{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2024,2,9]],"date-time":"2024-02-09T23:29:28Z","timestamp":1707521368443},"reference-count":57,"publisher":"Cambridge University Press (CUP)","issue":"2","license":[{"start":{"date-parts":[[2010,9,22]],"date-time":"2010-09-22T00:00:00Z","timestamp":1285113600000},"content-version":"unspecified","delay-in-days":0,"URL":"https:\/\/www.cambridge.org\/core\/terms"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["J. Funct. Prog."],"published-print":{"date-parts":[[2011,3]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Behavioral type and effect systems regulate properties such as adherence to object and communication protocols, dynamic security policies, avoidance of race conditions, and many others. Typically, each system is based on some specific syntax of constraints, and is checked with an<jats:italic>ad hoc<\/jats:italic>solver. Instead, we advocate types refined with first-order logic formulas as a basis for behavioral type systems, and general purpose automated theorem provers as an effective means of checking programs. To illustrate this approach, we define a triple of security-related type systems: for role-based access control, for stack inspection, and for history-based access control. The three are all instances of a refined state monad. Our semantics allows a precise comparison of the similarities and differences of these mechanisms. In our examples, the benefit of behavioral type-checking is to rule out the possibility of unexpected security exceptions, a common problem with code-based access control.<\/jats:p>","DOI":"10.1017\/s0956796810000134","type":"journal-article","created":{"date-parts":[[2010,9,22]],"date-time":"2010-09-22T13:42:55Z","timestamp":1285162975000},"page":"159-207","source":"Crossref","is-referenced-by-count":5,"title":["Roles, stacks, histories: A triple for Hoare"],"prefix":"10.1017","volume":"21","author":[{"given":"JOHANNES","family":"BORGSTR\u00d6M","sequence":"first","affiliation":[]},{"given":"ANDREW D.","family":"GORDON","sequence":"additional","affiliation":[]},{"given":"RICCARDO","family":"PUCELLA","sequence":"additional","affiliation":[]}],"member":"56","published-online":{"date-parts":[[2010,9,22]]},"reference":[{"key":"S0956796810000134_ref53","doi-asserted-by":"publisher","DOI":"10.1109\/2.485845"},{"key":"S0956796810000134_ref50","first-page":"159","volume-title":"Programming Language Design and Implementation (PLDI'08)","author":"Rondon","year":"2008"},{"key":"S0956796810000134_ref12","volume-title":"Roles, Stacks, Histories: A Triple for Hoare","author":"Borgstr\u00f6m","year":"2009"},{"key":"S0956796810000134_ref10","doi-asserted-by":"crossref","unstructured":"Bengtson J. , Bhargavan K. , Fournet C. , Gordon A. D. & Maffeis S. 2008 Refinement Types for Secure Implementations. Technical Report MSR\u2013TR\u20132008\u2013118, Microsoft Research (a preliminary, abridged version appears in the proceedings of Computer Security Foundations Symposium 2008).","DOI":"10.1109\/CSF.2008.27"},{"key":"S0956796810000134_ref47","doi-asserted-by":"publisher","DOI":"10.1145\/1057387.1057392"},{"key":"S0956796810000134_ref33","volume-title":"Semantics of Programming Languages","author":"Gunter","year":"1992"},{"key":"S0956796810000134_ref32","unstructured":"Gronski J. , Knowles K. , Tomb A. , Freund S. N. & Flanagan C. (2006) Sage: Hybrid checking for flexible specifications. In Scheme and Functional Programming Workshop, Findler R. (ed), pp. 93\u2013104."},{"key":"S0956796810000134_ref29","volume-title":"Inside Java 2 Platform Security: Architecture, API Design, and Implementation","author":"Gong","year":"1999"},{"key":"S0956796810000134_ref36","first-page":"505","volume-title":"European Symposium on Programming (ESOP'07)","author":"Knowles","year":"2007"},{"key":"S0956796810000134_ref55","doi-asserted-by":"publisher","DOI":"10.1017\/S0960129500001560"},{"key":"S0956796810000134_ref48","unstructured":"Ranise S. & Tinelli C. (2006) The SMT-LIB Standard: Version 1.2. [online]. Accessed August 13, 2010. Available at: http:\/\/goedel.cs.uiowa.edu\/smtlib\/papers.html"},{"key":"S0956796810000134_ref43","doi-asserted-by":"crossref","first-page":"409","DOI":"10.1017\/S096012950007002X","article-title":"Typing and subtyping for mobile processes","volume":"6","author":"Pierce","year":"1996","journal-title":"Math. Struct. Comput. Sci."},{"key":"S0956796810000134_ref44","doi-asserted-by":"crossref","unstructured":"Pistoia M. , Banerjee A. & Naumann D. (2007a) Beyond stack inspection: A unified access-control and information-flow security model. In IEEE Security and Privacy, pp. 149\u2013163.","DOI":"10.1109\/SP.2007.10"},{"key":"S0956796810000134_ref19","unstructured":"Ferraiolo D. F. & Kuhn D. R. (1992) Role based access control. In National Computer Security Conference, pp. 554\u2013563."},{"key":"S0956796810000134_ref25","first-page":"141","volume-title":"European Symposium on Programming (ESOP'05)","author":"Fournet","year":"2005"},{"key":"S0956796810000134_ref35","doi-asserted-by":"publisher","DOI":"10.1145\/1411204.1411212"},{"key":"S0956796810000134_ref39","doi-asserted-by":"publisher","DOI":"10.1016\/0890-5401(91)90052-4"},{"key":"S0956796810000134_ref18","unstructured":"Dutertre B. & de Moura L. (2006) The YICES SMT solver [online]. Accessed August 13, 2010. Available at: http:\/\/yices.csl.sri.com\/tool-paper.pdf"},{"key":"S0956796810000134_ref49","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-70594-9_17"},{"key":"S0956796810000134_ref6","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-30569-9_2"},{"key":"S0956796810000134_ref37","unstructured":"Li N. , Mitchell J. C. & Winsborough W. H. (2002) Design of a role-based trust management framework. In IEEE Security and Privacy, pp. 114\u2013130."},{"key":"S0956796810000134_ref17","doi-asserted-by":"publisher","DOI":"10.1145\/1066100.1066102"},{"key":"S0956796810000134_ref4","doi-asserted-by":"publisher","DOI":"10.1016\/S0304-3975(00)00175-4"},{"key":"S0956796810000134_ref1","doi-asserted-by":"crossref","unstructured":"Abadi M. (2006) Access control in a core calculus of dependency. In International Conference on Functional Programming (ICFP'06), pp. 263\u2013273.","DOI":"10.1145\/1159803.1159839"},{"key":"S0956796810000134_ref51","doi-asserted-by":"publisher","DOI":"10.1109\/32.713327"},{"key":"S0956796810000134_ref46","volume-title":"Denotational Semantics with Partial Functions","author":"Plotkin","year":"1985"},{"key":"S0956796810000134_ref15","unstructured":"DeLine R. & F\u00e4hndrich M. (2001) Enforcing high-level protocols in low-level software. In Programming Language Design and Implementation (PLDI'01), pp. 59\u201369."},{"key":"S0956796810000134_ref42","volume-title":"Programming in Martin-L\u00f6f's type Theory","author":"Nordstr\u00f6m","year":"1990"},{"key":"S0956796810000134_ref9","unstructured":"Becker M. Y. & Sewell P. (2004) Cassandra: Flexible trust management, applied to electronic health records. In IEEE Computer Security Foundations Workshop (CSFW'04), pp. 139\u2013154."},{"key":"S0956796810000134_ref38","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-88313-5_36"},{"key":"S0956796810000134_ref5","doi-asserted-by":"publisher","DOI":"10.1017\/S095679680900728X"},{"key":"S0956796810000134_ref24","doi-asserted-by":"publisher","DOI":"10.1145\/641909.641912"},{"key":"S0956796810000134_ref28","unstructured":"Gifford D. & Lucassen J. (1986) Integrating functional and imperative programming. In ACM Conference on Lisp and Functional Programming, pp. 28\u201338."},{"key":"S0956796810000134_ref21","first-page":"78","volume-title":"Selected papers from the International Workshop on Types for Proofs and Programs (TYPES '98)","author":"Filli\u00e2tre","year":"1999"},{"key":"S0956796810000134_ref11","doi-asserted-by":"crossref","unstructured":"Besson F. , Blanc T , Fournet C. & Gordon A. D. (2004) From stack inspection to access control: A security analysis for libraries. In IEEE Computer Security Foundations Workshop (CSFW'04), pp. 61\u201377.","DOI":"10.1109\/CSFW.2004.1310732"},{"key":"S0956796810000134_ref45","doi-asserted-by":"publisher","DOI":"10.1147\/sj.462.0265"},{"key":"S0956796810000134_ref2","doi-asserted-by":"publisher","DOI":"10.1145\/155183.155225"},{"key":"S0956796810000134_ref20","first-page":"15","volume-title":"International Conference on Formal Engineering Methods (ICFEM 2004)","author":"Filli\u00e2tre","year":"2004"},{"key":"S0956796810000134_ref41","doi-asserted-by":"publisher","DOI":"10.1145\/1411204.1411237"},{"key":"S0956796810000134_ref8","first-page":"203","volume-title":"European Symposium on Research in Computer Security (ESORICS'07)","author":"Becker","year":"2007"},{"key":"S0956796810000134_ref23","first-page":"91","volume-title":"European Symposium on Programming (ESOP'99)","author":"Flanagan","year":"1999"},{"key":"S0956796810000134_ref22","doi-asserted-by":"crossref","unstructured":"Flanagan C. (2006) Hybrid type checking. In ACM Symposium on Principles of Programming Languages (POPL'06), pp. 245\u2013256.","DOI":"10.1145\/1111037.1111059"},{"key":"S0956796810000134_ref52","doi-asserted-by":"publisher","DOI":"10.1007\/BF01019462"},{"key":"S0956796810000134_ref40","doi-asserted-by":"publisher","DOI":"10.1145\/1159803.1159812"},{"key":"S0956796810000134_ref31","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-2003-11402"},{"key":"S0956796810000134_ref3","first-page":"107","volume-title":"Network and Distributed System Security Symposium (NDSS'03)","author":"Abadi","year":"2003"},{"key":"S0956796810000134_ref54","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.1986.6312929"},{"key":"S0956796810000134_ref56","doi-asserted-by":"publisher","DOI":"10.1145\/363516.363520"},{"key":"S0956796810000134_ref13","first-page":"45","volume-title":"Foundations of Logic and Functional Programming","author":"Cardelli","year":"1986"},{"key":"S0956796810000134_ref14","volume-title":"Implementing Mathematics with the Nuprl Proof Development system","author":"Constable","year":"1986"},{"key":"S0956796810000134_ref34","doi-asserted-by":"publisher","DOI":"10.1145\/54289.871709"},{"key":"S0956796810000134_ref7","doi-asserted-by":"publisher","DOI":"10.1017\/S0956796804005453"},{"key":"S0956796810000134_ref16","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-78800-3_24"},{"key":"S0956796810000134_ref26","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2007.7"},{"key":"S0956796810000134_ref27","first-page":"268","volume-title":"Programming Language Design and Implementation (PLDI'91)","author":"Freeman","year":"1991"},{"key":"S0956796810000134_ref57","unstructured":"Xi H. & Pfenning F. (1999) Dependent types in practical programming. In Principles of Programming Languages (POPL'99), pp. 214\u2013227."},{"key":"S0956796810000134_ref30","volume-title":"Principles and Applications of Refinement Types","author":"Gordon","year":"2009"}],"container-title":["Journal of Functional Programming"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.cambridge.org\/core\/services\/aop-cambridge-core\/content\/view\/S0956796810000134","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,6,5]],"date-time":"2019-06-05T00:44:46Z","timestamp":1559695486000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.cambridge.org\/core\/product\/identifier\/S0956796810000134\/type\/journal_article"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2010,9,22]]},"references-count":57,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2011,3]]}},"alternative-id":["S0956796810000134"],"URL":"https:\/\/doi.org\/10.1017\/s0956796810000134","relation":{},"ISSN":["0956-7968","1469-7653"],"issn-type":[{"value":"0956-7968","type":"print"},{"value":"1469-7653","type":"electronic"}],"subject":[],"published":{"date-parts":[[2010,9,22]]}}}