- Dan S. Wallach
- Edward W. Felten
Current implementations of Java make security decisions by searching
the runtime call stack. These systems have attractive security
properties, but they have been criticized as being dependent on specific
artifacts of the Java implementation.
This paper models the stack inspection algorithm in terms of a
well-understood logic for access control and
demonstrates how stack inspection is a useful tool for expressing and
managing complex trust relationships. We show that an access control
decision based on stack inspection corresponds to the construction of
a proof in the logic, and we present an efficient decision procedure
for generating these proofs.
By examining the decision procedure, we demonstrate that many
statements in the logic are equivalent and can thus be expressed in a
simpler form. We show that there are a finite number of such
statements, allowing us to represent the security state of the system
as a pushdown automaton. We also show that this automaton may be
embedded in Java by rewriting all Java classes to pass an additional
argument when a procedure is invoked. We call this security-passing
style and describe its benefits over previous stack
inspection systems. Finally, we show how the logic allows us
to describe a straightforward design for extending stack inspection
across remote procedure calls.
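To make the correspondence described above concrete, the following toy model (added here, not code from the paper or its authors) implements the stack-walking check beside an equivalent security-passing-style version in which the security state is threaded through calls as an extra argument; the policy table, the principal and target names, and the behaviour when the walk runs off the bottom of the stack (`default_at_bottom`) are assumptions of the example.

```python
"""Toy model of Java stack inspection in two equivalent forms: the classic
stack walk and 'security-passing style', where each call receives the
current security state and returns leave the caller's state untouched."""
from enum import Enum

class Status(Enum):
    GRANT, DENY, UNDECIDED = "grant", "deny", "undecided"

# Constructed policy: which principals are authorized for which targets.
AUTHORIZED = {"system": {"FileRead", "FileWrite", "Net"}, "applet": {"Net"}}
ALL_TARGETS = set().union(*AUTHORIZED.values())

class Frame:
    """One activation record: its code's principal and the targets it enabled."""
    def __init__(self, principal, enabled=()):
        self.principal, self.enabled = principal, set(enabled)

def check_stack(stack, target, default_at_bottom=False):
    """Stack walk, newest frame first (stack[-1] is the innermost callee)."""
    for frame in reversed(stack):
        if target not in AUTHORIZED.get(frame.principal, set()):
            return False          # unauthorized code is on the stack: deny
        if target in frame.enabled:
            return True           # an authorized frame enabled it: grant
    return default_at_bottom      # walked off the stack: assumed default

def enter(state, principal):
    """Security-passing style: state handed to a callee of this principal."""
    new = dict(state)             # copied, so returning restores the caller
    for target in ALL_TARGETS - AUTHORIZED.get(principal, set()):
        new[target] = Status.DENY  # overrides any GRANT from older frames
    return new

def enable(state, principal, target):
    """enablePrivilege: only authorized principals can grant a target."""
    if target not in AUTHORIZED.get(principal, set()):
        return state
    return {**state, target: Status.GRANT}

def check_passing(state, target, default_at_bottom=False):
    s = state.get(target, Status.UNDECIDED)
    return s is Status.GRANT or (s is Status.UNDECIDED and default_at_bottom)

def both(calls, target, default_at_bottom=False):
    """calls: (principal, enables_target) pairs from outermost caller inward.
    Returns (stack-walk result, security-passing result); they must agree."""
    stack, state = [], {}
    for principal, enables in calls:
        stack.append(Frame(principal, [target] if enables else []))
        state = enter(state, principal)
        if enables:
            state = enable(state, principal, target)
    return (check_stack(stack, target, default_at_bottom),
            check_passing(state, target, default_at_bottom))
```

Because `enter` copies the state, a privilege enabled by a callee disappears when it returns, which is exactly the push/pop behaviour that makes the security state a pushdown automaton.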
- Proceedings of 1998 IEEE Symposium on Security and Privacy (Oakland, California), May 1998.
- See Also
- Netscape's signed object documentation
- Sun's JDK 1.2 security documentation