Secure Information Flow and Pointer Confinement in a Java-like Language

Anindya Banerjee and David A. Naumann
Kansas State University and Stevens Institute of Technology
The Problem

• System with High and Low inputs, L ≤ H. H: secret/private/classified. L: users permitted to see L outputs.
  (Security policy: confidentiality, "PROTECT SECRETS")
• Formalise for systems programmed in Java-like languages.
• Noninterference (NI) [Goguen-Meseguer '82]: "No matter how H inputs change, L outputs remain the same."
  No information flow from H to L.
Our Contribution

Type-based analysis for secure information flow.
• Sequential, Java-like language
  - private fields, class-based visibility
  - mutually recursive classes, methods
  - pointers, mutable state, dynamic allocation
  - inheritance, dynamic dispatch
• Security type system
  - Data flow (via mutable fields)
  - Control flow (via dynamic dispatch)
• Proof of noninterference (denotational semantics, compositional proofs)
What We Have Not Done

• Extension to full Java Card
  - Exceptions
  - Protected fields, private/protected classes, interfaces, packages
• Extension to full Java
  - Threads
  - Class loading, reflection, native methods
  - Generics
  - ...
Previous Work: Main Inspirations

• Noninterference: Goguen-Meseguer, Denning-Denning
• Type-based analyses for information flow:
  1996: Smith, Volpano (simple imperative language)
  1999: Abadi et al. (DCC: information flow as dependence analysis)
  1999: Sabelfeld, Sands (threads, possibilistic NI, probabilistic NI)
  1999: Myers (Java, but NI open)
  2000: Pottier, Simonet, Conchon (core ML)

Previous Work: Main Inspirations

• Abstract-interpretation-based analyses for information flow:
  1992: Mizuno, Schmidt (logical relations to prove NI)
• Our focus: type-based analyses for information flow (Smith, Volpano)
  - Cope with threads, non-determinism, stochastic processes, declassification, ...
  - Cope with realistic programming languages.
Example: Aliasing (1)

[Code listing not recoverable from this extraction. It declares classes LBuf and HBuf (HBuf extends LBuf) and variables lp and xp. The readable level annotations mark LBuf, lp.name and xp.name as L and xp.hiv as H; the final build of the slide relates lp.name to xp.name and to xp.hiv.]
Annotated Types Prevent Direct Data Flows

[Annotated version of the LBuf/HBuf listing, with each field and method given a (type, level) pair; not recoverable from this extraction.]

No direct assignment from H to L.
Example: Aliasing (1) Revisited

[The Aliasing (1) program and the LBuf/HBuf classes with annotated types: LBuf at level L, HBuf at level H, variables lp : (LBuf, L) and xp : (HBuf, H); not recoverable from this extraction.]
Example: Aliasing (2)

[Listing not recoverable from this extraction: an L class LBuf with a method whose body mentions self, an H subclass HBuf, and a further subclass of HBuf that overrides that method.]

• Require: an H-subclass of an L-class overrides all inherited methods.
• Restrictive: why override getName? (LBuf's getName just returns self.name.)
• Use an anonymous method(?) "self" not leaked...
Example: Control Flow (Conditional)

[Listing not recoverable from this extraction: a method of HBuf that branches on an H field of self, assigns a different string constant to the same local in each branch, and returns that local. The annotated version gives the method and its local the level H.]

If the guard is H, only H-variables and H-fields may be modified.
Example: Control Flow (Dynamic Dispatch)

[Listing not recoverable from this extraction: a method of HBuf that, under an H guard, assigns an object of one of two subclasses of a common superclass to a local, and then calls a boolean-returning method on it; the two subclasses' implementations of that method differ. The annotations give the local and the call's result the level H, and the boolean result of the subsequent call the type (bool, H).]

If the level of the receiver is H, the level of the result returned from the method call is H.
Example: Dynamic Dispatch, Leaks via Heap

[Listing not recoverable from this extraction: a superclass with a boolean field, a getter and a setter for it, and a method that calls the setter; two subclasses override that method to store different constants. A variable y receives the result of a call on an H receiver, and a later y.get() observes the field. In the annotated version the field and the getter's result are (bool, H), and the observation is at level H.]

If the level of the receiver is H, only H-fields may be modified in the method call.
Pointer Confinement

• An L-object may be aliased by an L-var and by an H-var.
• An L-class may have an H-subclass.
  Show L-confinement:
  1. L-vars and L-fields do not contain H-pointers.
  2. The meaning of an L-expression is never an H-pointer.
• In conditionals and dynamic dispatch, assignment may be confined to H-vars and H-fields.
  Show H-confinement: input states and output states are indistinguishable by L.
Formalisation

(Symbols in the formal slides are reconstructed from a garbled extraction.)

Types:
  κ ::= L | H
  T ::= unit | bool | C
  θ ::= (T, κ)                        // security type

Typing judgements:
  Δ ⊢ e : (T, κ)                      // Δ: security type context
  Δ ⊢ S : com κ1, κ2                  "assign to vars ≥ κ1, update fields ≥ κ2"
Formalisation

Meanings of typing judgements: [[Δ ⊢ e : T]] and [[Δ ⊢ S : com]] are interpreted over
  μ        method environment
  η        stack
  h        heap
  (η, h)   state, with η ∈ [[Δ]]

Related states (η, h) ~L (η', h') are indistinguishable by L:
  η ~L η'  iff for all x ∈ dom Δ, if Δ x = (T, L) then η x = η' x;
  h ~L h'  iff h and h' have the same L-locations and those have equal L-fields.
Safe Expressions

Suppose:
• Δ ⊢ e : (T, L)
• (η, h) ~L (η', h')
• μ, η, η', h, h' are L-confined
• μ is such that a method call in L-confined μ, η, η', h, h' with (η, h) ~L (η', h') yields related heaps and (if non-⊥) returns equal results if the return type of the method is L
• [[Δ ⊢ e : T]] μ η h ≠ ⊥ ≠ [[Δ ⊢ e : T]] μ η' h'
Then:
  [[Δ ⊢ e : T]] μ η h = [[Δ ⊢ e : T]] μ η' h'
Safe Commands

Suppose:
• Δ ⊢ S : com κ1, κ2
• μ is H-confined
• ... same as for expressions ...
• [[Δ ⊢ S : com]] μ η h ≠ ⊥ ≠ [[Δ ⊢ S : com]] μ η' h'
Then the output states are related: (η1, h1) ~L (η1', h1'), where
  (η1, h1)   = [[Δ ⊢ S : com]] μ η h
  (η1', h1') = [[Δ ⊢ S : com]] μ η' h'
Ongoing/Future Work

• Extension to full Java Card
• Extension to full Java
  - Threads
  - Generics
  - ...
• Termination-insensitivity
• Inference of annotations (Pottier et al.)
• Declassification (Halpern & O'Neill, Myers & Zdancewic)
L-confinement (⊢)

• Define Loc_L = {ℓ ∈ Loc | level ℓ = L}.
• For heaps, define ⊢ h iff for all ℓ ∈ dom h and every field f of the object h ℓ, if stype(f, C) = (T, L) for some T (C the class of h ℓ) and h ℓ f ∈ Loc, then h ℓ f ∈ Loc_L.
• For environments, define ⊢ Δ η iff for every x with Δ x = (T, L) for some T, if η x ∈ Loc then η x ∈ Loc_L.
• For method environments, define ⊢ μ iff the following holds: for every m, C, η, h, if ⊢ h, ⊢ Δ η, and μ C m η h = (d, h1), then ⊢ h1 and (κ' = L ∧ d ∈ Loc ⇒ d ∈ Loc_L),
  where smtype(m, C) = (T̄, κ̄) →[κ3] (T, κ'), pars(m, C) = x̄ : (T̄, κ̄), Δ = x̄ : (T̄, κ̄), self : (C, level C), and (d, h1) = μ C m η h.
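The relations of the Related States slide and the L-confinement predicates above, made concrete as an added example (my code, not the authors'): a state is a pair of a variable map and a heap of field dictionaries, a location is a tagged tuple whose class fixes its level, and the class and field level tables, the variable names and the hand-simulated final_state are all assumptions. It checks that two runs of the heap example differing only in an H input leave L-related states when getName returns the L field, and unrelated states when it returns hiv. One caveat a practitioner should keep in mind: the type system rejects even the harmless variant (the receiver xp is H), whereas this semantic check only reports whether one particular pair of runs is distinguishable by L.

```python
# The relations from the slides made concrete.  Added example, not the authors'
# code: the value representation, the two level tables and every name are my
# assumptions.  A state is (eta, h): eta maps variables to values and h maps
# locations to objects (dicts of fields).  A location is a tuple ("loc", n, C)
# whose class C fixes its level, so level(l) = level C.
L, H = "L", "H"
CLASS_LEVEL = {"LBuf": L, "HBuf": H}           # level C for the two classes of the example
FIELD_LEVEL = {"name": L, "hiv": H}             # stype(f, C), keyed by field name only (assumed unique)

def is_loc(v): return isinstance(v, tuple) and v[0] == "loc"
def is_high_ptr(v): return is_loc(v) and CLASS_LEVEL[v[2]] == H
def low_locs(h): return {l for l in h if CLASS_LEVEL[l[2]] == L}

def stack_confined(delta, eta):                 # |- Delta eta: no L variable holds an H pointer
    return not any(is_high_ptr(eta[x]) for x, (_, k) in delta.items() if k == L)

def heap_confined(h):                           # |- h: no L field of any object holds an H pointer
    return not any(is_high_ptr(v) for obj in h.values() for f, v in obj.items() if FIELD_LEVEL[f] == L)

def stacks_related(delta, eta1, eta2):          # eta ~L eta': equal on every L variable
    return all(eta1[x] == eta2[x] for x, (_, k) in delta.items() if k == L)

def heaps_related(h1, h2):                      # h ~L h': same L locations, and their L fields agree
    lows = low_locs(h1)
    return lows == low_locs(h2) and all(
        h1[l][f] == h2[l][f] for l in lows for f in h1[l] if FIELD_LEVEL[f] == L)

def states_related(delta, s1, s2):              # (eta, h) ~L (eta', h')
    return stacks_related(delta, s1[0], s2[0]) and heaps_related(s1[1], s2[1])

DELTA = {"lp": ("LBuf", L), "xp": ("HBuf", H)}  # assumed context for the example

def final_state(secret, leaky):
    """Hand-simulated end state of the heap example (my construction): an HBuf xp
    holding the secret in hiv and an LBuf lp, after lp.name := xp.getName().
    In the leaky variant HBuf.getName returns hiv instead of name."""
    xp, lp = ("loc", 1, "HBuf"), ("loc", 2, "LBuf")
    h = {xp: {"name": "hb", "hiv": secret}, lp: {"name": "lb"}}
    h[lp]["name"] = h[xp]["hiv"] if leaky else h[xp]["name"]
    return {"lp": lp, "xp": xp}, h
```

states_related(DELTA, final_state("a", False), final_state("b", False)) holds, because the two runs agree on lp.name and the H location of xp is invisible to L; with leaky=True the secret lands in an L field of an L location and the states are no longer related, which is exactly the failure of noninterference the slides guard against.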
Type Rules

Field update (private fields: f must be declared in the class of self):
  C = Δ self    T f ∈ dfields C    Δ ⊢ e1 : C    Δ ⊢ e2 : T'    T' ≤ T
  ----------------------------------------------------------------------
  Δ ⊢ e1.f := e2 : com

Method call:
  mtype(m, D) = T̄ → T    Δ ⊢ e : D    Δ ⊢ ē : T̄'    T̄' ≤ T̄
  ------------------------------------------------------------
  Δ ⊢ e.m(ē) : com
Security Type Rules

Assignment (x ≠ self):
  Δ, x : (T1, κ1) ⊢ e : (T2, κ2)    T2 ≤ T1    κ2 ≤ κ1    κ3 ≤ κ1
  ------------------------------------------------------------------
  Δ, x : (T1, κ1) ⊢ x := e : com κ3, κ4

Field update:
  (T, κ2) f ∈ sdfields C    Δ ⊢ e1 : (C, κ1)    Δ ⊢ e2 : (T', κ3)    T' ≤ T    κ1 ⊔ κ3 ⊔ κ5 ≤ κ2
  ------------------------------------------------------------------------------------------
  Δ ⊢ e1.f := e2 : com κ4, κ5

Method call (κ3 on the arrow is the level of the fields the method body may update):
  smtype(m, D) = (T̄, κ̄) →[κ3] (T, κ2)    Δ ⊢ e : (D, κ4)    Δ ⊢ ē : (T̄', κ5)    T̄' ≤ T̄    κ5 ≤ κ̄    κ4 ⊔ κ6 ≤ κ3
  -------------------------------------------------------------------------------------------------------------
  Δ ⊢ e.m(ē) : com κ7, κ6

The variable component of a com judgement is unconstrained where no variable is assigned, and the field component where no field is updated: the judgement only bounds what the command writes.
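The rules of this and the preceding Type Rules slide, together with the "Annotated Types", conditional and dynamic-dispatch slides, as an added example (my code, not the paper's): a small checker over tuple-encoded commands of the core calculus. The class-table layout, the tuple encoding, the per-method effect level standing in for κ3 on the arrow, and every identifier are assumptions. It rejects the direct flow lp := xp (an L variable aliasing an H object), a call whose H receiver would place an H result in an L variable, an H guard around an L write, a field update from outside the declaring class, and an HBuf.getName override that returns hiv under an L result type; demo_classes builds the LBuf/HBuf table with stand-in method bodies.

```python
# Toy checker for the security type rules on the slides.  Added example, not the
# authors' code: the class-table layout, the per-method "effect" (lowest level of
# any field the body may update) and all names are my assumptions.  Judgements are
# Delta |- e : (T, k) and Delta |- S : com k1, k2 (S writes only variables of level
# >= k1 and fields of level >= k2); the lattice is L < H.
L, H = "L", "H"
def leq(a, b): return a == L or b == H           # order on the two-point lattice
def lub(*ks): return H if H in ks else L
def glb(a, b): return L if L in (a, b) else H

class Reject(Exception): pass                    # a command or declaration breaks a rule

class Checker:
    def __init__(self, classes):                 # name -> {"super", "level", "fields", "methods"}
        self.classes = classes
    def subtype(self, t, u):                     # t <= u: equal, or t a subclass of u
        while t is not None and t != u:
            t = self.classes[t]["super"] if t in self.classes else None
        return t == u
    def smtype(self, c, m):                      # security signature of m along the superclass chain
        d = c
        while d in self.classes and m not in self.classes[d]["methods"]:
            d = self.classes[d]["super"]
        if d not in self.classes: raise Reject(f"no method {m} in {c}")
        return self.classes[d]["methods"][m]
    def methods_of(self, c):                     # every method name callable on class c
        return set() if c is None else set(self.classes[c]["methods"]) | self.methods_of(self.classes[c]["super"])
    def field(self, delta, c, f):                # private fields: visible only inside the declaring class
        if c != delta["self"][0] or f not in self.classes[c]["fields"]:
            raise Reject(f"field {f} of {c} not visible in {delta['self'][0]}")
        return self.classes[c]["fields"][f]
    def expr(self, delta, e):                    # Delta |- e : (T, k)
        if e[0] == "var": return delta[e[1]]
        if e[0] == "lit": return e[2], L         # ("lit", value, T): constants are public
        c, k = self.expr(delta, e[1])            # ("field", e1, f)
        t, kf = self.field(delta, c, e[2])
        return t, lub(k, kf)                     # a read through an H pointer is H data
    def cmd(self, delta, s):                     # Delta |- S : com k1, k2
        if s[0] == "skip": return H, H
        if s[0] == "seq":
            (a1, b1), (a2, b2) = self.cmd(delta, s[1]), self.cmd(delta, s[2])
            return glb(a1, a2), glb(b1, b2)
        if s[0] == "assign":                     # x := e : com k_x, H
            (t, k), (tx, kx) = self.expr(delta, s[2]), delta[s[1]]
            if not (self.subtype(t, tx) and leq(k, kx)):
                raise Reject(f"{s[1]} := ...: {k} data into {kx} variable")
            return kx, H
        if s[0] == "update":                     # e1.f := e2 : com H, k_f
            (c, k1), (t, k2) = self.expr(delta, s[1]), self.expr(delta, s[3])
            tf, kf = self.field(delta, c, s[2])
            if not (self.subtype(t, tf) and leq(lub(k1, k2), kf)):
                raise Reject(f"{lub(k1, k2)} data into {kf} field {s[2]}")
            return H, kf
        if s[0] == "if":                         # the guard level bounds every write in both branches
            _, k = self.expr(delta, s[1])
            (a1, b1), (a2, b2) = self.cmd(delta, s[2]), self.cmd(delta, s[3])
            a, b = glb(a1, a2), glb(b1, b2)
            if not (leq(k, a) and leq(k, b)):
                raise Reject(f"{k} guard, but a branch writes {a} variables / {b} fields")
            return a, b
        x, e, m, args = s[1:]                    # ("call", x, e, m, args) is x := e.m(args)
        d, kr = self.expr(delta, e)
        sig = self.smtype(d, m)
        for arg, (_, tp, kp) in zip(args, sig["params"]):
            ta, ka = self.expr(delta, arg)
            if not (self.subtype(ta, tp) and leq(ka, kp)):
                raise Reject(f"{m}: {ka} argument into {kp} parameter")
        (tx, kx), (tr, kres) = delta[x], sig["result"]
        # dispatch on an H receiver: the result is H, and the callee may update only H fields
        if not (self.subtype(tr, tx) and leq(lub(kres, kr), kx) and leq(kr, sig["effect"])):
            raise Reject(f"{m} on {kr} receiver into {kx} variable / {sig['effect']} fields")
        return kx, sig["effect"]
    def check_classes(self):                     # method bodies, plus the H-subclass-of-L-class rule
        for name, info in self.classes.items():
            sup, lvl = info["super"], info["level"]
            if sup and lvl == H and self.classes[sup]["level"] == L and self.methods_of(sup) - set(info["methods"]):
                raise Reject(f"H class {name} must override every inherited method")
            for m, sig in info["methods"].items():
                delta = {**{x: (t, k) for x, t, k in sig["params"]}, "self": (name, lvl)}  # self has its class level
                _, kf = self.cmd(delta, sig["body"])
                tr, kr = self.expr(delta, sig["ret"])
                if not (leq(sig["effect"], kf) and self.subtype(tr, sig["result"][0]) and leq(kr, sig["result"][1])):
                    raise Reject(f"{name}.{m}: body or result violates the declared signature")
        return True

def ok(check):                                   # True iff running the check raises no Reject
    try: check(); return True
    except Reject: return False

def demo_classes(leaky=False):                   # LBuf / HBuf of the slides; the method bodies are my stand-ins
    sig = {"params": [], "result": ("String", L), "effect": H, "body": ("skip",)}
    return {"Object": {"super": None, "level": L, "fields": {}, "methods": {}},
            "LBuf": {"super": "Object", "level": L, "fields": {"name": ("String", L)},
                     "methods": {"getName": dict(sig, ret=("field", ("var", "self"), "name"))}},
            "HBuf": {"super": "LBuf", "level": H, "fields": {"hiv": ("String", H)},  # H subclass of an L class
                     "methods": {"getName": dict(sig, ret=("field", ("var", "self"), "hiv") if leaky else ("lit", "", "String"))}}}
DEMO_DELTA = {"self": ("Object", L), "lp": ("LBuf", L), "xp": ("HBuf", H),
              "lname": ("String", L), "hname": ("String", H), "hflag": ("bool", H)}
```

Checker(demo_classes()).cmd(DEMO_DELTA, ("assign", "lp", ("var", "xp"))) raises Reject: the data type HBuf ≤ LBuf is fine, but the H level of xp cannot flow into the L variable lp, which is the L-confinement property (no L variable holds an H pointer) enforced at the type level. The same checker returns ("L", "H") for lname := lp.getName() and rejects lname := xp.getName(), since the receiver's level joins into the result; with leaky=True, check_classes rejects HBuf.getName because self.hiv has level H under a declared L result.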