Secure the Clones
Exchanging mutable data objects with untrusted code is a delicate matter because of the risk of creating a data space that is accessible by an attacker. Consequently, secure programming guidelines for Java stress the importance of using defensive copying before accepting or handing out references to...
Saved in:
| Published in: | Logical methods in computer science Vol. 8, Issue 2; no. 2 |
|---|---|
| Main Authors: | , , |
| Format: | Journal Article |
| Language: | English |
| Published: |
Logical Methods in Computer Science Association
31.05.2012
Logical Methods in Computer Science e.V |
| Subjects: | |
| ISSN: | 1860-5974, 1860-5974 |
| Online Access: | Get full text |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Summary: | Exchanging mutable data objects with untrusted code is a delicate matter
because of the risk of creating a data space that is accessible by an attacker.
Consequently, secure programming guidelines for Java stress the importance of
using defensive copying before accepting or handing out references to an
internal mutable object. However, implementation of a copy method (like
clone()) is entirely left to the programmer. It may not provide a sufficiently
deep copy of an object and is subject to overriding by a malicious sub-class.
Currently no language-based mechanism supports secure object cloning. This
paper proposes a type-based annotation system for defining modular copy
policies for class-based object-oriented programs. A copy policy specifies the
maximally allowed sharing between an object and its clone. We present a static
enforcement mechanism that will guarantee that all classes fulfil their copy
policy, even in the presence of overriding of copy methods, and establish the
semantic correctness of the overall approach in Coq. The mechanism has been
implemented and experimentally evaluated on clone methods from several Java
libraries. |
|---|---|
| ISSN: | 1860-5974 1860-5974 |
| DOI: | 10.2168/LMCS-8(2:5)2012 |