Summary: Built-in Object Security
Martín Abadi
Computer Science Department
University of California, Santa Cruz
abadi@cs.ucsc.edu
Modern programming languages and systems provide much support for security.
Through strong typing, they can substantially reduce the opportunities for
low-level coding errors that could result in buffer overflows and other
vulnerabilities. They also allow protection by encapsulation and the treatment
of objects as unforgeable capabilities. In addition, they sometimes include rich
security infrastructures, for example libraries for authentication and authorization.
Although common programming languages are not primarily concerned with
security, language definitions can be the basis for security guarantees. A language
specification may imply, for instance, that object references are unguessable. An
implementation may resort to cryptography in order to enforce this property
and others built into the language.
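
An added example, not part of the original summary: one way an implementation can use cryptography to keep exported object references unguessable. The names Exporter and ForgedReference are hypothetical, and HMAC-SHA256 is an assumed choice; the summary does not name a construction.

```python
import hashlib
import hmac
import secrets


class ForgedReference(Exception):
    """Raised when a presented reference was not issued by this exporter."""


class Exporter:
    """Hands out references to local objects as "<id>.<MAC>" strings.

    Object ids are small and sequential, hence guessable. The HMAC tag,
    computed under a key that never leaves the exporter, is what makes a
    reference unforgeable by code that only sees references it was given.
    """

    def __init__(self):
        self._key = secrets.token_bytes(32)  # per-exporter secret
        self._objects = {}                   # id -> local object

    def _tag(self, oid: int) -> bytes:
        msg = oid.to_bytes(8, "big")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def export(self, obj) -> str:
        """Register obj and return the reference to give to a remote party."""
        oid = len(self._objects)
        self._objects[oid] = obj
        return f"{oid}.{self._tag(oid).hex()}"

    def resolve(self, ref: str):
        """Return the object for ref, or raise ForgedReference."""
        try:
            oid_text, tag_hex = ref.split(".")
            oid, tag = int(oid_text), bytes.fromhex(tag_hex)
        except ValueError:
            raise ForgedReference("malformed reference") from None
        # compare_digest avoids leaking how many tag bytes matched.
        if oid not in self._objects or not hmac.compare_digest(tag, self._tag(oid)):
            raise ForgedReference("reference not issued by this exporter")
        return self._objects[oid]
```

Holding a valid reference to one object gives no help in constructing a reference to another, which is the capability property the language-level guarantee promises.
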
Conversely, for better or for worse, security machinery can have a significant
effect on language semantics and implementations, even when it is regarded as
an add-on. For instance, access-control techniques that depend on the contents
of the execution stack give an observable role to the stack, affecting program