Document details

Trabalho apresentado no âmbito do Mestrado em Engenharia Informática, como requisito parcial para obtenção do grau de Mestre em Engenharia Informática

The need for a security system to ensure the integrity of protected data leads to the development of access control systems, whose purpose is to prevent access to protected information or resources by unauthorized individuals. In this thesis, we develop and formalize a type and effect system that verifies the access control to objects in a simplified object-oriented language. Traditionally, access control is done only at run-time, using dynamic techniques, such as access control lists, that perform run-time verifications for credentials and privileges. However, these techniques increase the total execution time of an operation, potentially breaking system requirements such as usability or response time. Static approaches, based on static analysis or type systems, reduce the amount of run-time checks by doing some of those checks during compile-time, preventing the occurrence of errors before running the program and offering formal proofs of system correctness. The type system developed in this dissertation deals with the dynamic delegation of authorizations to access objects. An authorization includes the identification of the protected object and its access policy and is considered by the type system as a first class value. As such, object types are extended with policies that reflect the current privilege associated with the object, and typing an expression can produce an effect on policies. We name this new type as user type and the respective value as user view, which contain the object’s reference and a policy to access the object. We consider privileges over objects to be the methods that can be invoked. So, a policy states what methods are available to be called. When typing a method call by an user view, we are able to verify if it was authorized, that is, if the current policy says that the method is available. This mechanism allows the removal of common security specifications from class declarations, as visibility modifiers (public, private). Furthermore, we present a soundness result for our type system. We also implemented a typechecking algorithm for our type system, resulting in a tool to verify the integrity of protected objects in a system designed in the defined programming language.

This work was supported by a CITI research grant