Securing Java with Local Policies - Dipartimento di….pdfVIP

Securing Java with Local Policies 1 2 1 Massimo Bartoletti , Gabriele Costa , Pierpaolo Degano , 2 3 Fabio Martinelli , and Roberto Zunino 1 Dipartimento di Informatica, Universit`a di Pisa, Italy 2 Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Italy 3 Dipartimento di Informatica e Telecomunicazioni, Universit`a di Trento, Italy Abstract. We propose an extension to the security model of Java. It allows for specifying, analysing and enforcing history-based policies. Poli- cies are defined by finite state automata recognizing the permitted execu- tion histories. Programmers can sandbox an untrusted piece of code with a policy, which is enforced at run-time through its local scope. A static analysis allows for optimizing the execution monitor, that will only check the program points where some security violation may actually occur. 1 Introduction A fundamental concern of security is to ensure that resources are used correctly. Devising expressive, flexible and efficient mechanisms to control resource usages is therefore a major issue in the design and implementation of security-aware programming languages. The problem is made even more crucial by the current programming trends, which allow for reusing code, and exploiting services and components, offered by (possibly untrusted) third parties. It is common practice to pick from the Web some scripts, or plugins, or packages, and assemble them into a bigger program, with little or no control about the security of the whole. Stack inspection, the mechanism adopted by Java [23] and the .NET CLR [31], offers a pragmatic setting for access control. Roughly, each frame in the call