Abstract
Access control to objects in common object-oriented languages is statically verified but cannot be changed at run-time. However, dynamic authorization is required by most applications and it would be desirable to check more flexible access control policies also statically, at least partially. In this work, we introduce a model where “views” to object references represent the current access control policy of a principal for a given object, and first class authorizations support dynamic modification of those policies. To demonstrate our concepts, we have developed a core language, equipped with a provably correct type and effect system capable of detecting unauthorized method calls at compile-time, and defined and implemented a typechecking algorithm.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Abadi, M.: Secrecy by typing in security protocols. J. ACM 46(5), 749–786 (1999)
Abadi, M.: Logic in access control. In: Proceedings of LICS 2003, pp. 228–233. IEEE Computer Society, Los Alamitos (2003)
Abadi, M., Burrows, M., Lampson, B., Plotkin, G.: A calculus for access control in distributed systems. ACM Trans. Program. Lang. Syst. 15(4), 706–734 (1993)
Bartoletti, M., Degano, P., Ferrari, G.: History-based access control with local policies. In: Proc. of Foundations of Software Science and Computation Structure 2005, pp. 316–332. Springer, Heidelberg (2005)
Bartoletti, M., Degano, P., Ferrari, G., Zunino, R.: Types and effects for resource usage analysis. In: Proc. of Foundations of Software Science and Computation Structure 2007. LNCS, pp. 32–47. Springer, Heidelberg (2007)
Bengtson, J., Bhargavan, K., Fournet, C., Gordon, A.D., Maffeis, S.: Refinement types for secure implementations. In: CSF 2008: Proceedings of the 2008 21st IEEE Computer Security Foundations Symposium, pp. 17–32. IEEE Computer Society Press, Los Alamitos (2008)
Crampton, J., Loizou, G.: A logic of access control. The Computer Journal 44, 54–66 (2001)
Dezani-Ciancaglini, M., Mostrous, D., Yoshida, N., Drossopoulou, S.: Session types for object-oriented languages. In: Thomas, D. (ed.) ECOOP 2006. LNCS, vol. 4067, pp. 328–352. Springer, Heidelberg (2006)
Dezani-Ciancaglini, M., Drossopoulou, S., Mostrous, D., Yoshida, N.: Objects and session types. Inf. Comput. 207(5), 595–641 (2009)
Fournet, C., Gordon, A.D., Maffeis, S.: A type discipline for authorization policies. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 141–156. Springer, Heidelberg (2005)
Gosling, J., Joy, B., Steele, G., Bracha, G.: Java(TM) Language Specification, 3rd edn. (Java (Addison-Wesley)) Addison-Wesley Professional, Reading (2005)
Honda, K.: Types for dyadic interaction. In: Best, E. (ed.) CONCUR 1993. LNCS, vol. 715, pp. 509–523. Springer, Heidelberg (1993)
Jia, L., Vaughan, J.A., Mazurak, K., Zhao, J., Zarko, L., Schorr, J., Zdancewic, S.: Aura: a programming language for authorization and audit. In: ICFP 2008: Proceeding of the 13th ACM SIGPLAN international conference on Functional programming, pp. 27–38. ACM, New York (2008)
Kozen, D.: Language-based security. In: Mathematical Foundations of Computer Science, pp. 284–298. Springer, Heidelberg (1999)
Nielson, F., Nielson, H.R.: Type and effect systems. In: ACM Computing Surveys, pp. 114–136 (1999)
Park, J., Sandhu, R.: The UCONABC usage control model. ACM Trans. Inf. Syst. Secur. 7(1), 128–174 (2004)
Pires, M.: A type system for access control in an object-oriented language. Master’s thesis, Faculdade de Ciências e Tecnologia, Universidade Nova de Lisboa (2009)
PLASTIC. Plastic homepage (2009), http://ctp.di.fct.unl.pt/PLASTIC/
Schneider, F.B., Morrisett, G., Harper, R.: A language-based approach to security. In: Informatics: 10 Years Back, 10 Years Ahead, pp. 86–101. Springer, Heidelberg (2000)
Skalka, C., Smith, S.: History effects and verification. In: Chin, W.-N. (ed.) APLAS 2004. LNCS, vol. 3302, pp. 107–128. Springer, Heidelberg (2004)
Swamy, N., Corcoran, B.J., Hicks, M.: Fable: A language for enforcing user-defined security policies. In: IEEE Symp. on Security and Privacy, Society Press (2008)
Wright, A.K., Felleisen, M.: A syntactic approach to type soundness. Information and Computation 115, 38–94 (1994)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Pires, M., Caires, L. (2010). A Type System for Access Control Views in Object-Oriented Languages. In: Armando, A., Lowe, G. (eds) Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security. ARSPA-WITS 2010. Lecture Notes in Computer Science, vol 6186. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16074-5_5
Download citation
DOI: https://doi.org/10.1007/978-3-642-16074-5_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-16073-8
Online ISBN: 978-3-642-16074-5
eBook Packages: Computer ScienceComputer Science (R0)