
Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6186)


Abstract

Access control to objects in common object-oriented languages is statically verified but cannot be changed at run-time. However, most applications require dynamic authorization, and it would be desirable to check more flexible access control policies statically as well, at least partially. In this work, we introduce a model where “views” to object references represent the current access control policy of a principal for a given object, and first-class authorizations support dynamic modification of those policies. To demonstrate our concepts, we have developed a core language, equipped with a provably correct type and effect system capable of detecting unauthorized method calls at compile-time, and defined and implemented a typechecking algorithm.




© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Pires, M., Caires, L. (2010). A Type System for Access Control Views in Object-Oriented Languages. In: Armando, A., Lowe, G. (eds) Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security. ARSPA-WITS 2010. Lecture Notes in Computer Science, vol 6186. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16074-5_5


  • DOI: https://doi.org/10.1007/978-3-642-16074-5_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-16073-8

  • Online ISBN: 978-3-642-16074-5

  • eBook Packages: Computer Science, Computer Science (R0)
