Sun and the CERT recommend, for secure Java development, that partially initialized objects must not be accessible. The CERT rates the severity of the risks incurred by not following this recommendation as high. The solution currently used to enforce object initialization is to implement a coding pattern proposed by Sun, which is not formally checked. We propose a modular type system to formally specify the initialization policy of libraries or programs, and a type checker to statically check at load time that all loaded classes respect the policy. This makes it possible to prove the absence of the bugs that have enabled some famous privilege escalations in Java. Our experimental results show that our safe default policy allows us to prove 91% of the classes of java.lang, java.security and javax.security safe without any annotation, and that by adding 57 simple annotations we proved all classes but four safe. The type system and its soundness theorem have been formalized and machine checked using Coq.
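As an added illustration (not code from the paper or its authors), the following Java sketch shows the "initialized flag" coding pattern that the abstract refers to, next to a variant that omits it. The class, method and permission names are hypothetical; the pattern itself is the one described in Sun's Secure Coding Guidelines and the CERT Java rules: perform the security check first, set a flag as the last statement of the constructor, and re-check that flag in every method that depends on the constructor having completed. The point the paper makes is that nothing in the language enforces this discipline; each guard has to be written and reviewed by hand, which is what the proposed type system checks automatically.

```java
import java.security.Permission;

// Hypothetical permission guarding creation of the resource (an assumption, not from the paper).
final class GuardedPermissions {
    static final Permission CREATE = new RuntimePermission("createGuardedResource");

    static void checkCreate() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(CREATE);
        }
    }
}

// Variant WITHOUT the pattern: the permission check happens, but nothing records
// whether the constructor actually ran to completion. If the check throws, an
// instance that was nonetheless observed before the constructor finished (the
// class is not final) answers reveal() as if it were a legitimate object.
class UnguardedResource {
    protected String secret;

    UnguardedResource(String secret) {
        GuardedPermissions.checkCreate();
        this.secret = secret;
    }

    String reveal() {
        return secret;   // no proof that the constructor completed
    }
}

// Variant WITH the Sun/CERT pattern, for a class that cannot be made final.
class GuardedResource {
    // volatile so that a thread reading 'true' also sees the fields written before it.
    private volatile boolean initialized = false;
    private String secret;

    GuardedResource(String secret) {
        // 1. Security check before any state is assigned.
        GuardedPermissions.checkCreate();
        this.secret = secret;
        // 2. Flag set as the very last statement: the object is now fully constructed.
        this.initialized = true;
    }

    // 3. Every sensitive method starts with this guard. This is the manual discipline
    //    that the type system in the paper verifies at class-load time.
    private void checkInitialized() {
        if (!initialized) {
            throw new SecurityException("object is not fully initialized");
        }
    }

    String reveal() {
        checkInitialized();
        return secret;
    }
}

public class InitializationPatternDemo {
    public static void main(String[] args) {
        // With no SecurityManager installed both constructors succeed and behave the same.
        GuardedResource ok = new GuardedResource("constructed sample value");
        System.out.println("guarded: " + ok.reveal());

        UnguardedResource plain = new UnguardedResource("constructed sample value");
        System.out.println("unguarded: " + plain.reveal());
        // The difference only matters when the constructor does not run to completion:
        // GuardedResource.reveal() then throws SecurityException, UnguardedResource.reveal()
        // silently returns whatever state (possibly null) the partial object holds.
    }
}
```

The guard in `GuardedResource` is only as good as the reviewer's certainty that every method and every subclass honours it, and `UnguardedResource` compiles just as cleanly; a load-time type check of the initialization policy, as the abstract proposes, is what turns that convention into a verified property.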