Secure the Clones
Exchanging mutable data objects with untrusted code is a delicate matter because of the risk of creating a data space that is accessible by an attacker. Consequently, secure programming guidelines for Java stress the importance of using defensive copying before accepting or handing out references to...
Saved in:
| Published in: | Logical methods in computer science Vol. 8, Issue 2; no. 2 |
|---|---|
| Main Authors: | , , |
| Format: | Journal Article |
| Language: | English |
| Published: |
Logical Methods in Computer Science Association
31.05.2012
Logical Methods in Computer Science e.V |
| Subjects: | |
| ISSN: | 1860-5974, 1860-5974 |
| Online Access: | Get full text |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Abstract | Exchanging mutable data objects with untrusted code is a delicate matter
because of the risk of creating a data space that is accessible by an attacker.
Consequently, secure programming guidelines for Java stress the importance of
using defensive copying before accepting or handing out references to an
internal mutable object. However, implementation of a copy method (like
clone()) is entirely left to the programmer. It may not provide a sufficiently
deep copy of an object and is subject to overriding by a malicious sub-class.
Currently no language-based mechanism supports secure object cloning. This
paper proposes a type-based annotation system for defining modular copy
policies for class-based object-oriented programs. A copy policy specifies the
maximally allowed sharing between an object and its clone. We present a static
enforcement mechanism that will guarantee that all classes fulfil their copy
policy, even in the presence of overriding of copy methods, and establish the
semantic correctness of the overall approach in Coq. The mechanism has been
implemented and experimentally evaluated on clone methods from several Java
libraries. |
|---|---|
| AbstractList | Exchanging mutable data objects with untrusted code is a delicate matter
because of the risk of creating a data space that is accessible by an attacker.
Consequently, secure programming guidelines for Java stress the importance of
using defensive copying before accepting or handing out references to an
internal mutable object. However, implementation of a copy method (like
clone()) is entirely left to the programmer. It may not provide a sufficiently
deep copy of an object and is subject to overriding by a malicious sub-class.
Currently no language-based mechanism supports secure object cloning. This
paper proposes a type-based annotation system for defining modular copy
policies for class-based object-oriented programs. A copy policy specifies the
maximally allowed sharing between an object and its clone. We present a static
enforcement mechanism that will guarantee that all classes fulfil their copy
policy, even in the presence of overriding of copy methods, and establish the
semantic correctness of the overall approach in Coq. The mechanism has been
implemented and experimentally evaluated on clone methods from several Java
libraries. Exchanging mutable data objects with untrusted code is a delicate matter because of the risk of creating a data space that is accessible by an attacker. Consequently, secure programming guidelines for Java stress the importance of using defensive copying before accepting or handing out references to an internal mutable object. However, implementation of a copy method (like clone()) is entirely left to the programmer. It may not provide a sufficiently deep copy of an object and is subject to overriding by a malicious sub-class. Currently no language-based mechanism supports secure object cloning. This paper proposes a type-based annotation system for defining modular copy policies for class-based object-oriented programs. A copy policy specifies the maximally allowed sharing between an object and its clone. We present a static enforcement mechanism that will guarantee that all classes fulfil their copy policy, even in the presence of overriding of copy methods, and establish the semantic correctness of the overall approach in Coq. The mechanism has been implemented and experimentally evaluated on clone methods from several Java libraries. |
| Author | Jensen, Thomas Kirchner, Florent Pichardie, David |
| Author_xml | – sequence: 1 givenname: Thomas surname: Jensen fullname: Jensen, Thomas – sequence: 2 givenname: Florent surname: Kirchner fullname: Kirchner, Florent – sequence: 3 givenname: David surname: Pichardie fullname: Pichardie, David |
| BackLink | https://inria.hal.science/hal-00762377$$DView record in HAL |
| BookMark | eNpVkDtPw0AQhE8oSISQgoo2JSlMbu99dJEFJJIRRaA-Lec1SWRidA5I_HtsghBsM6vRzFfMKRvsmh0xdgH8SoBxs-I-X2XuUlzrqeAgjtgQnOGZ9lYN_vwnbNy2W96dlOCEGbLzFcX3RJP9miZ53UHbM3ZcYd3S-EdH7On25jFfZMXD3TKfF1kUGkQm0URPPHZqAAz3gIIIlSJlkaPn1JnPJWrSJC1UJqrSerK-AuW1lnLElgdu2eA2vKXNK6bP0OAmfBtNegmY9ptYU6DISwSDQnuhtCu997I0Fgx5rZzGjjU9sNZY_0Mt5kXoPc6tEdLaD-iys0M2pqZtE1W_BeChHzP0YwYXRNChH1N-AavPZHU |
| Cites_doi | 10.1145/320385.320387 10.1007/BFb0054091 10.1007/978-3-642-19718-5_17 10.1145/1542476.1542488 10.1145/512950.512973 10.1145/949305.949332 10.1145/514188.514190 10.1145/286936.286947 10.1145/964001.964024 10.1006/inco.1996.2613 10.1007/978-3-540-68863-1_9 10.1145/780822.781146 10.1145/320385.320386 |
| ContentType | Journal Article |
| Copyright | Distributed under a Creative Commons Attribution 4.0 International License |
| Copyright_xml | – notice: Distributed under a Creative Commons Attribution 4.0 International License |
| DBID | AAYXX CITATION 1XC VOOES DOA |
| DOI | 10.2168/LMCS-8(2:5)2012 |
| DatabaseName | CrossRef Hyper Article en Ligne (HAL) Hyper Article en Ligne (HAL) (Open Access) DOAJ Directory of Open Access Journals |
| DatabaseTitle | CrossRef |
| DatabaseTitleList | CrossRef |
| Database_xml | – sequence: 1 dbid: DOA name: DOAJ Directory of Open Access Journals url: https://www.doaj.org/ sourceTypes: Open Website |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Computer Science |
| EISSN | 1860-5974 |
| ExternalDocumentID | oai_doaj_org_article_ec0da16a2592458d9993d6716e95485a oai:HAL:hal-00762377v1 10_2168_LMCS_8_2_5_2012 |
| GroupedDBID | .DC 29L 2WC 5GY 5VS AAFWJ AAYXX ADBBV ADQAK AENEX AFPKN ALMA_UNASSIGNED_HOLDINGS BCNDV CITATION EBS EJD FRP GROUPED_DOAJ J9A KQ8 M~E OK1 OVT P2P TR2 TUS XSB 1XC VOOES |
| ID | FETCH-LOGICAL-c2512-3a6c9e0c3a66116091a2eea44e47a0a90e160bda5e5e371f6c4d79e79f1495533 |
| IEDL.DBID | DOA |
| ISSN | 1860-5974 |
| IngestDate | Fri Oct 03 12:51:40 EDT 2025 Tue Oct 14 20:43:28 EDT 2025 Sat Nov 29 06:21:50 EST 2025 |
| IsDoiOpenAccess | true |
| IsOpenAccess | true |
| IsPeerReviewed | true |
| IsScholarly | true |
| Issue | 2 |
| Language | English |
| License | https://arxiv.org/licenses/nonexclusive-distrib/1.0 Distributed under a Creative Commons Attribution 4.0 International License: http://creativecommons.org/licenses/by/4.0 |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-LOGICAL-c2512-3a6c9e0c3a66116091a2eea44e47a0a90e160bda5e5e371f6c4d79e79f1495533 |
| ORCID | 0000-0002-2504-1760 |
| OpenAccessLink | https://doaj.org/article/ec0da16a2592458d9993d6716e95485a |
| ParticipantIDs | doaj_primary_oai_doaj_org_article_ec0da16a2592458d9993d6716e95485a hal_primary_oai_HAL_hal_00762377v1 crossref_primary_10_2168_LMCS_8_2_5_2012 |
| PublicationCentury | 2000 |
| PublicationDate | 2012-05-31 |
| PublicationDateYYYYMMDD | 2012-05-31 |
| PublicationDate_xml | – month: 05 year: 2012 text: 2012-05-31 day: 31 |
| PublicationDecade | 2010 |
| PublicationTitle | Logical methods in computer science |
| PublicationYear | 2012 |
| Publisher | Logical Methods in Computer Science Association Logical Methods in Computer Science e.V |
| Publisher_xml | – name: Logical Methods in Computer Science Association – name: Logical Methods in Computer Science e.V |
| References | 10.2168/LMCS-8(2:5)2012_OHearnYR04 10.2168/LMCS-8(2:5)2012_ChoiGSSM99 10.2168/LMCS-8(2:5)2012_Clarke:98:Ownership 10.2168/LMCS-8(2:5)2012_Blanchet99 10.2168/LMCS-8(2:5)2012_JensenKP:Esop11 10.2168/LMCS-8(2:5)2012_clone-webpage 10.2168/LMCS-8(2:5)2012_CousotCousot77 10.2168/LMCS-8(2:5)2012_pubsdoc:clonesPre S. Sagiv, T. W. Reps, and R. Wilhelm (10.2168/LMCS-8(2:5)2012_SagivRW02) 2002; 24 10.2168/LMCS-8(2:5)2012_Noble:98:Flexible 10.2168/LMCS-8(2:5)2012_Fahndrich03 10.2168/LMCS-8(2:5)2012_SunGuidelines:2010 10.2168/LMCS-8(2:5)2012_hubert08 10.2168/LMCS-8(2:5)2012_AndersonGayNaik:PLDI09 10.2168/LMCS-8(2:5)2012_Bloch04 M. Tofte and J.-P. Talpin (10.2168/LMCS-8(2:5)2012_TofteTalpin97) 1997; 132 |
| References_xml | – ident: 10.2168/LMCS-8(2:5)2012_Blanchet99 doi: 10.1145/320385.320387 – ident: 10.2168/LMCS-8(2:5)2012_Noble:98:Flexible doi: 10.1007/BFb0054091 – ident: 10.2168/LMCS-8(2:5)2012_JensenKP:Esop11 doi: 10.1007/978-3-642-19718-5_17 – ident: 10.2168/LMCS-8(2:5)2012_AndersonGayNaik:PLDI09 doi: 10.1145/1542476.1542488 – ident: 10.2168/LMCS-8(2:5)2012_pubsdoc:clonesPre – ident: 10.2168/LMCS-8(2:5)2012_CousotCousot77 doi: 10.1145/512950.512973 – ident: 10.2168/LMCS-8(2:5)2012_Fahndrich03 doi: 10.1145/949305.949332 – volume: 24 start-page: 217 issue: 3 year: 2002 ident: 10.2168/LMCS-8(2:5)2012_SagivRW02 publication-title: ACM Trans. Program. Lang. Syst. doi: 10.1145/514188.514190 – ident: 10.2168/LMCS-8(2:5)2012_Clarke:98:Ownership doi: 10.1145/286936.286947 – ident: 10.2168/LMCS-8(2:5)2012_OHearnYR04 doi: 10.1145/964001.964024 – ident: 10.2168/LMCS-8(2:5)2012_Bloch04 – volume: 132 start-page: 109 issue: 2 year: 1997 ident: 10.2168/LMCS-8(2:5)2012_TofteTalpin97 publication-title: Information and Computation doi: 10.1006/inco.1996.2613 – ident: 10.2168/LMCS-8(2:5)2012_hubert08 doi: 10.1007/978-3-540-68863-1_9 – ident: 10.2168/LMCS-8(2:5)2012_SunGuidelines:2010 – ident: 10.2168/LMCS-8(2:5)2012_clone-webpage doi: 10.1145/780822.781146 – ident: 10.2168/LMCS-8(2:5)2012_ChoiGSSM99 doi: 10.1145/320385.320386 |
| SSID | ssj0000331826 |
| Score | 1.8499511 |
| Snippet | Exchanging mutable data objects with untrusted code is a delicate matter
because of the risk of creating a data space that is accessible by an attacker.... Exchanging mutable data objects with untrusted code is a delicate matter because of the risk of creating a data space that is accessible by an attacker.... |
| SourceID | doaj hal crossref |
| SourceType | Open Website Open Access Repository Index Database |
| SubjectTerms | Computer Science computer science - programming languages i.1.2, f.3.1, f.3.3, d.3.3 Logic in Computer Science |
| Title | Secure the Clones |
| URI | https://inria.hal.science/hal-00762377 https://doaj.org/article/ec0da16a2592458d9993d6716e95485a |
| Volume | 8, Issue 2 |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| journalDatabaseRights | – providerCode: PRVAON databaseName: DOAJ Directory of Open Access Journals customDbUrl: eissn: 1860-5974 dateEnd: 99991231 omitProxy: false ssIdentifier: ssj0000331826 issn: 1860-5974 databaseCode: DOA dateStart: 20040101 isFulltext: true titleUrlDefault: https://www.doaj.org/ providerName: Directory of Open Access Journals – providerCode: PRVHPJ databaseName: ROAD: Directory of Open Access Scholarly Resources customDbUrl: eissn: 1860-5974 dateEnd: 99991231 omitProxy: false ssIdentifier: ssj0000331826 issn: 1860-5974 databaseCode: M~E dateStart: 20040101 isFulltext: true titleUrlDefault: https://road.issn.org providerName: ISSN International Centre |
| link | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwrV07T8MwELYQYmCB8hLlpQgxlCFqYscvtlK16tBWSDzUzXLsi0BCFSqlI7-ds9OidmJhSaRT5NjfJb7v7OQ7Qm6QYjBkqpiWMAFp4R3Og5KHv4B15hV3zMVaBC9DOR6ryUQ_rJX6Ct-E1fLANXBtcJm3ubBI02nBlUdCw7xAlg9BqoxHapRJvZZMxTmYsUCcay0fmgvVHo66j6lq0Tt-izGPboShqNaPweV1tZgag0u_QfaWrDDp1L05IFswPST7q4oLyfIFPCKNuDwOCbK2pPseZPaPyXO_99QdpMuiBqkLVCJlVjgNmcOzyHOB4dpSAFsUUEibWZ0BGktvOXBgMq-EK7zUIHUVchkkZydke4rtn5KkLMtKeuuYKjVmuVwhOjSvKgY8o6VSTdJajdF81NoVBjl_gMMEOIwy1HAT4GiS-4DB72VBdDoa0BVm6Qrzlyua5BoR3Ghj0BmaYAsbfpRJucjP_uNO52Q39Lrexb8g2_PZF1ySHbeYv33OruKjgMfRd-8Hcauy_Q |
| linkProvider | Directory of Open Access Journals |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Secure+the+Clones&rft.jtitle=Logical+methods+in+computer+science&rft.au=Thomas+Jensen&rft.au=Florent+Kirchner&rft.au=David+Pichardie&rft.date=2012-05-31&rft.pub=Logical+Methods+in+Computer+Science+e.V&rft.eissn=1860-5974&rft.volume=8%2C+Issue+2&rft_id=info:doi/10.2168%2FLMCS-8%282%3A5%292012&rft.externalDBID=DOA&rft.externalDocID=oai_doaj_org_article_ec0da16a2592458d9993d6716e95485a |
| thumbnail_l | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/lc.gif&issn=1860-5974&client=summon |
| thumbnail_m | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/mc.gif&issn=1860-5974&client=summon |
| thumbnail_s | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/sc.gif&issn=1860-5974&client=summon |