Team for Research in
Ubiquitous Secure Technology

InvisiType: Object-Oriented Security Policies

Citation
"InvisiType: Object-Oriented Security Policies". Jiwon Seo and Monica S. Lam (eds.), Annual Network and Distributed System Security Symposium, 2010.

Abstract
Many modern software platforms today, including browsers, middleware server architectures, cell phone operating systems, web application engines, support thirdparty software extensions. This paper proposes InvisiType, an object-oriented approach that enables platform developers to efficiently enforce fine-grained safety checks on thirdparty extensions without requiring their cooperation. This allows us to harness the true power of third-party software by giving it access to sensitive data while ensuring that it does not leak data. In this approach, a platform developer encapsulates all safety checks in a policy class and selectively subjects objects at risk to these policies. The runtime enforces these policies simply by changing the types of these objects dynamically. It uses the virtual method dispatch mechanism to substitute the original methods and operations with code laced with safety checks efficiently. The runtime hides the type changes from application code so the original code can run unmodified. We have incorporated the notion of InvisiType into the Python language. We have applied the technique to 4 realworld Python web applications totaling 156,000 lines of code. InvisiType policies greatly enhance the security of the web applications, including MoinMoin, a popular, 94,000- line Wiki Engine. MoinMoin has a large number of thirdparty extensions, which makes security enforcement important. With less than 150 lines of Python code, we found 16 security bugs in MoinMoin. This represents a significant reduction in developers’ effort from a previous proposal, Flume, which required 1,000 lines of C++ code and modifications to 1,000 lines of Python code. Our InvisiType policies successfully found 19 cross-site scripting vulnerabilities and 6 access control errors in total. The overhead of applying the policies is less than 4 percent, indicating that the technique is practical.

Electronic downloads

Citation formats  
  • HTML 
     <a
href="http://www.truststc.org/pubs/734.html"
><i>InvisiType: Object-Oriented Security
Policies</i></a>, Jiwon Seo and Monica S. Lam
(eds.), Annual Network and Distributed System  Security
Symposium, 2010.
  • Plain text 
     "InvisiType: Object-Oriented Security Policies".
Jiwon Seo and Monica S. Lam (eds.), Annual Network and
Distributed System  Security Symposium, 2010.
  • BibTeX 
    @proceedings{SeoLam10_InvisiTypeObjectOrientedSecurityPolicies,
    title = {InvisiType: Object-Oriented Security Policies},
    editor = {Jiwon Seo and Monica S. Lam},
    organization = {Annual Network and Distributed System  Security
              Symposium},
    year = {2010},
    abstract = {Many modern software platforms today, including
              browsers, middleware server architectures, cell
              phone operating systems, web application engines,
              support thirdparty software extensions. This paper
              proposes InvisiType, an object-oriented approach
              that enables platform developers to efficiently
              enforce fine-grained safety checks on thirdparty
              extensions without requiring their cooperation.
              This allows us to harness the true power of
              third-party software by giving it access to
              sensitive data while ensuring that it does not
              leak data. In this approach, a platform developer
              encapsulates all safety checks in a policy class
              and selectively subjects objects at risk to these
              policies. The runtime enforces these policies
              simply by changing the types of these objects
              dynamically. It uses the virtual method dispatch
              mechanism to substitute the original methods and
              operations with code laced with safety checks
              efficiently. The runtime hides the type changes
              from application code so the original code can run
              unmodified. We have incorporated the notion of
              InvisiType into the Python language. We have
              applied the technique to 4 realworld Python web
              applications totaling 156,000 lines of code.
              InvisiType policies greatly enhance the security
              of the web applications, including MoinMoin, a
              popular, 94,000- line Wiki Engine. MoinMoin has a
              large number of thirdparty extensions, which makes
              security enforcement important. With less than 150
              lines of Python code, we found 16 security bugs in
              MoinMoin. This represents a significant reduction
              in developers’ effort from a previous proposal,
              Flume, which required 1,000 lines of C++ code and
              modifications to 1,000 lines of Python code. Our
              InvisiType policies successfully found 19
              cross-site scripting vulnerabilities and 6 access
              control errors in total. The overhead of applying
              the policies is less than 4 percent, indicating
              that the technique is practical.},
    URL = {http://www.truststc.org/pubs/734.html}
}

Posted by Jessica Gamble on 3 May 2010.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.