Stack Inspection

Types for stack inspection
  - Want to do static checking of \lamda_sec code
    -- Statically detect security failures
    -- Eliminate redundant checks
    -- Example of nonstandard type system for
       enforcing security properties

  - Type system based on work by Pottier, Skalka and
    Smith
    -- "A systematic approach to static access control"

  - Explain the type system by taking a detour through
    "security-passing" style
    -- see Wallach's & Felten's

  adding static checking
    - new expresseion form:
        check p then e
        ==
        test p then e else fail
    - the type system will ensure that the check always
      succeeds

  Basic idea: convert the "stack-crawling" form into a
  "permission-set passing style"
    - computer the current set of permsssions at any point
      in the code
    - make the set of permissions explicit as an extra 
      parameter to functions (hence "seucirty-passing style)

  Target language is untyped lambda calculus with a primitive
  datatype of sets

  YAFOSI
    
       R; S; x |- T

       R : staitic permsision
       S : dynamic permission
       x : stack
       T : the set of permsiisions granted by stack x

       P; P; x |- T  p \in T
       ---------------------
	     x |- p
       computes the answer bottom to top (in the order
       that the stack is built)

       "Eager" stack inspection

       lemma: stack(E) |- p in the first formulation iff
	      stack(E) |- p in the eager formulation

       Target language, \lamda_set
       
       Translation: \lamda_sec to \lamda_set
           [[e]]R     : translation of e in domain R
	   [[x]]R     : x
     [[\lamda_x.e]]]R : \lamda_x.\lamda_s.[[e]]R
	  [[e f]]R    : [[e]]R [[f]]R s
  [[let x = e in f]]R : let x = [[e]]R in [[f]]R
   [[enable p in e]]R : let s = s \union ({f} \intesect R) in [[e]]R
           [[R'{e}]]R : let s = s \intesect R' in [[e]]R'
  [[check r then e]]R : if r \in s then [[e]]R else fail
[[test r then e1 else e2]]R
		      : if r \in s then [[e1]]R else [[e2]]R
     Top level  [[e]] : [[e]]P{P/s}

Typing judgments
  R; S; \lamba |- x : \lambda(x)

Typing rules
  ...

Type Safety
   
Discussion
  Problem: Applets returning closures that circumvent stack
	   inspection
  Possible solution:
    -- values of the form: R{v}, keep track of the protection
       domain of the source
    -- have closures capture their current secuirty context
    -- integrity analysis (i.e. where data comes from)
  Fournet & Gordon prove some properties of strengthened versions
  of stack inspection.

Stack Inspection++
  - enforces a form of integrity policy
  - can combine with information-flow policies
    -- Baerjee & Naumann, CSFW 03
    -- Tse & Zdancewic, IEEE S&P 04
