
Now showing items 1 - 16 of 31790

  • Isolating untrusted software extensions by custom scoping rules

    Fong, Philip W. L.   Orr, Simon  

    In a modern programming language, scoping rules determine the visibility of names in various regions of a program. In this work, we examine the idea of allowing an application developer to customize the scoping rules of its underlying language. We demonstrate that such an ability can serve as the cornerstone of a security architecture for dynamically extensible systems. A run-time module system, IsoMod, is proposed for the Java platform to facilitate software isolation. A core application may create namespaces dynamically and impose arbitrary name visibility policies (i.e., scoping rules) to control whether a name is visible, to whom it is visible, and in what way it can be accessed. Because IsoMod exercises name visibility control at load time, loaded code runs at full speed. Furthermore, because IsoMod access control policies are maintained separately, they evolve independently from core application code. In addition, the IsoMod policy language provides a declarative means for expressing a very general form of visibility constraints. Not only can the IsoMod policy language simulate a sizable subset of permissions in the Java 2 security architecture, it does so with policies that are robust to changes in software configurations. The IsoMod policy language is also expressive enough to completely encode a capability type system known as Discretionary Capability Confinement. In spite of its expressiveness, the IsoMod policy language admits an efficient implementation strategy. Name visibility control in the style of IsoMod is therefore a lightweight access control mechanism for Java-style language environments. (C) 2009 Elsevier Ltd. All rights reserved.
  • Reasoning about safety properties in a JVM-like environment

    Fong, Philip W. L.  

    Type-based protection mechanisms in a JVM-like environment must be administrated by the code consumer at the bytecode level. Unfortunately, formulating a sound static type system for the full JVM bytecode language can be a daunting task. It is therefore counter-productive for the designer of a bytecode-level type system to address the full complexity of the VM environment in the early stage of design. In this work, a lightweight modelling tool, Featherweight JVM, is proposed to facilitate the early evaluation of bytecode-level, type-based protection mechanisms and, specifically, their ability to enforce security-motivated stack invariants and confinement properties. Rather than modelling the execution of a specific bytecode stream, Featherweight JVM is a nondeterministic event model that captures all the possible access event sequences that may be generated by a JVM-like environment when well-typed bytecode programs are executed. The effect of deploying a type-based protection mechanism can be modelled by a safety policy that constrains the event sequences produced by the VM model. To evaluate the effectiveness of the protection mechanism, security theorems in the form of state invariants can then be proved in the policy-guarded VM model. To demonstrate the utility of the proposed approach, Vitek et al.'s Confined Types has been formulated as a safety policy for the Featherweight JVM, and a corresponding confinement theorem has been established. To reduce class loading overhead, a capability-based reformulation of Confined Types is then studied, and is shown to preserve the confinement theorem. This paper thus provides first evidence on the utility of Featherweight JVM in providing early feedback to the designer of type-based protection mechanisms for JVM-like environments. (c) 2007 Elsevier B.V. All rights reserved.
  • A module system for isolating untrusted software extensions

    Fong, Philip W. L.   Orr, Simon A.  

    With the recent advent of dynamically extensible software systems, in which software extensions may be dynamically loaded into the address space of a core application to augment its capabilities, there is a growing interest in protection mechanisms that can isolate untrusted software components from a host application. Existing language-based environments such as the JVM and the CLI achieve software isolation by an interposition mechanism known as stack inspection. Expressive as it is, stack inspection is known to lack declarative characterization and is brittle in the face of evolving software configurations. A run-time module system, ISOMOD, is proposed for the Java platform to facilitate software isolation. A core application may create namespaces dynamically and impose arbitrary name visibility policies to control whether a name is visible, to whom it is visible, and in what way it can be accessed. Because ISOMOD exercises name visibility control at load time, loaded code runs at full speed. Furthermore, because ISOMOD access control policies are maintained separately, they evolve independently from core application code. In addition, the ISOMOD policy language provides a declarative means for expressing a very general form of visibility constraints. Not only can the ISOMOD policy language simulate a sizable subset of permissions in the Java 2 security architecture, it does so with policies that are robust to changes in software configurations. The ISOMOD policy language is also expressive enough to completely encode a capability type system known as Discretionary Capability Confinement. In spite of its expressiveness, the ISOMOD policy language admits an efficient implementation strategy. In short, ISOMOD avoids the technical difficulties of interposition by trading off an acceptable level of expressiveness. Name visibility control in the style of ISOMOD is therefore a lightweight alternative to interposition.
  • Preventing Sybil Attacks by Privilege Attenuation: A Design Principle for Social Network Systems

    Fong, Philip W. L.  

    In Facebook-style Social Network Systems (FSNSs), which are a generalization of the access control model of Facebook, an access control policy specifies a graph-theoretic relationship between the resource owner and resource accessor that must hold in the social graph in order for access to be granted. Pseudonymous identities may collude to alter the topology of the social graph and gain access that would otherwise be forbidden. We formalize Denning's Principle of Privilege Attenuation (POPA) as a run-time property, and demonstrate that it is a necessary and sufficient condition for preventing the above form of Sybil attacks. A static policy analysis is then devised for verifying that an FSNS is POPA compliant (and thus Sybil free). The static analysis is proven to be both sound and complete. We also extend our analysis to cover a peculiar feature of FSNS, namely, what Fong et al. dubbed Stage-I Authorization. We discuss the anomalies resulting from this extension, and point out the need to redesign Stage-I Authorization to support a rational POPA-compliance analysis.
  • Proof linking

    Fong, Philip W. L.   Cameron, Robert D.  

  • Proof linking: modular verification of mobile programs in the presence of lazy, dynamic linking

    Fong, Philip W. L.   Cameron, Robert D.  

    Although mobile code systems typically employ link-time code verifiers to protect host computers from potentially malicious code, implementation flaws in the verifiers may still leave the host system vulnerable to attack. Compounding the inherent complexity of the verification algorithms themselves, the need to support lazy, dynamic linking in mobile code systems typically leads to architectures that exhibit strong interdependencies between the loader, the verifier, and the linker. To simplify verifier construction and provide improved assurances of verifier integrity, we propose a modular architecture based on the concept of proof linking. This architecture encapsulates the verification process and removes dependencies between the loader, the verifier, and the linker. We also formally model the process of proof linking and establish properties to which correct implementations must conform. As an example, we instantiate our architecture for the problem of Java bytecode verification and assess the correctness of this instantiation. Finally, we briefly discuss alternative mobile code verification architectures enabled by the proof-linking concept.
  • Philip W. Anderson (1923–2020)

    Lee, Patrick A.; Ong, N. Phuan  

  • The photograph of PHILIP W. MAJERUS

  • Philip Hieter: 2018 George W. Beadle Award

    Haloupek, Nicole  

    The Genetics Society of America's (GSA) George W. Beadle Award honors individuals who have made outstanding contributions to the community of genetics researchers and who exemplify the qualities of its namesake. For his work fostering communication and collaboration among members of the many subfields of genetics, Philip Hieter of the University of British Columbia has been named 2018's recipient of the award. Among his contributions are many initiatives that aim to better link human and model organism geneticists, including the Canadian Rare Diseases Models and Mechanisms Network-a consortium that connects investigators who identify rare disease genes in humans to basic scientists who can study the genes in model organisms.
  • In Memoriam: Philip W. Brickner, MD

    Lechich, Anthony  

  • Philip W. Ralls, MD

    Jeffrey, R. Brooke  

  • $\mathcal{W}$ algebras are $L_\infty$ algebras

    Blumenhagen, Ralph; Fuchs, Michael; Traube, Matthias  

    It is shown that the closure of the infinitesimal symmetry transformations underlying classical $\mathcal{W}$ algebras gives rise to $L_\infty$ algebras with, in general, field-dependent gauge parameters. Therefore, the class of well-understood $\mathcal{W}$ algebras provides highly nontrivial examples of such strong homotopy Lie algebras. We develop the general formalism for this correspondence and apply it explicitly to the classical $\mathcal{W}_3$ algebra.
  • Philip L. Pearce: foundation professor of tourism

    Filep, Sebastian   Benckendorff, Pierre  

  • Reply from Ryan L. Hoiland and Philip N. Ainslie

    Hoiland, Ryan L.   Ainslie, Philip N.  

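The load-time name visibility control described in the two IsoMod entries above ("Isolating untrusted software extensions by custom scoping rules" and "A module system for isolating untrusted software extensions"), as an added illustration in Java. This is not IsoMod's own code or policy language: it is a class loader that consults a per-namespace visibility policy when an extension's class references are resolved, so that a hidden name simply fails to link and no per-call check remains in the loaded code. The namespace name, the entry syntax (a trailing "." marks a package prefix, anything else is an exact class name) and the com.example.api host API package are assumptions made for this example.

```java
import java.util.List;

/**
 * A namespace that applies a name-visibility policy when classes are resolved.
 * Hypothetical illustration of load-time visibility control; not IsoMod's implementation.
 * Classes defined by this loader resolve every symbolic reference through loadClass(),
 * so the policy is consulted once at link time and the resolved code then runs at full
 * speed with no per-call checks, unlike stack inspection.
 */
public final class IsolatedNamespace extends ClassLoader {
    private final String namespace;
    private final List<String> visible; // entries ending in "." are package prefixes, otherwise exact class names
    private final List<String> hidden;  // same syntax; a hidden entry overrides a visible one

    public IsolatedNamespace(String namespace, List<String> visible, List<String> hidden, ClassLoader parent) {
        super(parent);
        this.namespace = namespace;
        this.visible = List.copyOf(visible);
        this.hidden = List.copyOf(hidden);
    }

    /** A trailing "." matches a whole package subtree; anything else must match exactly,
     *  so hiding "java.lang.Runtime" does not accidentally hide java.lang.RuntimeException. */
    private static boolean matches(String entry, String className) {
        return entry.endsWith(".") ? className.startsWith(entry) : className.equals(entry);
    }

    /** The policy decision, kept free of side effects so it can be tested without loading anything. */
    public boolean isVisible(String className) {
        for (String h : hidden) {
            if (matches(h, className)) return false;
        }
        for (String v : visible) {
            if (matches(v, className)) return true;
        }
        return false;
    }

    @Override
    protected Class<?> loadClass(String className, boolean resolve) throws ClassNotFoundException {
        if (!isVisible(className)) {
            // To code in this namespace the name does not exist: the reference fails to link.
            throw new ClassNotFoundException(
                "'" + className + "' is not visible in namespace '" + namespace + "'");
        }
        return super.loadClass(className, resolve); // normal parent delegation for visible names
    }

    public static void main(String[] args) throws Exception {
        IsolatedNamespace plugins = new IsolatedNamespace(
            "plugins",
            // com.example.api is a hypothetical host API package the extension is meant to use
            List.of("java.lang.", "java.util.", "com.example.api."),
            List.of("java.lang.Runtime", "java.lang.ProcessBuilder", "java.lang.System",
                    "java.lang.reflect.", "java.lang.invoke."),
            IsolatedNamespace.class.getClassLoader());

        // Visible names resolve normally through the parent.
        System.out.println(plugins.loadClass("java.util.ArrayList").getName());
        // Exact-match deny on java.lang.Runtime leaves java.lang.RuntimeException visible.
        System.out.println(plugins.loadClass("java.lang.RuntimeException").getName());
        // A hidden name fails at resolution time, before any extension code runs.
        try {
            Class.forName("java.lang.Runtime", true, plugins);
        } catch (ClassNotFoundException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Two caveats a practitioner should keep in mind. Only references made by classes this loader defines are mediated; classes the parent loader has already loaded resolve their own references through the parent, which is why the visibility list must be drawn narrowly around what the extension may name. And name visibility controls what code can name, not what objects it can reach: an extension that holds any object can call `getClass()` on it and use `java.lang.reflect` to invoke methods without ever naming the type, so the reflection and method-handle packages are hidden above alongside `Runtime` and `ProcessBuilder`. A real module system would also override `findClass` to define the extension's bytecode in this namespace; the delegation path alone is shown here.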