Team for Research in
Ubiquitous Secure Technology

InvisiType: Object-Oriented Security Policies

Citation
"InvisiType: Object-Oriented Security Policies". Jiwon Seo and Monica S. Lam (eds.), Annual Network and Distributed System Security Symposium, 2010.

Abstract
Many modern software platforms today, including browsers, middleware server architectures, cell phone operating systems, web application engines, support third-party software extensions. This paper proposes InvisiType, an object-oriented approach that enables platform developers to efficiently enforce fine-grained safety checks on third-party extensions without requiring their cooperation. This allows us to harness the true power of third-party software by giving it access to sensitive data while ensuring that it does not leak data. In this approach, a platform developer encapsulates all safety checks in a policy class and selectively subjects objects at risk to these policies. The runtime enforces these policies simply by changing the types of these objects dynamically. It uses the virtual method dispatch mechanism to substitute the original methods and operations with code laced with safety checks efficiently. The runtime hides the type changes from application code so the original code can run unmodified. We have incorporated the notion of InvisiType into the Python language. We have applied the technique to 4 real-world Python web applications totaling 156,000 lines of code. InvisiType policies greatly enhance the security of the web applications, including MoinMoin, a popular, 94,000-line Wiki Engine. MoinMoin has a large number of third-party extensions, which makes security enforcement important. With less than 150 lines of Python code, we found 16 security bugs in MoinMoin. This represents a significant reduction in developers’ effort from a previous proposal, Flume, which required 1,000 lines of C++ code and modifications to 1,000 lines of Python code. Our InvisiType policies successfully found 19 cross-site scripting vulnerabilities and 6 access control errors in total. The overhead of applying the policies is less than 4 percent, indicating that the technique is practical.

Citation formats  
  • HTML
     <a
    href="http://www.truststc.org/pubs/734.html"
    ><i>InvisiType: Object-Oriented Security
    Policies</i></a>, Jiwon Seo and Monica S. Lam
    (eds.), Annual Network and Distributed System Security
    Symposium, 2010.
  • Plain text
     "InvisiType: Object-Oriented Security Policies".
    Jiwon Seo and Monica S. Lam (eds.), Annual Network and
    Distributed System Security Symposium, 2010.
  • BibTeX
    @proceedings{SeoLam10_InvisiTypeObjectOrientedSecurityPolicies,
        title = {InvisiType: Object-Oriented Security Policies},
        editor = {Jiwon Seo and Monica S. Lam},
        organization = {Annual Network and Distributed System Security
                  Symposium},
        year = {2010},
        abstract = {Many modern software platforms today, including
                  browsers, middleware server architectures, cell
                  phone operating systems, web application engines,
                  support third-party software extensions. This paper
                  proposes InvisiType, an object-oriented approach
                  that enables platform developers to efficiently
                  enforce fine-grained safety checks on third-party
                  extensions without requiring their cooperation.
                  This allows us to harness the true power of
                  third-party software by giving it access to
                  sensitive data while ensuring that it does not
                  leak data. In this approach, a platform developer
                  encapsulates all safety checks in a policy class
                  and selectively subjects objects at risk to these
                  policies. The runtime enforces these policies
                  simply by changing the types of these objects
                  dynamically. It uses the virtual method dispatch
                  mechanism to substitute the original methods and
                  operations with code laced with safety checks
                  efficiently. The runtime hides the type changes
                  from application code so the original code can run
                  unmodified. We have incorporated the notion of
                  InvisiType into the Python language. We have
                  applied the technique to 4 real-world Python web
                  applications totaling 156,000 lines of code.
                  InvisiType policies greatly enhance the security
                  of the web applications, including MoinMoin, a
                  popular, 94,000-line Wiki Engine. MoinMoin has a
                  large number of third-party extensions, which makes
                  security enforcement important. With less than 150
                  lines of Python code, we found 16 security bugs in
                  MoinMoin. This represents a significant reduction
                  in developers’ effort from a previous proposal,
                  Flume, which required 1,000 lines of C++ code and
                  modifications to 1,000 lines of Python code. Our
                  InvisiType policies successfully found 19
                  cross-site scripting vulnerabilities and 6 access
                  control errors in total. The overhead of applying
                  the policies is less than 4 percent, indicating
                  that the technique is practical.},
        URL = {http://www.truststc.org/pubs/734.html}
    }
    

Posted by Jessica Gamble on 3 May 2010.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.