Understanding Java stack inspection

Dan S. Wallach, Edward W. Felten

Research output: Contribution to journalConference articlepeer-review

103 Scopus citations


Current implementations of Java make security decisions by searching the runtime call stack. These systems have attractive security properties, but they have been criticized as being dependent on specific artifacts of the Java implementation. This paper models the stack inspection algorithm in terms of a we!l-understood logic for access control and demonstrates how stack inspection is a useful tool for expressing and managing complex trust relationships. We show that an access control decision based on stack inspection corresponds to the construction of a proof in the logic, and we present an efficient decision procedure for generating these proofs. By examining the decision procedure, we demonstrate that many statements in the logic are. equivalent and can thus be expressed in a simpler form. We show that there are a finite number of such statements, allowing us to represent the security state of the system as a pushdown automaton. We also show that this automaton may be embedded in Java by rewriting all Java classes to pass an additional argument when a procedure is invoked. We call this security-passing style and describe its benefits over previous stack inspection systems. Finally, we show how the logic allows us to describe a straightforward design for extending stack inspection across remote procedure calls.

Original languageEnglish (US)
Pages (from-to)52-63
Number of pages12
JournalProceedings of the IEEE Computer Society Symposium on Research in Security and Privacy
StatePublished - Jan 1 1998
EventProceedings of the 1998 IEEE Symposium on Security and Privacy - Oakland, CA, USA
Duration: May 3 1998May 6 1998

All Science Journal Classification (ASJC) codes

  • Software


Dive into the research topics of 'Understanding Java stack inspection'. Together they form a unique fingerprint.

Cite this