In order to run untrusted code in the same process as trusted code, there must be a mechanism to allow dangerous calls to determine if their caller is authorized to exercise the privilege of using the dangerous routine. Java systems have adopted a technique called stack inspection to address this concern. But its original definition, in terms of searching stack frames, had an unclear relationship to the actual achievement of security, overconstrained the implementation of a Java system, limited many desirable optimizations such as method inlining and tail recursion, and generally interfered with interprocedural optimization. We present a new semantics for stack inspection based on a belief logic and its implementation using the calculus of security-passing style which addresses the concerns of traditional stack inspection. With security-passing style, we can efficiently represent the security context for any method activation, and we can build a new implementation strictly by rewriting the Java bytecodes before they are loaded by the system. No changes to the JVM or bytecode semantics are necessary. With a combination of static analysis and runtime optimizations, our prototype implementation shows reasonable performance (although traditional stack inspection is still faster), and is easier to consider for languages beyond Java. We call our system SAFKASI (the Security Architecture Formerly Known as Stack Inspection).
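As an added illustration, not code from the SAFKASI paper or its prototype, the following Python model contrasts the two semantics the abstract describes: the classic frame-walking check, and a security-passing-style check in which each method activation carries a precomputed security context, so that a privilege check becomes a set lookup with no stack search. The principals (`system`, `applet`), their permissions, and the call traces are constructed for this example; the belief-logic formulation of the paper is simplified here to set intersection (on calls) and set union (on enabling a privilege the principal actually holds). The traces include the case a practitioner most wants to see: a privilege enabled by trusted code does not survive a call through an untrusted frame.

```python
"""Two semantics for stack inspection, run side by side on constructed traces.

check_by_inspection: the traditional search over stack frames.
check_by_context:    security-passing style, where the context travels with
                     each activation and the check is a set lookup.
run_trace compares them on every 'check' event of a trace.
"""
from dataclasses import dataclass, field

# Constructed example: static permissions granted to each code principal.
PERMISSIONS = {
    "system": frozenset({"file.read", "file.write", "net.connect"}),
    "applet": frozenset({"net.connect"}),
}


@dataclass
class Frame:
    principal: str
    enabled: set = field(default_factory=set)  # privileges enabled in this frame
    context: frozenset = frozenset()           # security-passing-style context


def check_by_inspection(stack, target):
    """Classic stack inspection: walk frames from most recent to oldest.
    A frame whose principal lacks the privilege denies it; a frame that
    enabled the privilege grants it; reaching the bottom of the stack grants."""
    for frame in reversed(stack):
        if target not in PERMISSIONS[frame.principal]:
            return False
        if target in frame.enabled:
            return True
    return True


def check_by_context(stack, target):
    """Security-passing style: the answer is already in the current frame."""
    return target in stack[-1].context


def run_trace(trace):
    """Execute call/enable/return/check events under both semantics.
    Returns one (inspection_result, context_result) pair per 'check' event."""
    stack = []
    results = []
    for op, *args in trace:
        if op == "call":
            principal = args[0]
            caller_ctx = stack[-1].context if stack else PERMISSIONS[principal]
            # Callee context = caller context intersected with the callee's own rights,
            # so a privilege can only remain if every frame on the path holds it.
            stack.append(Frame(principal, context=caller_ctx & PERMISSIONS[principal]))
        elif op == "enable":
            priv, frame = args[0], stack[-1]
            if priv in PERMISSIONS[frame.principal]:  # cannot enable a right you lack
                frame.enabled.add(priv)
                frame.context = frame.context | {priv}
        elif op == "return":
            stack.pop()
        elif op == "check":
            priv = args[0]
            results.append((check_by_inspection(stack, priv), check_by_context(stack, priv)))
        else:
            raise ValueError(f"unknown trace event: {op}")
    return results


def models_agree(trace):
    """True when both semantics give the same verdict on every check."""
    return all(a == b for a, b in run_trace(trace))


# Constructed traces covering the interesting cases.
SCENARIOS = {
    # Trusted code enables a right on behalf of an untrusted caller, then returns.
    "enable_then_return": [("call", "applet"), ("call", "system"),
                           ("enable", "file.read"), ("check", "file.read"),
                           ("return",), ("check", "file.read")],
    # An enabled right does not flow through an untrusted frame back into trusted code.
    "no_flow_through_untrusted": [("call", "system"), ("enable", "file.read"),
                                  ("call", "applet"), ("call", "system"),
                                  ("check", "file.read")],
    # Without enabling, only rights held by every frame on the stack are granted.
    "intersection_only": [("call", "applet"), ("call", "system"),
                          ("check", "file.write"), ("check", "net.connect")],
    # Untrusted code cannot enable a right it was never granted.
    "enable_without_right": [("call", "applet"), ("enable", "file.read"),
                             ("call", "system"), ("check", "file.read")],
}

if __name__ == "__main__":
    for name, trace in SCENARIOS.items():
        print(name, run_trace(trace), "agree" if models_agree(trace) else "DISAGREE")
```

The point of the model is the cost profile the abstract refers to: `check_by_inspection` does work proportional to stack depth on every check and needs the frames to exist as frames, whereas `check_by_context` pays a set intersection per call (which the paper's static analysis and runtime optimizations aim to elide) and then answers each check in constant time from state that is ordinary data passed between methods, which is why the transformation can be done by bytecode rewriting alone.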