Department of Computer
Science University of Virginia
Describing Resources |
This page is based on:
David Evans and Andrew Twyman. Policy-Directed Code Safety. 1999 IEEE Symposium on Security and Privacy, Oakland, California, May 9-12, 1999. Resource descriptions provide a way to identify resources and the ways in which they are manipulated. Examples of resources include a file system, a network connection, a system property, and a thread. Resource descriptions are platform independent, but may be used to describe platform specific resources such as the Windows registry. We describe resources by listing their operations and observers. Resource operations have no implementation - they are merely hooks for use in describing safety policies. The meaning of a resource operation is indicated by its associated documentation. The essential promise is that a transformed program will invoke the related resource operation with the correct arguments whenever the documented event would occur. It is up to the policy generator and platform interface to ensure that this is the case. RFileSystem is an example resource description that describes a resource corresponding to the file system. The global modifier indicates that only one RFileSystem instance exists for an execution. Resources declared without a global modifier are associated with a particular run-time object. Most of the RFileSystem operations take an RFile parameter, a resource object that identifies a particular file. Resource manipulations may be split into more than one resource operation, for example the reading is divided into preRead and postRead operations. This division allows more precise safety policies to be expressed, since some information, in this case the exact number of bytes read, may not be available until after the platform call is made. Pre-operations allow necessary safety checks to be performed before the action takes place, while post-operations can be used to maintain state and perform additional checks after the action has been completed and more information is available. Resource descriptions also define observers, functions that reveal some aspect of the state of a resource. We provide observers so that safety properties can determine information about a resource in a platform independent way. Resource descriptions must provide an implementation for every observer. Observers are often implemented using Naccio library functions that provide platform independent ways of accessing system state. For example, the RFileSystem.exists observer calls the fileExists library function to determine if the given file exists.
Next - Expressing Safety Policies
Naccio Home Page |