SAFKASI: A security mechanism for language-based systems

Dan S. Wallach, Andrew W. Appel, Edward W. Felten

Research output: Contribution to journalArticlepeer-review

95 Scopus citations


In order to run untrusted code in the same process as trusted code, there must be a mechanism to allow dangerous calls to determine if their caller is authorized to exercise the privilege of using the dangerous routine. Java systems have adopted a technique called stack inspection to address this concern. But its original definition, in terms of searching stack frames, had an unclear relationship to the actual achievement of security, overconstrained the implementation of a Java system, limited many desirable optimizations such as method inlining and tail recursion, and generally interfered with interprocedural optimization. We present a new semantics for stack inspection based on a belief logic and its implementation using the calculus of security-passing style which addresses the concerns of traditional stack inspection. With security-passing style, we can efficiently represent the security context for any method activation, and we can build a new implementation strictly by rewriting the Java bytecodes before they are loaded by the system. No changes to the JVM or bytecode semantics are necessary. With a combination of static analysis and runtime optimizations, our prototype implementation shows reasonable performance (although traditional stack inspection is still faster), and is easier to consider for languages beyond Java. We call our system SAFKASI (the Security Architecture Formerly Known as Stack Inspection).

Original languageEnglish (US)
Pages (from-to)341-378
Number of pages38
JournalACM Transactions on Software Engineering and Methodology
Issue number4
StatePublished - Oct 2000

All Science Journal Classification (ASJC) codes

  • Software


  • D.1.5 [Programming Techniques]: Object-oriented Programming
  • D.2.0 [Software Engineering]: General - Protection mechanisms
  • D.3.2 [Programming Languages]: Language Classifications - Object-oriented languages


Dive into the research topics of 'SAFKASI: A security mechanism for language-based systems'. Together they form a unique fingerprint.

Cite this