Securing Class Initialization in Java-like Languages

Willard Rafnsson; Keiko Nakata; Andrei Sabelfeld

doi:10.1109/TDSC.2012.73

Publication
2013
Issue No. 1 - Jan.-Feb.
Abstract - Securing Class Initialization in Java-like Languages

	This Article
	Subscribers, please Login Purchase article: $19 PDF HTML IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/EndNote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Willard Rafnsson Articles by Keiko Nakata Articles by Andrei Sabelfeld

Securing Class Initialization in Java-like Languages

Jan.-Feb. 2013 (vol. 10 no. 1)

pp. 1-13

	ASCII Text	x
	Willard Rafnsson, Keiko Nakata, Andrei Sabelfeld, "Securing Class Initialization in Java-like Languages," IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 1, pp. 1-13, Jan.-Feb., 2013.

	BibTex	x
	@article{ 10.1109/TDSC.2012.73, author = {Willard Rafnsson and Keiko Nakata and Andrei Sabelfeld}, title = {Securing Class Initialization in Java-like Languages}, journal ={IEEE Transactions on Dependable and Secure Computing}, volume = {10}, number = {1}, issn = {1545-5971}, year = {2013}, pages = {1-13}, doi = {http://doi.ieeecomputersociety.org/10.1109/TDSC.2012.73}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - JOUR JO - IEEE Transactions on Dependable and Secure Computing TI - Securing Class Initialization in Java-like Languages IS - 1 SN - 1545-5971 SP1 EP13 EPD - 1-13 A1 - Willard Rafnsson, A1 - Keiko Nakata, A1 - Andrei Sabelfeld, PY - 2013 KW - Security KW - Java KW - Context KW - Lattices KW - Loading KW - Syntactics KW - Semantics KW - program analysis KW - Information flow control VL - 10 JA - IEEE Transactions on Dependable and Secure Computing ER -

Willard Rafnsson, Chalmers University of Technology, Göteborg

Keiko Nakata, Tallinn University of Technology, Tallinn

Andrei Sabelfeld, Chalmers University of Technology, Göteborg

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TDSC.2012.73

Language-based information-flow security is concerned with specifying and enforcing security policies for information flow via language constructs. Although much progress has been made on understanding information flow in object-oriented programs, little attention has been given to the impact of class initialization on information flow. This paper turns the spotlight on security implications of class initialization. We reveal the subtleties of information propagation when classes are initialized, and demonstrate how these flows can be exploited to leak information through error recovery. Our main contribution is a type-and-effect system which tracks these information flows. The type system is parameterized by an arbitrary lattice of security levels. Flows through the class hierarchy and dependencies in field initializers are tracked by typing class initializers wherever they could be executed. The contexts in which each class can be initialized are tracked to prevent insecure flows of out-of-scope contextual information through class initialization statuses and error recovery. We show that the type system enforces termination-insensitive noninterference.

Index Terms:

Security,Java,Context,Lattices,Loading,Syntactics,Semantics,program analysis,Information flow control

Citation:

Willard Rafnsson, Keiko Nakata, Andrei Sabelfeld, "Securing Class Initialization in Java-like Languages," IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 1, pp. 1-13, Jan.-Feb. 2013, doi:10.1109/TDSC.2012.73

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.