Robust composition: towards a unified approach to access control and concurrency control
Publisher:
  • Johns Hopkins University
  • Electrical Engineering/Comp. Sci. Dept. Charles and 34th Streets Baltimore, MD
  • United States
Order Number: AAI3245526
Pages: 302
Abstract

When separately written programs are composed so that they may cooperate, they may instead destructively interfere in unanticipated ways. These hazards limit the scale and functionality of the software systems we can successfully compose. This dissertation presents a framework for enabling those interactions between components needed for the cooperation we intend, while minimizing the hazards of destructive interference. Great progress on the composition problem has been made within the object paradigm, chiefly in the context of sequential, single-machine programming among benign components. We show how to extend this success to support robust composition of concurrent and potentially malicious components distributed over potentially malicious machines. We present E, a distributed, persistent, secure programming language, and CapDesk, a virus-safe desktop built in E, as embodiments of the techniques we explain.

Cited By

  1. Boruch-Gruszecki A, Odersky M, Lee E, Lhoták O and Brachthäuser J (2023). Capturing Types, ACM Transactions on Programming Languages and Systems, 45:4, (1-52), Online publication date: 31-Dec-2024.
  2. Ijaz R, Boos K and Zhong L Leveraging Rust for Lightweight OS Correctness Proceedings of the 1st Workshop on Kernel Isolation, Safety and Verification, (1-8)
  3. AlHamdan A and Staicu C SANDDRILLER Proceedings of the 32nd USENIX Conference on Security Symposium, (3457-3474)
  4. Burtsev A, Narayanan V, Huang Y, Huang K, Tan G and Jaeger T Evolving Operating System Kernels Towards Secure Kernel-Driver Interfaces Proceedings of the 19th Workshop on Hot Topics in Operating Systems, (166-173)
  5. Runge T, Servetto M, Potanin A and Schaefer I (2022). Immutability and Encapsulation for Sound OO Information Flow Control, ACM Transactions on Programming Languages and Systems, 45:1, (1-35), Online publication date: 31-Mar-2023.
  6. Melicher D, Xu A, Zhao V, Potanin A and Aldrich J (2022). Bounded Abstract Effects, ACM Transactions on Programming Languages and Systems, 44:1, (1-48), Online publication date: 31-Mar-2022.
  7. Vilanova L, Maudlej L, Bergman S, Miemietz T, Hille M, Asmussen N, Roitzsch M, Härtig H and Silberstein M Slashing the disaggregation tax in heterogeneous data centers with FractOS Proceedings of the Seventeenth European Conference on Computer Systems, (352-367)
  8. Li Z, Huang T, Narayanan V and Burtsev A Understanding the Overheads of Hardware and Language-Based IPC Mechanisms Proceedings of the 11th Workshop on Programming Languages and Operating Systems, (53-61)
  9. Burtsev A, Appel D, Detweiler D, Huang T, Li Z, Narayanan V and Zellweger G Isolation in Rust Proceedings of the 11th Workshop on Programming Languages and Operating Systems, (76-83)
  10. Narayanan V, Huang T, Detweiler D, Appel D, Li Z, Zellweger G and Burtsev A RedLeaf Proceedings of the 14th USENIX Conference on Operating Systems Design and Implementation, (21-39)
  11. Narayanan V, Huang Y, Tan G, Jaeger T and Burtsev A Lightweight kernel isolation with virtualization and VM functions Proceedings of the 16th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, (157-171)
  12. Devriese D Modular effects in Haskell through effect polymorphism and explicit dictionary applications: a new approach and the μVeriFast verifier as a case study Proceedings of the 12th ACM SIGPLAN International Symposium on Haskell, (1-14)
  13. van Ginkel N, De Groef W, Massacci F, Piessens F and Tolomei G (2019). A Server-Side JavaScript Security Architecture for Secure Integration of Third-Party Libraries, Security and Communication Networks, 2019, Online publication date: 1-Jan-2019.
  14. Melicher D, Shi Y, Zhao V, Potanin A and Aldrich J Using object capabilities and effects to build an authority-safe module system Proceedings of the 5th Annual Symposium and Bootcamp on Hot Topics in the Science of Security, (1-1)
  15. Felleisen M, Findler R, Flatt M, Krishnamurthi S, Barzilay E, McCarthy J and Tobin-Hochstadt S (2018). A programmable programming language, Communications of the ACM, 61:3, (62-71), Online publication date: 21-Feb-2018.
  16. Chrząszcz J and Schubert A Function definitions for compound values in object-oriented languages Proceedings of the 19th International Symposium on Principles and Practice of Declarative Programming, (61-72)
  17. Chisnall D, Davis B, Gudka K, Brazdil D, Joannou A, Woodruff J, Markettos A, Maste J, Norton R, Son S, Roe M, Moore S, Neumann P, Laurie B and Watson R (2017). CHERI JNI, ACM SIGPLAN Notices, 52:4, (569-583), Online publication date: 12-May-2017.
  18. Chisnall D, Davis B, Gudka K, Brazdil D, Joannou A, Woodruff J, Markettos A, Maste J, Norton R, Son S, Roe M, Moore S, Neumann P, Laurie B and Watson R (2017). CHERI JNI, ACM SIGARCH Computer Architecture News, 45:1, (569-583), Online publication date: 11-May-2017.
  19. Chisnall D, Davis B, Gudka K, Brazdil D, Joannou A, Woodruff J, Markettos A, Maste J, Norton R, Son S, Roe M, Moore S, Neumann P, Laurie B and Watson R CHERI JNI Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems, (569-583)
  20. Haller P and Loiko A (2016). LaCasa: lightweight affinity and object capabilities in Scala, ACM SIGPLAN Notices, 51:10, (272-291), Online publication date: 5-Dec-2016.
  21. Moore S, Dimoulas C, Findler R, Flatt M and Chong S (2016). Extensible access control with authorization contracts, ACM SIGPLAN Notices, 51:10, (214-233), Online publication date: 5-Dec-2016.
  22. Litton J, Vahldiek-Oberwagner A, Elnikety E, Garg D, Bhattacharjee B and Druschel P Light-weight contexts Proceedings of the 12th USENIX conference on Operating Systems Design and Implementation, (49-64)
  23. Ringer T, Grossman D and Roesner F AUDACIOUS Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, (204-216)
  24. Haller P and Loiko A LaCasa: lightweight affinity and object capabilities in Scala Proceedings of the 2016 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications, (272-291)
  25. Moore S, Dimoulas C, Findler R, Flatt M and Chong S Extensible access control with authorization contracts Proceedings of the 2016 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications, (214-233)
  26. Drossopoulou S, Noble J, Miller M and Murray T Permission and Authority Revisited towards a formalisation Proceedings of the 18th Workshop on Formal Techniques for Java-like Programs, (1-6)
  27. Van Acker S and Sabelfeld A JavaScript Sandboxing Tutorial Lectures on Foundations of Security Analysis and Design VIII - Volume 9808, (32-86)
  28. Teruel C, Ducasse S, Cassou D and Denker M (2015). Access control to reflection with object ownership, ACM SIGPLAN Notices, 51:2, (168-176), Online publication date: 11-May-2016.
  29. Garnock-Jones T and Felleisen M Coordinated Concurrent Programming in Syndicate Proceedings of the 25th European Symposium on Programming Languages and Systems - Volume 9632, (310-336)
  30. Stewart A, Cardell-Oliver R and Davies R Fine-grained classification of side-effect free methods in real-world Java code and applications to software security Proceedings of the Australasian Computer Science Week Multiconference, (1-7)
  31. Tran T, Pelizzi R and Sekar R JaTE Proceedings of the 31st Annual Computer Security Applications Conference, (151-160)
  32. Clebsch S, Drossopoulou S, Blessing S and McNeil A Deny capabilities for safe, fast actors Proceedings of the 5th International Workshop on Programming Based on Actors, Agents, and Decentralized Control, (1-12)
  33. Teruel C, Ducasse S, Cassou D and Denker M Access control to reflection with object ownership Proceedings of the 11th Symposium on Dynamic Languages, (168-176)
  34. Gudka K, Watson R, Anderson J, Chisnall D, Davis B, Laurie B, Marinos I, Neumann P and Richardson A Clean Application Compartmentalization with SOAAP Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, (1016-1031)
  35. Hermann B, Reif M, Eichberg M and Mezini M Getting to know you: towards a capability model for Java Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering, (758-769)
  36. Drossopoulou S, Noble J and Miller M Swapsies on the Internet Proceedings of the 10th ACM Workshop on Programming Languages and Analysis for Security, (2-15)
  37. Rhodes D, Disney T and Flanagan C (2014). Dynamic detection of object capability violations through model checking, ACM SIGPLAN Notices, 50:2, (103-112), Online publication date: 12-May-2015.
  38. De Groef W, Massacci F and Piessens F NodeSentry Proceedings of the 30th Annual Computer Security Applications Conference, (446-455)
  39. Rhodes D, Disney T and Flanagan C Dynamic detection of object capability violations through model checking Proceedings of the 10th ACM Symposium on Dynamic languages, (103-112)
  40. Moore S, Dimoulas C, King D and Chong S SHILL Proceedings of the 11th USENIX conference on Operating Systems Design and Implementation, (183-199)
  41. Stefan D, Yang E, Marchenko P, Russo A, Herman D, Karp B and Mazières D Protecting users by confining JavaScript with COWL Proceedings of the 11th USENIX conference on Operating Systems Design and Implementation, (131-146)
  42. Muscar A Programming Safe Agents in Blueprint Proceedings of the 4th International Conference on Web Intelligence, Mining and Semantics (WIMS14), (1-10)
  43. Garnock-Jones T, Tobin-Hochstadt S and Felleisen M The Network as a Language Construct Proceedings of the 23rd European Symposium on Programming Languages and Systems - Volume 8410, (473-492)
  44. Roesner F, Kohno T and Molnar D (2014). Security and privacy for augmented reality systems, Communications of the ACM, 57:4, (88-96), Online publication date: 1-Apr-2014.
  45. Keil M and Thiemann P (2013). Efficient dynamic access analysis using JavaScript proxies, ACM SIGPLAN Notices, 49:2, (49-60), Online publication date: 5-Feb-2014.
  46. Weiher M and Hirschfeld R (2013). Polymorphic identifiers, ACM SIGPLAN Notices, 49:2, (61-72), Online publication date: 5-Feb-2014.
  47. Krishnaswami N (2013). Higher-order functional reactive programming without spacetime leaks, ACM SIGPLAN Notices, 48:9, (221-232), Online publication date: 12-Nov-2013.
  48. Sun M, Tan G, Siefers J, Zeng B and Morrisett G (2013). Bringing java's wild native world under control, ACM Transactions on Information and System Security, 16:3, (1-28), Online publication date: 1-Nov-2013.
  49. Keil M and Thiemann P Efficient dynamic access analysis using JavaScript proxies Proceedings of the 9th symposium on Dynamic languages, (49-60)
  50. Weiher M and Hirschfeld R Polymorphic identifiers Proceedings of the 9th symposium on Dynamic languages, (61-72)
  51. Krishnaswami N Higher-order functional reactive programming without spacetime leaks Proceedings of the 18th ACM SIGPLAN international conference on Functional programming, (221-232)
  52. Leonard T, Hall-May M and Surridge M (2013). Modelling Access Propagation in Dynamic Systems, ACM Transactions on Information and System Security, 16:2, (1-31), Online publication date: 1-Sep-2013.
  53. Van Cutsem T and Miller M Trustworthy proxies Proceedings of the 27th European conference on Object-Oriented Programming, (154-178)
  54. Miller M, Van Cutsem T and Tulloh B Distributed electronic rights in javascript Proceedings of the 22nd European conference on Programming Languages and Systems, (1-20)
  55. Murray A and Grove D replay Proceedings of the Thirty-Sixth Australasian Computer Science Conference - Volume 135, (13-21)
  56. Terei D, Marlow S, Peyton Jones S and Mazières D (2012). Safe haskell, ACM SIGPLAN Notices, 47:12, (137-148), Online publication date: 17-Jan-2013.
  57. Agten P, Van Acker S, Brondsema Y, Phung P, Desmet L and Piessens F JSand Proceedings of the 28th Annual Computer Security Applications Conference, (1-10)
  58. Strickland T, Tobin-Hochstadt S, Findler R and Flatt M (2012). Chaperones and impersonators, ACM SIGPLAN Notices, 47:10, (943-962), Online publication date: 15-Nov-2012.
  59. Schumacher D Actor idioms Proceedings of the 2nd edition on Programming systems, languages and applications based on actors, agents, and decentralized control abstractions, (123-128)
  60. Strickland T, Tobin-Hochstadt S, Findler R and Flatt M Chaperones and impersonators Proceedings of the ACM international conference on Object oriented programming systems languages and applications, (943-962)
  61. King-Lacroix J and Martin A BottleCap Proceedings of the seventh ACM workshop on Scalable trusted computing, (45-54)
  62. Niu B and Tan G Enforcing user-space privilege separation with declarative architectures Proceedings of the seventh ACM workshop on Scalable trusted computing, (9-20)
  63. Terei D, Marlow S, Peyton Jones S and Mazières D Safe haskell Proceedings of the 2012 Haskell Symposium, (137-148)
  64. Dinges P and Agha G Scoped synchronization constraints for large scale actor systems Proceedings of the 14th international conference on Coordination Models and Languages, (89-103)
  65. Saghafi S, Fisler K and Krishnamurthi S Features and object capabilities Proceedings of the 11th annual international conference on Aspect-oriented Software Development, (25-34)
  66. Stefan D, Russo A, Mazières D and Mitchell J Disjunction category labels Proceedings of the 16th Nordic conference on Information Security Technology for Applications, (223-239)
  67. Warg A and Lackorzynski A Rounding pointers Proceedings of the 6th Workshop on Programming Languages and Operating Systems, (1-5)
  68. Gorlick M, Strasser K, Baquero A and Taylor R CREST Proceedings of the ACM international conference companion on Object oriented programming systems languages and applications companion, (193-194)
  69. Austin T, Disney T and Flanagan C Virtual values for language extension Proceedings of the 2011 ACM international conference on Object oriented programming systems languages and applications, (921-938)
  70. Austin T, Disney T and Flanagan C (2011). Virtual values for language extension, ACM SIGPLAN Notices, 46:10, (921-938), Online publication date: 18-Oct-2011.
  71. Disney T, Flanagan C and McCarthy J Temporal higher-order contracts Proceedings of the 16th ACM SIGPLAN international conference on Functional programming, (176-188)
  72. Disney T, Flanagan C and McCarthy J (2011). Temporal higher-order contracts, ACM SIGPLAN Notices, 46:9, (176-188), Online publication date: 18-Sep-2011.
  73. De Groef W, Devriese D and Piessens F Better security and privacy for web browsers Proceedings of the 8th international conference on Formal Aspects of Security and Trust, (21-38)
  74. Birgisson A, Russo A and Sabelfeld A Capabilities for information flow Proceedings of the ACM SIGPLAN 6th Workshop on Programming Languages and Analysis for Security, (1-15)
  75. Felt A, Finifter M, Weinberger J and Wagner D Diesel Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, (416-422)
  76. Toledo R Exploiting modular access control for advanced policies Proceedings of the tenth international conference on Aspect-oriented software development companion, (87-88)
  77. Bracha G Modules Proceedings of the tenth international conference on Aspect-oriented software development, (283-284)
  78. Van Cutsem T and Miller M (2010). Proxies, ACM SIGPLAN Notices, 45:12, (59-72), Online publication date: 3-Dec-2010.
  79. Van Cutsem T and Miller M Proxies Proceedings of the 6th symposium on Dynamic languages, (59-72)
  80. Cappos J, Dadgar A, Rasley J, Samuel J, Beschastnikh I, Barsan C, Krishnamurthy A and Anderson T Retaining sandbox containment despite bugs in privileged memory-safe code Proceedings of the 17th ACM conference on Computer and communications security, (212-223)
  81. Wood A and Zhao Y Vistas Proceedings of the 2010 conference on Parallel processing, (689-696)
  82. Kuz I, Klein G, Lewis C and Walker A capDL Proceedings of the first ACM asia-pacific workshop on Workshop on systems, (31-36)
  83. Arnaud J, Denker M, Ducasse S, Pollet D, Bergel A and Suen M Read-only execution for dynamic languages Proceedings of the 48th international conference on Objects, models, components, patterns, (117-136)
  84. Bracha G, von der Ahé P, Bykov V, Kashai Y, Maddox W and Miranda E Modules as objects in newspeak Proceedings of the 24th European conference on Object-oriented programming, (405-428)
  85. Mettler A and Wagner D Class properties for security review in an object-capability subset of Java Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, (1-7)
  86. Lachmund S Auto-generating access control policies for applications by static analysis with user input recognition Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems, (8-14)
  87. Meyerovich L, Felt A and Miller M Object views Proceedings of the 19th international conference on World wide web, (721-730)
  88. Krishnamurthy A, Mettler A and Wagner D Fine-grained privilege separation for web applications Proceedings of the 19th international conference on World wide web, (551-560)
  89. Lachmund S and Hengst G Auto-generation of least privileges access control policies for applications supported by user input recognition Transactions on computational science XI, (17-38)
  90. Murray T and Lowe G Analysing the information flow properties of object-capability patterns Proceedings of the 6th international conference on Formal Aspects in Security and Trust, (81-95)
  91. Wang Y, Kelly T, Kudlur M, Lafortune S and Mahlke S Gadara Proceedings of the 8th USENIX conference on Operating systems design and implementation, (281-294)
  92. Wilcox-O'Hearn Z and Warner B Tahoe Proceedings of the 4th ACM international workshop on Storage security and survivability, (21-26)
  93. Finifter M, Mettler A, Sastry N and Wagner D Verifiable functional purity in java Proceedings of the 15th ACM conference on Computer and communications security, (161-174)
  94. Košík M Taming of pict Proceedings of the 34th conference on Current trends in theory and practice of computer science, (610-621)
  95. Li J and Karp A Access control for the services oriented architecture Proceedings of the 2007 ACM workshop on Secure web services, (9-17)
  96. Courtès L, Killijian M and Powell D Security rationale for a cooperative backup service for mobile devices Proceedings of the Third Latin-American conference on Dependable Computing, (212-230)
  97. Miller M, Donnelley J and Karp A Delegating responsibility in digital systems Proceedings of the 2nd USENIX workshop on Hot topics in security, (1-5)
  98. Walfield N and Brinkmann M (2007). A critique of the GNU hurd multi-server operating system, ACM SIGOPS Operating Systems Review, 41:4, (30-39), Online publication date: 1-Jul-2007.
  99. Van Cutsem T, Dedecker J and De Meuter W Object-oriented coordination in mobile ad hoc networks Proceedings of the 9th international conference on Coordination models and languages, (231-248)
Contributors
  • Johns Hopkins University
  • Google LLC