Virtual values for language extension

Austin, Thomas H.; Disney, Tim; Flanagan, Cormac

doi:10.1145/2048066.2048136

Cited by 23 publications

(8 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Yet to avoid jeopardizing the security of the host page, the programmer of the host page needs to carefully restrict the authority of embedded code. To help programmers resolve this tension, tools for "taming" third-party JavaScript code, such as Caja [1] and JSand [6], use JavaScript proxy technology [7,8,9] to enforce the principles of object capabilities on mashups. Object-capability systems [10] treat all object references as capabilities and achieve capability safety by restricting object interactions to message passing.…”

Section: A Example: Securing a Web Mashupmentioning

confidence: 99%

“…Object-capability-safe languages typically already have constructs that achieve complete and transparent mediation and interposition, e.g., membranes [10] in E and Caja. Recent research [7] explores the addition of such a feature to existing languages, and contract systems have been implemented using membrane-like constructs [19,31]. In addition, membranes have been used to equip Javascript objects with contracts for path-based access control for method invocation [32].…”

Section: B Implementing Capability Controlmentioning

confidence: 99%

See 1 more Smart Citation

Declarative Policies for Capability Control

Dimoulas

Moore

Askarov

et al. 2014

2014 IEEE 27th Computer Security Foundations Symposium

View full text Add to dashboard Cite

In capability-safe languages, components can access a resource only if they possess a capability for that resource. As a result, a programmer can prevent an untrusted component from accessing a sensitive resource by ensuring that the component never acquires the corresponding capability. In order to reason about which components may use a sensitive resource it is necessary to reason about how capabilities propagate through a system. This may be difficult, or, in the case of dynamically composed code, impossible to do before running the system. To counter this situation, we propose extensions to capabilitysafe languages that restrict the use of capabilities according to declarative policies. We introduce two independently useful semantic security policies to regulate capabilities and describe language-based mechanisms that enforce them. Access control policies restrict which components may use a capability and are enforced using higher-order contracts. Integrity policies restrict which components may influence (directly or indirectly) the use of a capability and are enforced using an information-flow type system. Finally, we describe how programmers can dynamically and soundly combine components that enforce access control or integrity policies with components that enforce different policies or even no policy at all.

show abstract

Section: A Example: Securing a Web Mashupmentioning

confidence: 99%

Section: B Implementing Capability Controlmentioning

confidence: 99%

Declarative Policies for Capability Control

Dimoulas

Moore

Askarov

et al. 2014

2014 IEEE 27th Computer Security Foundations Symposium

View full text Add to dashboard Cite

show abstract

“…First, we manually combine the example test programs into a single file via concatenation (not shown). 4 DSLInfer uses the Ruby Intermediate Language (RIL) [19], a tool designed for exactly this kind of use, to parse in the example programs and replace each call m(args...) without an explicit receiver (i.e., a potential keyword call) with a call to dsl log(:m, stmt id, args...). Here, m is the method name, stmt id is the unique RIL statement id, and args are the original 4 No example uses side effects such that concatenation would be unsafe.…”

Section: Contracts For Dsl Structurementioning

confidence: 99%

“…Proxies. Both Strickland et al [31] and Austin et al [4] present systems for proxying primitive values and interposing on their operations in JavaScript and Racket, respectively. Method shims in our implementation are inspired by Strickland et al's description of chaperones and impersonators for functional values.…”

Section: Related Workmentioning

confidence: 99%

Contracts for domain-specific languages in Ruby

Strickland¹,

Ren²,

Foster³

2014

Proceedings of the 10th ACM Symposium on Dynamic Languages

View full text Add to dashboard Cite

This paper concerns object-oriented embedded DSLs, which are popular in the Ruby community but have received little attention in the research literature. Ruby DSLs implement language keywords as implicit method calls to self; language structure is enforced by adjusting which object is bound to self in different scopes. While Ruby DSLs are powerful and elegant, they suffer from a lack of specification. In this paper, we introduce contracts for Ruby DSLs, which allow us to attribute blame appropriately when there are inconsistencies between an implementation and client. We formalize Ruby DSL contract checking in DSL, a core calculus that uses premethods with instance evaluation to enforce contracts. We then describe RDL, an implementation of Ruby DSL contracts. Finally, we present two tools that automatically infer RDL contracts: Type-Infer infers simple, type-like contracts based on observed method calls, and DSLInfer infers DSL keyword scopes and nesting by generating and testing candidate DSL usages based on initial examples. The type contracts generated by TypeInfer work well enough, though they are limited in precision by the small number of tests, while DSLInfer finds almost all DSL structure. Our goal is to help users understand a DSL from example programs.

show abstract

“…Such objects have been called mirages [15] or virtual values [4], and have largely been studied in the context of behavioural intercession, or augmenting or replacing behaviours on existing objects. Holographic objects are similar in implementation, but focus instead on reproducing the behaviour of base objects with no actual base object available in the runtime to provide the base behaviour.…”

Section: Mirror-based Behavioral Intercessionmentioning

confidence: 99%

Interacting with dead objects

Salkeld

Kiczales

2013

Proceedings of the 2013 ACM SIGPLAN International Conference on Object Oriented Programming Systems Languages &Amp; Application

View full text Add to dashboard Cite

Debugging and analyzing a snapshot of a crashed program's memory is far more difficult than working with a live program, because debuggers can no longer execute code to help make sense of the program state. We present an architecture that supports the restricted execution of ordinary code starting from the snapshot, as if the dead objects within it had been restored, but without access to their original external environment. We demonstrate the feasibility of this approach via an implementation for Java that does not require a custom virtual machine, show that it performs competitively with live execution, and use it to diagnose an unresolved memory leak in a mature mainstream application.

show abstract

Virtual values for language extension

Cited by 23 publications

References 21 publications

Declarative Policies for Capability Control

Declarative Policies for Capability Control

Contracts for domain-specific languages in Ruby

Interacting with dead objects

Contact Info

Product

Resources

About