SAFKASI: A Security Mechanism for Language-based Systems

Dan S. Wallach
Andrew W. Appel
Edward W. Felten
In order to run untrusted code in the same process as trusted code, there must be a mechanism to allow dangerous calls to determine if their caller is authorized to exercise the privilege of using the dangerous routine. Java systems have adopted a technique called stack inspection to address this concern. But its original definition, in terms of searching stack frames, had an unclear relationship to the actual achievement of security, over-constrained the implementation of a Java system, limited many desirable optimizations such as method inlining and tail recursion, and generally interfered with interprocedural optimization. We present a new semantics for stack inspection based on a belief logic and its implementation using the calculus of security-passing style which addresses the concerns of traditional stack inspection. With security-passing style, we can efficiently represent the security context for any method activation, and we can build a new implementation strictly by rewriting the Java bytecodes before they are loaded by the system. No changes to the JVM or bytecode semantics are necessary. With a combination of static analysis and runtime optimizations, our prototype implementation shows reasonable performance (although traditional stack inspection is still faster), and is easier to consider for languages beyond Java.
ACM Transactions on Software Engineering and Methodology, volume 9, number 4, October 2000.
PostScript (385 kbytes)
PDF (190 kbytes)

Dan Wallach, CS Department, Rice University
Last modified: Mon 10-Feb-2003 15:46