DOI: 10.1145/949305.949339
Article

Saving the world from bad beans: deployment-time confinement checking

Published: 26 October 2003

Abstract

The Enterprise JavaBeans (EJB) framework requires developers to preserve architectural integrity constraints when writing EJB components. Breaking these constraints allows components to violate the transaction protocol, bypass security mechanisms, disable object persistence, and be susceptible to malicious attacks from other EJBs. We present an object confinement discipline that allows static verification of components' integrity as they are deployed into an EJB server. The confinement rules are simple for developers to understand, require no annotation to the code of EJB components, and can be efficiently enforced in existing EJB servers.
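The abstract's claim that a bean which breaks the framework's constraints can "bypass security mechanisms" rests on one concrete fact about EJB: every client call is supposed to arrive through a container-generated proxy (the EJBObject) that applies the transaction and access-control logic before the bean's code runs, so a bean that hands out a direct reference to itself lets callers skip that logic. The EJB specification therefore forbids a bean from passing `this` out and requires it to pass the result of `SessionContext.getEJBObject()` instead. The following Python model is an added illustration for this page, not code from the paper (whose checker works on the Java bytecode of real EJB components, and whose confinement rules are more than the single rule shown here). It assumes a toy container whose proxy performs a role check before each call, two constructed bean classes embedded as source text, and a static check that flags any bean method returning its own instance or passing it as an argument; `self` stands in for Java's `this`, and `ctx.proxy` for `getEJBObject()`.

```python
"""Model of EJB-style container interposition plus a deployment-time leak check.
Constructed illustration for this page; not the paper's checker and not EJB code."""
import ast

# Constructed sample components, held as source text because a deployment tool
# inspects the artifact rather than running it.  `self` plays Java's `this`;
# `ctx.proxy` plays SessionContext.getEJBObject().
BEAN_SOURCE = '''
class LeakyAccountBean:                 # bad bean: hands out its raw implementation object
    def __init__(self, ctx):
        self.ctx = ctx
        self.balance = 100
    def withdraw(self, amount):
        self.balance -= amount
        return self.balance
    def get_handle(self):
        return self                     # the leak: a reference that skips the container

class SafeAccountBean:                  # good bean: hands out the container's proxy only
    def __init__(self, ctx):
        self.ctx = ctx
        self.balance = 100
    def withdraw(self, amount):
        self.balance -= amount
        return self.balance
    def get_handle(self):
        return self.ctx.proxy           # later calls still pass through the container
'''
_ns = {}
exec(BEAN_SOURCE, _ns)
LeakyAccountBean, SafeAccountBean = _ns["LeakyAccountBean"], _ns["SafeAccountBean"]


def find_self_leaks(source):
    """Deployment-time static check needing no annotations: for every method of
    every class in `source`, report a `return` of the method's own instance or a
    call that passes that instance as an argument.  Returns a list of
    (class, method, reason); an empty list means the component is accepted."""
    leaks = []
    for cls in ast.walk(ast.parse(source)):
        if not isinstance(cls, ast.ClassDef):
            continue
        for fn in cls.body:
            if not isinstance(fn, ast.FunctionDef) or not fn.args.args:
                continue
            me = fn.args.args[0].arg            # the receiver parameter (`self`)
            for node in ast.walk(fn):
                if (isinstance(node, ast.Return) and isinstance(node.value, ast.Name)
                        and node.value.id == me):
                    leaks.append((cls.name, fn.name, "returns this"))
                elif isinstance(node, ast.Call):
                    args = list(node.args) + [k.value for k in node.keywords]
                    if any(isinstance(a, ast.Name) and a.id == me for a in args):
                        leaks.append((cls.name, fn.name, "passes this as an argument"))
    return leaks


class Container:
    """Stand-in for the EJB server.  Clients are only ever given `proxy`; each
    call through it is role-checked and logged before it reaches the bean."""

    def __init__(self, bean_cls, allowed_roles):
        self.allowed_roles = set(allowed_roles)
        self.principal = None                   # role of the current caller
        self.audit = []                         # (method, principal) pairs the container saw
        self.bean = bean_cls(ctx=self)
        self.proxy = self._make_proxy()

    def _make_proxy(self):
        container = self

        class Proxy:                            # plays the EJBObject handed to clients
            def __getattr__(self, name):
                def interposed(*args):
                    container.audit.append((name, container.principal))
                    if container.principal not in container.allowed_roles:
                        raise PermissionError(f"{container.principal!r} may not call {name}")
                    return getattr(container.bean, name)(*args)
                return interposed

        return Proxy()


def run_scenario(bean_cls):
    """Deploy the bean, let an authorized teller obtain a handle, then let an
    unauthorized guest use it.  Returns (guest_bypassed_check, balance, calls_seen)."""
    c = Container(bean_cls, allowed_roles={"teller"})
    c.principal = "teller"
    handle = c.proxy.get_handle()               # interposed; teller is allowed
    c.principal = "guest"                       # the handle is now in an unauthorized hand
    try:
        handle.withdraw(40)
        bypassed = True
    except PermissionError:
        bypassed = False
    return bypassed, c.bean.balance, len(c.audit)


if __name__ == "__main__":
    print("static check:", find_self_leaks(BEAN_SOURCE))
    for bean in (LeakyAccountBean, SafeAccountBean):
        print(bean.__name__, run_scenario(bean))
```

Run as a script to see both halves of the argument: the leaky bean's `withdraw` never appears in the container's audit trail, which is precisely why the role check is bypassed and the balance drops, while the safe bean's handle routes the guest's call back through the proxy and is refused. The static check rejects the leaky class from its source alone, before anything is instantiated, which is the deployment-time property the abstract is after; the real discipline has to reason about aliasing through fields, collections and callbacks as well, not just direct returns of `this`.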


Cited By

  • (2016) An Approach to Checking Consistency between UML Class Model and Its Java Implementation. IEEE Transactions on Software Engineering 42(4):322-344. DOI: 10.1109/TSE.2015.2488645. Online publication date: 1 Apr 2016.
  • (2013) Ownership types. In: Aliasing in Object-Oriented Programming, pages 15-58. DOI: 10.5555/2554511.2554516. Online publication date: 1 Jan 2013.
  • (2013) Are your incoming aliases really necessary? Counting the cost of object ownership. Proceedings of the 2013 International Conference on Software Engineering, pages 742-751. DOI: 10.5555/2486788.2486886. Online publication date: 18 May 2013.
  • (2012) Separating ownership topology and encapsulation with generic universe types. ACM Transactions on Programming Languages and Systems 33(6):1-62. DOI: 10.1145/2049706.2049709. Online publication date: 3 Jan 2012.
  • (2011) Ownership types for the join calculus. Proceedings of the joint 13th IFIP WG 6.1 and 30th IFIP WG 6.1 international conference on Formal techniques for distributed systems, pages 289-303. DOI: 10.5555/2022067.2022086. Online publication date: 6 Jun 2011.
  • (2009) OGJ gone wild. International Workshop on Aliasing, Confinement and Ownership in Object-Oriented Programming, pages 1-10. DOI: 10.1145/1562154.1562161. Online publication date: 6 Jul 2009.
  • (2008) Static verification of component composition in contextual composition frameworks. International Journal on Software Tools for Technology Transfer (STTT) 10(3):247-261. DOI: 10.5555/3220883.3220992. Online publication date: 1 Jun 2008.
  • (2008) Dynamic optimization for efficient strong atomicity. ACM SIGPLAN Notices 43(10):181-194. DOI: 10.1145/1449955.1449779. Online publication date: 19 Oct 2008.
  • (2008) Dynamic optimization for efficient strong atomicity. Proceedings of the 23rd ACM SIGPLAN conference on Object-oriented programming systems languages and applications, pages 181-194. DOI: 10.1145/1449764.1449779. Online publication date: 19 Oct 2008.
  • (2008) Implicit ownership types for memory management. Science of Computer Programming 71(3):213-241. DOI: 10.1016/j.scico.2008.04.007. Online publication date: 1 May 2008.

Published In

OOPSLA '03: Proceedings of the 18th annual ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications
October 2003, 430 pages
ISBN: 1581137125
DOI: 10.1145/949305

Also published in ACM SIGPLAN Notices, Volume 38, Issue 11 (Special Issue: Proceedings of the OOPSLA '03 conference)
November 2003, 417 pages
ISSN: 0362-1340, EISSN: 1558-1160
DOI: 10.1145/949343
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. confinement
  2. deployment tools
  3. enterprise JavaBeans

Qualifiers

  • Article

Conference

OOPSLA03

Acceptance Rates

OOPSLA '03 Paper Acceptance Rate 26 of 147 submissions, 18%;
Overall Acceptance Rate 268 of 1,244 submissions, 22%

Article Metrics

  • Downloads (Last 12 months)0
  • Downloads (Last 6 weeks)0
Reflects downloads up to 16 Nov 2024
