Securing Java with Local Policies
Massimo Bartoletti, Dipartimento di Matematica e Informatica, Università degli
Studi di Cagliari, Italy
Gabriele Costa, Istituto di Informatica e Telematica, Consiglio Nazionale delle
Ricerche, Italy
Pierpaolo Degano, Dipartimento di Informatica, Università di Pisa, Italy
Fabio Martinelli, Istituto di Informatica e Telematica, Consiglio Nazionale delle
Ricerche, Italy
Roberto Zunino, Dipartimento di Ingegneria e Scienza dell'Informazione, Università degli Studi di Trento, Italy
REFEREED ARTICLE

Abstract
We propose an extension to the security model of Java that allows for specifying, analysing and enforcing history-based usage policies. Policies are defined by usage automata, which recognize the forbidden execution histories. Programmers can sandbox an untrusted piece of code with a policy, which is enforced at run-time within its local scope. A static analysis allows for optimizing the execution monitor: only the policies not guaranteed to be always obeyed will be enforced at run-time.
Note: Due to the typographical sophistication of this article, no HTML version is available. Please use the PDF version.
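As an added illustration of the model sketched in the abstract (this is constructed example code, not code from the paper, which should be consulted for the actual formalization and implementation), the Java sketch below encodes a usage automaton as a transition table, records the full execution history, and checks a policy only while the sandbox that carries it is active; the class names, the event names "read" and "connect", the policy, and the choice to run the automaton over the whole history are assumptions made for the example.

```java
import java.util.*;
/** Usage automaton over security-relevant events; reaching the offending state
 *  means the history read so far is forbidden (constructed encoding, not the paper's). */
final class UsageAutomaton {
    private final Map<String, Map<String, String>> delta = new HashMap<>();
    private final String start, offending;
    UsageAutomaton(String start, String offending) { this.start = start; this.offending = offending; }
    UsageAutomaton on(String from, String event, String to) {
        delta.computeIfAbsent(from, k -> new HashMap<>()).put(event, to); return this;
    }
    /** Events without an explicit transition leave the state unchanged (self-loop). */
    boolean forbids(List<String> history) {
        String q = start;
        for (String e : history) q = delta.getOrDefault(q, Map.of()).getOrDefault(e, q);
        return q.equals(offending);
    }
}
/** Execution monitor: records the whole history, but checks only the policies
 *  whose sandbox scope is currently active (the "local" in local policies). */
final class Monitor {
    private final List<String> history = new ArrayList<>();
    private final Deque<UsageAutomaton> inScope = new ArrayDeque<>();
    void event(String e) {
        history.add(e);
        for (UsageAutomaton p : inScope) {
            if (p.forbids(history)) {
                history.remove(history.size() - 1);   // the offending event does not take place
                throw new SecurityException("policy violated by event '" + e + "'");
            }
        }
    }
    /** Runs untrusted code with the policy enforced only inside this scope. */
    void sandbox(UsageAutomaton policy, Runnable untrusted) {
        inScope.push(policy);
        try { untrusted.run(); } finally { inScope.pop(); }
    }
}
public class LocalPolicyDemo {
    public static void main(String[] args) {
        // Constructed policy: once a file has been read, no network connection may follow.
        UsageAutomaton noConnectAfterRead = new UsageAutomaton("q0", "fail")
            .on("q0", "read", "q1").on("q1", "connect", "fail");
        Monitor m = new Monitor();
        m.event("connect");                              // outside any scope: unconstrained
        try {
            m.sandbox(noConnectAfterRead, () -> { m.event("read"); m.event("connect"); });
        } catch (SecurityException ex) { System.out.println("blocked: " + ex.getMessage()); }
        m.event("connect");                              // scope has ended: allowed again
    }
}
```

The second "connect" inside the sandbox is rejected because the history "connect read connect" drives the automaton to its offending state, while the same event before and after the scope is not constrained; the static analysis mentioned in the abstract would aim to drop such run-time checks wherever the policy is provably respected.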
About the authors

Massimo Bartoletti received the PhD degree in Computer Science from the University of Pisa in 2005, and he is now a researcher at the Computer Science Department of the University of Cagliari, Italy. His current research interests are language-based security and security issues in service-oriented computing. Other research interests include control flow analysis and type systems for functional and object-oriented languages. He can be reached at bart@unica.it

Pierpaolo Degano has been full professor of Computer Science since 1990 and, since 1993, he has been at the Department of Computer Science, University of Pisa, of which he was head from 1993 to 1996; since 2006 he has been the chairman of the Ph.D. programme in Computer Science; from 1999 to 2003 he chaired the Italian Association of Professors of Computer Science. Pierpaolo Degano served as program chair of many international conferences and as guest editor of many international journals; he served as a member of the steering committees of TAPSOFT, ETAPS and EATCS, and co-founded the IFIP TC1 WG 1.7 on Theoretical Foundations of Security Analysis and Design; since 2005 he has been a member of the Board of Directors of the Microsoft Research - University of Trento Center for Computational and Systems Biology. His main areas of interest have been, or are, security of concurrent and mobile systems, computational systems biology, semantics and concurrency, methods and tools for program verification and evaluation, and programming tools. He can be reached at degano@di.unipi.it

Gabriele Costa is a Ph.D. student in Computer Science at the University of Pisa and a researcher in the security group of the National Research Council (CNR). His research interests include foundational and practical aspects of programming language security. He can be reached at gabriele.costa@iit.cnr.it

Fabio Martinelli (M.Sc. 1994, Ph.D. 1999) is a senior researcher at IIT-CNR, Pisa, where he is the scientific coordinator of the security group. His main research interests involve security and privacy in distributed and mobile systems and the foundations of security and trust. He serves as PC chair or organizer of several international conferences and workshops. He is the co-initiator of the International Workshop series on Formal Aspects in Security and Trust (FAST). He has served as scientific co-director of the international research school on Foundations of Security Analysis and Design (FOSAD) since the 2004 edition. He chairs the working group on security and trust management (STM) of the European Research Consortium for Informatics and Mathematics (ERCIM). He usually manages R&D projects on information and communication security and is involved in several FP6/7 EU projects. He can be reached at Fabio.Martinelli@iit.cnr.it

Roberto Zunino (M.Sc. 2002, Ph.D. 2006) is assistant professor at the Department of Information Engineering and Computer Science of the University of Trento, Italy. His current research topics include computer security, crypto-protocol verification techniques, and bioinformatics. Other research interests include language-based security and type systems. He can be reached at zunino@disi.unitn.it
Massimo Bartoletti, Gabriele Costa, Pierpaolo Degano, Fabio Martinelli, and Roberto Zunino: "Securing Java with Local Policies", in Journal of Object Technology, vol. 8, no. 4, Special Issue: Workshop FTfJP and IWACO at ECOOP 08, June 2009, pp. 5-32, http://www.jot.fm/issues/issue_2009_06/article1/