Lambda-RBAC: Programming with Role-Based Access Control

We study mechanisms that permit program components to express role constraints on clients, focusing on programmatic security mechanisms, which permit access controls to be expressed, in situ, as part of the code realizing basic functionality. In this…


Logical Methods in Computer Science, Vol. 4 (1:2) 2008, pp. 1–24. www.lmcs-online.org. Submitted Nov. 21, 2006; published Jan. 9, 2008.

λ-RBAC: PROGRAMMING WITH ROLE-BASED ACCESS CONTROL

RADHA JAGADEESAN (a), ALAN JEFFREY (b), CORIN PITCHER (c), AND JAMES RIELY (d)

(a, c, d) CTI, DePaul University. E-mail address: {rjagadeesan,pitcher,jriely}@cti.depaul.edu
(b) Bell Labs. E-mail address: ajeffrey@bell-labs.com

Abstract. We study mechanisms that permit program components to express role constraints on clients, focusing on programmatic security mechanisms, which permit access controls to be expressed, in situ, as part of the code realizing basic functionality. In this setting, two questions immediately arise. (1) The user of a component faces the issue of safety: is a particular role sufficient to use the component? (2) The component designer faces the dual issue of protection: is a particular role demanded in all execution paths of the component? We provide a formal calculus and static analysis to answer both questions.

1. Introduction

This paper addresses programmatic security mechanisms as realized in systems such as Java Authentication and Authorization Service (JAAS) and .NET. These systems enable two forms of access control mechanisms [1]. First, they permit declarative access control to describe security specifications that are orthogonal and separate from descriptions of functionality, e.g., in an interface I, a declarative access control mechanism could require the caller to possess a minimum set of rights. While conceptually elegant, such specifications do not directly permit the enforcement of access control that is sensitive to the control and dataflow of the code implementing the functionality; consider for example history-sensitive security policies that require run-time monitoring of relevant events.
Consequently, JAAS and .NET also include programmatic mechanisms that permit access control code to be intertwined with functionality code, e.g., in the code of a component implementing interface I. On the one hand, such programmatic mechanisms permit the direct expression of access control policies. However, the programmatic approach leads to the commingling of the conceptually separate concerns of security and functionality.

1998 ACM Subject Classification: D.3, K.6.5.
Key words and phrases: role-based access control, lambda-calculus, static analysis.
(a, c) Radha Jagadeesan and Corin Pitcher were supported in part by NSF CyberTrust 0430175.
(d) James Riely was supported in part by NSF CAREER 0347542.
[1] In this paper, we discuss only authorization mechanisms, ignoring the authentication mechanisms that are also part of these infrastructures.

LOGICAL METHODS IN COMPUTER SCIENCE. DOI:10.2168/LMCS-4 (1:2) 2008. © R. Jagadeesan, A. Jeffrey, C. Pitcher, and J. Riely. CC Creative Commons.

There is extensive literature on policy languages to specify and implement policies (e.g., [16, 28, 15, 5, 29, 13] to name but a few). This research studies security policies as separate and orthogonal additions to component code, and is thus focused on declarative security in the parlance of JAAS/.NET. In contrast, we study programmatic security mechanisms. Our motivation is to extract the security guarantees provided by access control code which has been written inline with component code. We address this issue from two viewpoints:

• The user of a component faces the issue of safety: is a particular set of rights sufficient to use the component? (I.e., with that set of rights, there is no possible execution path that would fail a security check. Furthermore, any greater set of rights will also be allowed to use the component.)

• The component designer faces the dual issue of protection: is a particular set of rights demanded in all execution paths of the component? (I.e., every execution path requires that set of rights. Furthermore, any lesser set of rights will not be allowed to use the component.)

The main contribution of this paper is separate static analyses to calculate approximations to these two questions. An approximate answer to the first question is a set of rights, perhaps bigger than necessary, that is sufficient to use the component. On the other hand, an approximate answer to the second question is a set of rights, perhaps smaller than what is actually enforced, that is necessary to use the component.

1.1. An overview of our technical contributions. There is extensive literature on Role-Based Access-Control (RBAC) models including NIST standards for RBAC [26, 12]; see [11] for a textbook survey. The main motivation for RBAC, in software architectures (e.g., [22, 21]) and frameworks such as JAAS/.NET, is that it enables the enforcement of security policies at a granularity demanded by the application. In these examples, RBAC allows permissions to be de-coupled from users: Roles are the unit of administration for users and permissions are assigned to roles. Roles are often arranged in a hierarchy for succinct representation of the mapping of permissions. Component programmers design code in terms of a static collection of roles. When the application is deployed, administrators map the roles defined in the application to users in the particular domain.

In this paper, we study a lambda calculus enriched with primitives for access control, dubbed λ-RBAC. The underlying lambda calculus serves as an abstraction of the ambient programming framework in a real system.
We draw inspiration from the programming idioms in JAAS and .NET, to determine the expressiveness required for the access control mechanisms. In a sequence of .NET examples [2], closely based on [18], we give the reader a flavor of the basic programming idioms.

Example 1 ([18]). In the .NET Framework CLR, every thread has a Principal object that carries its role. This Principal object can be viewed as representing the user executing the thread. In programming, it often needs to be determined whether a specific Principal object belongs to a familiar role. The code performs checks by making a security call for a PrincipalPermission object. The PrincipalPermission class denotes the role that a specific principal needs to match. At the time of a security check, the CLR checks whether the role of the Principal object of the caller matches the role of the PrincipalPermission object being requested. If the role values of the two objects do not match, an exception is raised. The following code snippet illustrates the issues:

    PrincipalPermission usrPerm = new PrincipalPermission(null, "Manager");
    usrPerm.Demand();

If the current thread is associated with a principal that has the role of manager, the PrincipalPermission objects are created and security access is given as required. If the credentials are not valid, a security exception is raised.

[2] In order to minimize the syntactic barrage on the unsuspecting reader, our examples to illustrate the features are drawn solely from the .NET programming domain. At the level of our discussion, there are no real distinctions between JAAS and .NET security services.

In this vein, the intuitive operation of λ-RBAC is as follows. λ-RBAC program execution takes place in the context of a role, say r, which can be viewed concretely as a set of permissions.
The set of roles used in a program is static: we do not allow the dynamic creation of roles. λ-RBAC supports run-time operations to create objects (i.e. higher-order functions) that are wrapped with protecting roles. The use of such guarded objects is facilitated by operations that check that the role-context r is at least as strong as the guarding role: an exception is raised if the check fails.

The next example illustrates that boolean combinations of roles are permitted in programs. In classical RBAC terms, this is abstracted by a lattice or boolean structure on roles.

Example 2 ([18]). The Union method of the PrincipalPermission class combines multiple PrincipalPermission objects. The following code represents a security check that succeeds only if the Principal object represents a user in the CourseAdmin or BudgetManager roles:

    PrincipalPermission perm1 = new PrincipalPermission(null, "CourseAdmin");
    PrincipalPermission perm2 = new PrincipalPermission(null, "BudgetManager");
    // Demand at least one of the roles using Union
    perm1.Union(perm2).Demand();

Similarly, there is an Intersect method to represent a join operation in the role lattice.

In λ-RBAC, we assume that roles form a lattice, abstracting the concrete union/intersection operations of these examples. In the concrete view of a role as a set of permissions, role ordering is given by supersets, i.e. a role is stronger than another role if it has more permissions; join of roles corresponds to the union of the sets of permissions and meet of roles corresponds to the intersection of the sets of permissions. Some of our results assume that the lattice is boolean, i.e. the lattice has a negation operation. In the concrete view of the motivating examples, the negation operation is interpreted by set complement with respect to a maximum collection of permissions. Our study is parametric on the underlying role lattice.
The key operation in such programming is rights modulation. From a programming viewpoint, it is convenient, indeed sometimes required, for an application to operate under the guise of different users at different times. Rights modulation of course comes in two flavors: rights weakening is overall a safe operation, since the caller chooses to execute with fewer rights. On the other hand, rights amplification is clearly a more dangerous operation. In the .NET framework, rights modulation is achieved via a technique called impersonation.

Example 3. Impersonation of an account is achieved using the account's token, as shown in the following code snippet:

    WindowsIdentity stIdentity = new WindowsIdentity(StToken);
    // StToken is the token associated with the Windows account being impersonated
    WindowsImpersonationContext stImp = stIdentity.Impersonate();
    // now operating under the new identity
    stImp.Undo();
    // revert back

λ-RBAC has combinators to perform scoped rights weakening and amplification. We demonstrate the expressiveness of λ-RBAC by building a range of useful combinators and a variety of small illustrative examples. We discuss type systems to perform the two analyses alluded to earlier: (a) an analysis to detect and remove unnecessary role-checks in a piece of code for a caller at a sufficiently high role, and (b) an analysis to determine the (maximal) role that is guaranteed to be required by a piece of code. The latter analysis acquires particular value in the presence of rights modulation. For both we prove preservation and progress properties.

1.2. Related work. Our paper falls into the broad area of research enlarging the scope of foundational, language-based security methods (see [27, 19, 3] for surveys).
Our w ork is lose in spirit, if not in te hnial dev elopmen t, to edit automata [16 ℄, whi h use asp ets to a v oid the expliit in termingling of seurit y and baseline o de. The pap ers that are most diretly relev an t to the urren t pap er are those of Braghin, Gorla and Sassone [7 ℄ and Compagnoni, Garalda and Gun ter [10℄. [7℄ presen ts the rst on- urren t alulus with a notion of rba  , whereas [10℄'s language enables privileges dep ending up on lo ation. Both these pap ers start o with a mobile pro ess-based omputational mo del. Both al- uli ha v e primitiv es to ativ ate and deativ ate roles: these roles are used to prev en t undesired mobilit y and/or omm uniation, and are similar to the primitiv es for role restrition and ampliation in this pap er. The am bien t pro ess alulus framew ork of these pap ers pro- vides a diret represen tation of the sessions of rba   in on trast, our sequen tial alulus is b est though t of as mo deling a single session. [7, 10℄ dev elop t yp e systems to pro vide guaran tees ab out the minimal role required for exeution to b e suessful  our rst t yp e system o upies the same oneptual spae as this stati analysis. Ho w ev er, our seond t yp e system that alulates minim um aess on trols do es not seem to ha v e an analogue in these pap ers. More globally , our pap er has b een inuened b y the desire to serv e lo osely as a metalan- guage for programming rba  me hanisms in examples su h as the jaas / .net framew orks. Th us, our treatmen t in ternalizes righ ts ampliation b y program om binators and the am- plify role onstrutor in role latties. In on trast, the ab o v e pap ers use external  i.e. not part of the pro ess language  me hanisms (namely , user p oliies in [10 ℄, and rba  - s hemes in [7℄) to enfore on trol on righ ts ativ ation. W e exp et that our ideas an b e adapted to the pro ess aluli framew ork. 
In future work, we also hope to integrate the powerful bisimulation principles of these papers. Our paper deals with access control, so the extensive work on information flow, e.g., see [24] for a survey, is not directly relevant. However, we note that rights amplification plays the same role in λ-RBAC that declassification and delimited release [9, 25, 20] play in the context of information flow; namely that of permitting access that would not have been possible otherwise. In addition, by supporting the internalizing of the ability to amplify code rights into the role lattice, our system permits access control code to actively participate in managing rights amplification.

1.3. Rest of the paper. We present the language in Section 2, the type system in Section 3 and illustrate its expressiveness with examples in Section 4. We discuss methods for controlling rights amplification in Section 5. Section 6 provides proofs of the theorems from Section 3.

2. The Language

After a discussion of roles, we present an overview of the language design. The remaining subsections present the formal syntax, evaluation semantics, typing system, and some simple examples.

2.1. Roles. The language of roles is built up from role constructors. The choice of role constructors is application dependent, but must include the lattice constructors discussed below. Each role constructor, $\kappa$, has an associated arity, $\mathrm{arity}(\kappa)$. Roles $A$–$E$ have the form $\kappa(A_1, \ldots, A_n)$. We require that roles form a boolean lattice; that is, the set of constructors must include the nullary constructors $\mathbf{0}$ and $\mathbf{1}$, binary constructors $\sqcup$ and $\sqcap$ (written infix), and unary constructor $\star$ (written postfix). $\mathbf{0}$ is the least element of the role lattice. $\mathbf{1}$ is the greatest element.
$\sqcap$ and $\sqcup$ are idempotent, commutative, associative, and mutually distributive meet and join operations respectively. $\star$ is the complement operator. A role may be thought of as a set of permissions. Under this interpretation, $\mathbf{0}$ is the empty set, while $\mathbf{1}$ is the set of all permissions.

The syntax of terms uses role modifiers, $\rho$, which may be of the form $\uparrow\!A$ or $\downarrow\!A$. We use role modifiers as functions from roles to roles, with $\rho[\![A]\!]$ defined as follows:

$$\uparrow\!A[\![B]\!] = A \sqcup B \qquad\qquad \downarrow\!A[\![B]\!] = A \sqcap B$$

In summary, the syntax of roles is as follows.

$$\begin{array}{lll}
\kappa & ::= \mathbf{0} \mid \mathbf{1} \mid \sqcup \mid \sqcap \mid \star \mid \cdots & \text{Role constructors}\\
A\text{--}E & ::= \kappa(A_1, \ldots, A_n) & \text{Roles}\\
\rho & ::= \uparrow\!A \mid \downarrow\!A & \text{Role modifiers}
\end{array}$$

Throughout the paper, we assume that all roles (and therefore all types) are well-formed, in the sense that role constructors have the correct number of arguments.

The semantics of roles is defined by the relation "$A \doteq B$" stating that $A$ and $B$ are provably equivalent. In addition to any application-specific axioms, we assume the standard axioms of boolean algebra. We say that $A$ dominates $B$ (notation $A > B$) if $A \doteq A \sqcup B$ (equivalently $B \doteq A \sqcap B$) is derivable. Thus we can conclude $\mathbf{1} > A \sqcup B > A > A \sqcap B > \mathbf{0}$, for any $A$, $B$.

The role modifier $\downarrow\!A$ creates a weaker role (closer to $\mathbf{0}$), thus we refer to it as a restriction. Dually, the modifier $\uparrow\!A$ creates a stronger role (closer to $\mathbf{1}$), and thus we refer to it as an amplification. While this ordering follows that of the NIST RBAC standard [12], it is dual to the normal logical reading; it may be helpful to keep in mind that, viewed as a logic, $\mathbf{1}$ is false, $\mathbf{0}$ is true, $\sqcup$ is and, $\sqcap$ is or and $>$ is implies.

2.2. Language overview. Our goal is to capture the essence of role-based systems, where roles are used to regulate the interaction of components of the system.
We have chosen to base our language on Moggi's monadic metalanguage because it is simple and well understood, yet rich enough to capture the key concepts. By design, the monadic metalanguage is particularly well suited to studying computational side effects (or simply effects), which are central to our work. (We expect that our ideas can be adapted to both process and object calculi.)

The components in the monadic metalanguage are terms and the contexts that use them. To protect terms, we introduce guards of the form $\{A\}[M]$, which can only be discharged by a context whose role dominates $A$. The notion of context role is formalized in the definition of evaluation, where $A \rhd M \to N$ indicates that context role $A$ is sufficient to reduce $M$ to $N$. The term $\mathsf{check}\,M$ discharges the guard on $M$. The evaluation rule allows $A \rhd \mathsf{check}\,\{B\}[M] \to [M]$ only if $A > B$.

The context role may vary during evaluation: given context role $A$, the term $\rho(M)$ evaluates $M$ with context role $\rho[\![A]\!]$. Thus, when $\downarrow\!B(M)$ is evaluated with context role $A$, $M$ is evaluated with context role $A \sqcap B$. A context may protect itself from a term by placing the use of the term in such a restricted context. (The syntax enforces a stack discipline on role modifiers.) By combining upwards and downwards modifiers, code may assume any role and thus circumvent an intended policy. We address this issue in Section 5.

These constructs are sufficient to allow protection for both terms and contexts: terms can be protected from contexts using guards, and contexts can be protected from terms using (restrictive) role modifiers.

2.3. Syntax. Let $x, y, z, f, g$ range over variable names, and let $bv$ range over base values. Our presentation is abstract with respect to base values; we use the types $\mathsf{String}$, $\mathsf{Int}$ and $\mathsf{Unit}$ (with value $\mathsf{unit}$) in examples.
We use the standard encodings of booleans and pairs (see Example 14). The syntax of values and terms is as follows.

$$\begin{array}{llr}
V, U, W ::= & M, N, L ::= & \text{Values; Terms}\\
bv \mid x & V & \text{Base Value}\\
\lambda x.\,M & M\,N \mid \mathsf{fix}\,M & \text{Abstraction}\\
\{A\}[M] & \mathsf{check}\,M & \text{Guard}\\
[M] & \mathsf{let}\,x = M;\,N & \text{Computation}\\
 & \rho(M) & \text{Role Modifier}
\end{array}$$

Notation. In examples, we write $A(M)$ to abbreviate $\downarrow\!\mathbf{0}(\uparrow\!A(M))$, which executes $M$ at exactly role $A$. The variable $x$ is bound in the value "$\lambda x.\,M$" (with scope $M$) and in the term "$\mathsf{let}\,x = M;\,N$" (with scope $N$). If $x$ does not appear free in $M$, we abbreviate "$\lambda x.\,M$" as "$\lambda.\,M$". Similarly, if $x$ does not appear free in $N$, we abbreviate "$\mathsf{let}\,x = M;\,N$" as "$M;\,N$". We identify syntax up to renaming of bound variables and write $N\{x := M\}$ for the capture-avoiding substitution of $M$ for $x$ in $N$.

In the presentation of the syntax above, we have paired the constructors on values on the left with the destructors on computations on the right. For example, the monadic metalanguage distinguishes $2$ from $[2]$ and $[1 + 1]$: the former is an integer, whereas the latter are computations that, when bound, produce an integer. The computation value $[M]$ must be discharged in a binding context; see the reduction rule for let, below. Similarly, the function value $\lambda x.\,M$ must be discharged by application; in the reduction semantics that follows, evaluation proceeds in an application till the term in function position reduces to a lambda abstraction. $\{A\}[M]$ constructs a guarded value; the associated destructor is $\mathsf{check}$.

The monadic metalanguage distinguishes computations from the values they produce and treats computations as first class entities. (Any term may be treated as a value via the unit constructor $[M]$.)
Both appliation and the let onstrut result in omputations; ho w- ev er, the w a y that they handle their argumen ts is dieren t. The appliation  ( λx . N ) [ M ℄  results in N { x : = [ M ℄ } , whereas the binding  let x = [ M ℄; M  results in N { x : = M } . 2.4. Ev aluation and role error. The small-step ev aluation relation A ⊲ M → M ′ is dened indutiv ely b y the follo wing redution and on text rules. (r-app) A ⊲ ( λx . M ) N → M { x : = N } (-app) A ⊲ M → M ′ A ⊲ M N → M ′ N (r-fix) A ⊲ fix ( λx . M ) → M { x : = fix ( λx . M ) } (-fix) A ⊲ M → M ′ A ⊲ fix M → fix M ′ (r-hk) A ⊲ che ck { B }[ M ℄ → [ M ℄ A > B (-hk) A ⊲ M → M ′ A ⊲ che ck M → check M ′ (r-bind) A ⊲ let x = [ M ℄; N → N { x : = M } (-bind) A ⊲ M → M ′ A ⊲ let x = M ; N → let x = M ′ ; N (r-mod) A ⊲ ρ ( V ) → V (-mod) ρ L A M ⊲ M → M ′ A ⊲ ρ ( M ) → ρ ( M ′ ) The rules r/-app for appliation, r/-fix for xed p oin ts and r/-bind for let are standard. r-hk ensures that the on text role is suien t b efore dis harging the relev an t guard. -mod mo dies the on text role un til the relev an t term is redued to a v alue, at whi h p oin t r-mod disards the mo dier. The ev aluation seman tis is designed to ensure a role-monotoniit y prop ert y . Inreasing the a v ailable role-on text annot in v alidate transitions, it an only enable more ev olution. Lemma 4. If B ⊲ M → M ′ and A > B then A ⊲ M → M ′ . Pr o of. (Sk et h) The on text role is used only in r-hk . Result follo ws b y indution on the ev aluation judgemen t. 8 R. JA GADEESAN, A. JEFFREY, C. PITCHER, AND J. RIEL Y Via a series of onseutiv e small steps, the nal v alue for the program an b e determined. Suessful termination is written A ⊲ M ։ V whi h indiates that A is authorized to run the program M to ompletion, with result V . View ed as a role-indexed relation on terms, ։ is reexiv e and transitiv e. Denition 5. 
(a) M 0 evaluates to M n at A (notation A ⊲ M 0 ։ M n ) if there exist terms M i su h that A ⊲ M i → M i +1 , for all i ( 0 ≤ i ≤ n − 1 ). (b) M diver ges at A (notation A ⊲ M → ω ) if there exist terms M i su h that A ⊲ M i → M i +1 , for all i ∈ N . Ev aluation an fail b eause a term div erges, b eause a destrutor is giv en a v alue of the wrong shap e, or b eause an inadequate role is pro vided at some p oin t in the omputation. W e refer to the latter as a r ole err or (notation A ⊲ M err ), dened indutiv ely as follo ws. A ⊲ che ck { B } [ M ℄ err A 6 > B ρ L A M ⊲ M err A ⊲ ρ ( M ) err A ⊲ M err A ⊲ M N err A ⊲ M err A ⊲ fix M err A ⊲ M err A ⊲ let x = M ; N err A ⊲ M err A ⊲ check M err Example 6. Reall from Setion 2.3 that B ( M ) abbreviates ↓ 0 0 0 ( ↑ B ( M )) , and dene test < B > as follo ws 3 . test < B > △ = check { B } [ unit ℄ test < B > is a omputation that requires on text role B to ev aluate. F or example, ↓ B ⋆ ( test < B >) pro dues a role error in an y on text, sine ↓ B ⋆ restrits an y role-on text to the negation of the role B . Example 7. W e no w illustrate ho w terms an pro vide roles for themselv es. Consider the follo wing guarded funtion: from < A , B > △ = { A }[ λ y . B ( y )℄ from < A , B > is a guarded v alue that ma y only b e dis harged b y A , resulting in a funtion that runs an y omputation at B . Let test < B > △ = check { B }[ unit ℄ . No matter what the relationship is b et w een A and B , the follo wing ev aluation sueeds: A ⊲ let z = check from < A , B >; z test < B > ։ B ( test < B >) ։ [ unit ℄ from < A , B > is far to o p o w erful to b e useful. After the A -guard is dis harged, the resulting funtion will run any o de at role B . One an pro vide sp ei o de, of ourse, as in λ y . B ( M ) . Su h funtions are inheren tly dangerous and therefore it is desirable onstrain the w a y in whi h su h funtions are reated. 
The essential idea is to attach suitable checks to a function such as $\lambda g.\,\lambda y.\,B(g\,y)$, which takes a non-privileged function and runs it under $B$. There are a number of subtleties to consider in providing a general purpose infrastructure to create terms with rights amplification. When should the guard be checked? What functions should be allowed to run, and in what context? In Example 21, we discuss the treatment of these issues using the Domain and Type Enforcement access control mechanism.

[3] We do not address parametricity here; the brackets in the names $\mathsf{test}\langle B\rangle$ and $\mathsf{from}\langle A, B\rangle$ are merely suggestive.

3. Typing

We present two typing systems that control role errors in addition to shape errors. The first typing system determines a context role sufficient to avoid role errors; that is, with this role, there is no possible execution path that causes a role error. This system enables the removal of unnecessary role-checks in a piece of code for a caller at a sufficiently high role. The second system determines a context role necessary to avoid role errors; that is, any role that does not dominate this role will cause every execution path to result in a role error. Stated differently, the second system calculates the role that is checked and tested on every execution path and thus determines the amount of protection that is enforced by the callee.

Technically, the two systems differ primarily in their notions of subtyping. In the absence of subtyping, the typing system determines a context role that is both necessary and sufficient to execute a term without role errors.

Because it clearly indicates the point at which computation is performed, the monadic metalanguage is attractive for reasoning about security properties, which we understand as computational effects.
The type $[T]$ is the type of computations of type $T$. We extend the computation type $[T]$ to include an effect that indicates the guards that are discharged during evaluation of a term. Thus the term $\mathsf{check}\,\{A\}[1 + 1]$ has type $\langle A\rangle[\mathsf{Int}]$; this type indicates that the reduction of the term to a value (at type $\mathsf{Int}$) requires $A$. Guarded values inhabit types of the form $\{A\}[T]$; this type indicates the protection of $A$ around an underlying value at type $T$. These may be discharged with a $\mathsf{check}$, resulting in a term inhabiting the computation type $\langle A\rangle[T]$.

The syntax of types is given below, with the constructors and destructors at each type recalled from Section 2.3.

$$\begin{array}{lllr}
T, S ::= & V, U, W ::= & M, N, L ::= & \text{Types; Values; Terms}\\
\mathsf{Base} & bv \mid x & V & \text{Base Value}\\
T \to S & \lambda x.\,M & M\,N \mid \mathsf{fix}\,M & \text{Abstraction}\\
\{A\}[T] & \{A\}[M] & \mathsf{check}\,M & \text{Guard}\\
\langle A\rangle[T] & [M] & \mathsf{let}\,x = M;\,N & \text{Computation}\\
 & & \rho(M) & \text{Role Modifier}
\end{array}$$

3.1. Subtyping. The judgments of the subtyping and typing relations are indexed by $\alpha$ which ranges over $\{1, 2\}$. The subtyping relation for $\langle A\rangle[T]$ reflects the difference between the two type systems. If role $A$ suffices to enable a term to evaluate without role errors, then any higher role context also avoids role errors (using Lemma 4). This explains the subtyping rule for the first type system; in particular, $\vdash_1 \langle A\rangle[T] <: \langle\mathbf{1}\rangle[T]$, reflecting the fact that the top role is sufficient to run any computation. On the other hand, if a role $A$ of the role-context is checked and tested on every execution path of a term, then so is any smaller role. This explains the subtyping rule for the second type system; in particular, $\vdash_2 \langle A\rangle[T] <: \langle\mathbf{0}\rangle[T]$, reflecting the fact that the bottom role is vacuously checked in any computation.

$$\begin{array}{ll}
\vdash_\alpha \mathsf{Base} <: \mathsf{Base}
& \dfrac{\vdash_\alpha T <: T'}{\vdash_\alpha \{A\}[T] <: \{A'\}[T']}\quad \text{if } \alpha = 1 \text{ then } A' > A;\ \text{if } \alpha = 2 \text{ then } A > A'\\[2ex]
\dfrac{\vdash_\alpha T' <: T \qquad \vdash_\alpha S <: S'}{\vdash_\alpha T \to S <: T' \to S'}
& \dfrac{\vdash_\alpha T <: T'}{\vdash_\alpha \langle A\rangle[T] <: \langle A'\rangle[T']}\quad \text{if } \alpha = 1 \text{ then } A' > A;\ \text{if } \alpha = 2 \text{ then } A > A'
\end{array}$$

Lemma 8. The relations $\vdash_\alpha T <: S$ are reflexive and transitive.

3.2. Type systems. Typing is defined using environments. An environment, $\Gamma ::= x_1{:}T_1, \ldots, x_n{:}T_n$, is a finite partial map from variables to types. As usual, there is one typing rule for each syntactic form plus the rule t-sub for subsumption, which allows the use of subtyping. Upwards and downwards role modifiers have separate rules, discussed below. The typing rules for the two systems differ only in their notion of subtyping and in the side condition on t-mod-dn; we discuss the latter in Example 15.

$$\begin{array}{l}
\textsc{(t-base)}\quad \Gamma \vdash_\alpha bv : \mathsf{Base}\\[1ex]
\textsc{(t-var)}\quad \Gamma, x{:}T, \Gamma' \vdash_\alpha x : T\\[1ex]
\textsc{(t-sub)}\quad \dfrac{\Gamma \vdash_\alpha M : T \qquad \vdash_\alpha T <: T'}{\Gamma \vdash_\alpha M : T'}\\[2ex]
\textsc{(t-abs)}\quad \dfrac{\Gamma, x{:}T \vdash_\alpha M : S}{\Gamma \vdash_\alpha \lambda x.\,M : T \to S}\quad x \notin \mathrm{dom}(\Gamma)\\[2ex]
\textsc{(t-app)}\quad \dfrac{\Gamma \vdash_\alpha M : T \to S \qquad \Gamma \vdash_\alpha N : T}{\Gamma \vdash_\alpha M\,N : S}\\[2ex]
\textsc{(t-fix)}\quad \dfrac{\Gamma \vdash_\alpha M : T \to T}{\Gamma \vdash_\alpha \mathsf{fix}\,M : T}\\[2ex]
\textsc{(t-grd)}\quad \dfrac{\Gamma \vdash_\alpha M : T}{\Gamma \vdash_\alpha \{A\}[M] : \{A\}[T]}\\[2ex]
\textsc{(t-chk)}\quad \dfrac{\Gamma \vdash_\alpha M : \{A\}[T]}{\Gamma \vdash_\alpha \mathsf{check}\,M : \langle A\rangle[T]}\\[2ex]
\textsc{(t-unit)}\quad \dfrac{\Gamma \vdash_\alpha M : T}{\Gamma \vdash_\alpha [M] : \langle\mathbf{0}\rangle[T]}\\[2ex]
\textsc{(t-bind)}\quad \dfrac{\Gamma \vdash_\alpha M : \langle A\rangle[T] \qquad \Gamma, x{:}T \vdash_\alpha N : \langle B\rangle[S]}{\Gamma \vdash_\alpha \mathsf{let}\,x = M;\,N : \langle A \sqcup B\rangle[S]}\quad x \notin \mathrm{dom}(\Gamma)\\[2ex]
\textsc{(t-mod-up)}\quad \dfrac{\Gamma \vdash_\alpha M : \langle B\rangle[T]}{\Gamma \vdash_\alpha \uparrow\!A(M) : \langle B \sqcap A^\star\rangle[T]}\\[2ex]
\textsc{(t-mod-dn)}\quad \dfrac{\Gamma \vdash_\alpha M : \langle B\rangle[T]}{\Gamma \vdash_\alpha \downarrow\!A(M) : \langle B\rangle[T]}\quad \text{if } \alpha = 1 \text{ then } A > B
\end{array}$$

The rules t-base, t-var, t-sub, t-abs, t-app and t-fix are standard. For example, the identity function has the expected typing, $\vdash_\alpha \lambda x.\,x : T \to T$, for any $T$. Non terminating computations can also be typed; for example, $\vdash_\alpha \mathsf{fix}(\lambda x.\,x) : T$, for any $T$.

Any term may be injected into a computation type at the least role using t-unit.
Thus, in the light of the earlier discussion on subtyping, if $\vdash_\alpha M : T$ then, in the first system, $[M]$ inhabits $\langle A\rangle[T]$ for every role $A$; in the second system, the term inhabits only type $\langle\mathbf{0}\rangle[T]$, indicating that no checks are required to successfully evaluate the value $[M]$.

Computations may be combined using t-bind [4]. If $M$ inhabits $\langle A\rangle[T]$ and $N$ inhabits $\langle B\rangle[S]$, then "$M;\,N$" inhabits $\langle A \sqcup B\rangle[S]$. More generally, we can deduce:

$$\vdash_\alpha \lambda x.\,\mathsf{let}\,x' = x;\,x' : \langle A\rangle[\langle B\rangle[T]] \to \langle A \sqcup B\rangle[T]$$

In the first type system, this rule is motivated by noting that the role context $A \sqcup B$ suffices to successfully avoid role errors in the combined computation if $A$ (resp. $B$) suffices for $M$ (resp. $N$). For the second type system, consider a role $C$ that is not bigger than $A \sqcup B$; thus $C$ is not bigger than at least one of $A$, $B$. If it is not greater than $A$, by assumption on typing of $M$, every computation path of $M$ in role context $C$ leads to a role-error. Similarly for $B$. Thus, in role context $C$, every computation path in the combined computation leads to a role error. Furthermore, using the earlier subtyping discussion, the sequence also inhabits $\langle\mathbf{1}\rangle[S]$ in the first system and $\langle\mathbf{0}\rangle[S]$ in the second.

The rule t-grd types basic values with their protection level. The higher-order version of $\{A\}[\,]$ has the natural typing:

$$\vdash_\alpha \lambda x.\,\{A\}[x] : T \to \{A\}[T]$$

Recall that in the transition relation, $\mathsf{check}\,\{A\}[N]$ checks the role context against $A$. The typing rule t-chk mirrors this behavior by converting the protection level of values into constraints on role contexts. For example, we have the typing:

$$\vdash_\alpha \lambda x.\,\mathsf{check}\,x : \{A\}[T] \to \langle A\rangle[T]$$

In the special case of typing $\Gamma \vdash_\alpha \mathsf{check}\,\{A\}[N] : \langle A\rangle[T]$, we can further justify in the two systems as follows.
In terms of the first type system, the role context passes this check if it is at least $A$. In terms of the second type system, any role context that does not include $A$ will cause a role error.

Role modifiers are treated by separate rules for upwards and downwards modifiers. The rule t-mod-up is justified for the first type system as follows. Under the assumption that $B$ suffices to evaluate $M$ without role errors, consider evaluation of $\uparrow_A(M)$ in role context $B \sqcap A^\star$. This term contributes $A$ to the role context, yielding $A \sqcup (B \sqcap A^\star) = (A \sqcup B) \sqcap (A \sqcup A^\star) = A \sqcup B > B$ for the evaluation of $M$, which therefore suffices. For the second type system, assume that if a role is not greater than $B$, then the evaluation of $M$ leads to a role error. Consider the evaluation of $\uparrow_A(M)$ in a role context $C$ that does not exceed $B \sqcap A^\star$. Then the evaluation of $M$ proceeds in role context $C \sqcup A$, which does not exceed $B$ (if it did, $C > (C \sqcup A) \sqcap A^\star > B \sqcap A^\star$) and hence causes a role error by assumption.

The rule t-mod-dn is justified for the first type system as follows. Under the assumption that $B$ suffices to evaluate $M$ without role errors, and that $A$ is greater than $B$, consider evaluation of $\downarrow_A(M)$ in role context $B$. This term alters the role context $B$ to $B \sqcap A = B$ for the evaluation of $M$, which suffices. For the second type system, assume that if a role is not greater than $B$, then the evaluation of $M$ leads to a role error. Consider the evaluation of $\downarrow_A(M)$ in a role context $C$ that does not exceed $B$. Then $C \sqcap A$ certainly does not exceed $B$, and so the evaluation of $M$ causes a role error by assumption. Example 16 and Example 15 discuss alternative presentations of the typing rules for the role modifiers.

In stating the results, we distinguish computations from other types. Lemma 10 holds trivially from the definitions.
Footnote 4. The distinction between our system and dependency-based systems can be seen in t-bind, which in [1, 2, 30] states that $\vdash \mathit{let}\ x = M;\ N : \langle B\rangle[S]$ if $B > A$, where $\vdash M : \langle A\rangle[T]$ and $x : T \vdash N : \langle B\rangle[S]$.

Definition 9. Role $A$ dominates type $T$ (notation $A \geq T$) if $T$ is not a computation type, or $T$ is a computation type $\langle B\rangle[S]$ and $A > B$.

Lemma 10. (a) If $A > B$ and $B \geq T$ then $A \geq T$. (b) If $\vdash_1 T <: S$ and $A \geq S$ then $A \geq T$. (c) If $\vdash_2 T <: S$ and $A \geq T$ then $A \geq S$.

The following theorems formalize the guarantees provided by the two systems. The proofs may be found in Section 6.

Theorem 11. If $\vdash_1 M : T$ and $A \geq T$, then either $A \rhd M \to^\omega$ or $A \rhd M \twoheadrightarrow V$ for some $V$.

Theorem 12. If $\vdash_2 M : T$ and $A \not\geq T$, then either $A \rhd M \to^\omega$ or there exists $N$ such that $A \rhd M \twoheadrightarrow N$ and $A \rhd N\ \mathit{err}$.

For the first system, we have a standard type-safety theorem. For the second system, such a safety theorem does not hold; for example, $\vdash_2 \mathit{check}\ \{\mathbf{1}\}[\mathit{unit}] : \langle\mathbf{1}\rangle[\mathit{Unit}]$ and $\mathbf{1} \rhd \mathit{check}\ \{\mathbf{1}\}[\mathit{unit}] \to [\mathit{unit}]$, but $\not\vdash_2 [\mathit{unit}] : \langle\mathbf{1}\rangle[\mathit{Unit}]$. Instead, Theorem 12 states that a term run with an insufficient context role is guaranteed either to diverge or to produce a role error.

3.3. Simple examples.

Example 13. We illustrate the combinators of the language with some simple functions. The identity function may be given its usual type:

$$\vdash_\alpha \lambda x.x : T \to T$$

The unit of computation can be used to create a computation from any value:

$$\vdash_\alpha \lambda x.[x] : T \to \langle\mathbf{0}\rangle[T]$$

The let construct evaluates a computation. In the following example, the result of the computation $x'$ must itself be a computation, because it is returned as the result of the function:

$$\vdash_\alpha \lambda x.\,\mathit{let}\ x' = x;\ x' : \langle A\rangle[\langle B\rangle[T]] \to \langle A \sqcup B\rangle[T]$$

The guard construct creates a guarded term:

$$\vdash_\alpha \lambda x.\{A\}[x] : T \to \{A\}[T]$$

The check construct discharges a guard, resulting in a computation:

$$\vdash_\alpha \lambda x.\,\mathit{check}\ x : \{A\}[T] \to \langle A\rangle[T]$$

The upwards role modifier reduces the role required by a computation:

$$\vdash_\alpha \lambda x.\uparrow_B(x) : \langle A\rangle[T] \to \langle A \sqcap B^\star\rangle[T]$$

The first typing system requires that any computation performed in the context of a downward role modifier $\downarrow_B(\cdot)$ must not require more than role $B$:

$$\vdash_\alpha \lambda x.\downarrow_B(x) : \langle A\rangle[T] \to \langle A\rangle[T] \qquad (\text{where } B > A \text{ if } \alpha = 1)$$

In the first type system, the last two judgments may be generalized as follows:

$$\vdash_1 \lambda x.\rho(x) : \langle \rho(\!( A )\!)\rangle[T] \to \langle A\rangle[T]$$

Thus a role modifier may be seen as transforming a computation that requires the modifier into one that does not. For further discussion see Example 16.

Example 14 (Booleans). The Church Booleans, $\mathit{tru} \triangleq \lambda t.\lambda f.t$ and $\mathit{fls} \triangleq \lambda t.\lambda f.f$, illustrate the use of subtyping. In the two systems, these may be given the following types.

$$\mathit{Bool}_1 \triangleq \langle A\rangle[T] \to \langle B\rangle[T] \to \langle A \sqcup B\rangle[T] \qquad \vdash_1 \mathit{tru}, \mathit{fls} : \mathit{Bool}_1$$

$$\mathit{Bool}_2 \triangleq \langle A\rangle[T] \to \langle B\rangle[T] \to \langle A \sqcap B\rangle[T] \qquad \vdash_2 \mathit{tru}, \mathit{fls} : \mathit{Bool}_2$$

These types reflect the intuitions underlying the two type systems. The first type system reflects a maximum-over-all-paths typing, whereas the second reflects a minimum-over-all-paths typing. The conditional may be interpreted using the following derived rules.

$$\frac{\Gamma \vdash_1 L : \mathit{Bool}_1 \qquad \Gamma \vdash_1 M : \langle A\rangle[T] \qquad \Gamma \vdash_1 N : \langle B\rangle[T]}{\Gamma \vdash_1 \mathit{if}\ L\ \mathit{then}\ M\ \mathit{else}\ N : \langle A \sqcup B\rangle[T]}$$

$$\frac{\Gamma \vdash_2 L : \mathit{Bool}_2 \qquad \Gamma \vdash_2 M : \langle A\rangle[T] \qquad \Gamma \vdash_2 N : \langle B\rangle[T]}{\Gamma \vdash_2 \mathit{if}\ L\ \mathit{then}\ M\ \mathit{else}\ N : \langle A \sqcap B\rangle[T]}$$

□

Example 15 (t-mod-dn). The side condition on t-mod-dn does not affect typability in the second typing system, but may unnecessarily decrease the accuracy of the analysis, as can be seen from the following concrete example. Let $M$, $N$ be terms of type $\langle B\rangle[T]$.
$$\frac{\dfrac{\Gamma \vdash_\alpha M : \langle B\rangle[T]}{\Gamma \vdash_\alpha M : \langle A \sqcap B\rangle[T]}\ \text{(t-sub)}}{\Gamma \vdash_\alpha \downarrow_A(M) : \langle A \sqcap B\rangle[T]}\ \text{(t-mod-dn)}$$

With the side condition, the term $\mathit{let}\ x = \downarrow_A(M);\ N$ would have to be given a type of the form $\langle A \sqcap B\rangle[T]$, even though both $M$ and $N$ have type $\langle B\rangle[T]$. Without the side condition, the better type $\langle B\rangle[T]$ may be given to the entire let expression.

Example 16 (Alternative rule for role modifiers). In the first typing system, t-mod-up and t-mod-dn may be replaced with the following rule, which we call t-mod-*.

$$\frac{\Gamma \vdash_1 M : \langle \rho(\!( B )\!)\rangle[T]}{\Gamma \vdash_1 \rho(M) : \langle B\rangle[T]}$$

Consider $\rho = \uparrow_A$. Because $C > (A \sqcup C) \sqcap A^\star$, the following are equivalent.

$$\frac{\Gamma \vdash_1 M : \langle A \sqcup C\rangle[T]}{\Gamma \vdash_1 \uparrow_A(M) : \langle C\rangle[T]}\ \text{(t-mod-*)} \qquad\qquad \frac{\dfrac{\Gamma \vdash_1 M : \langle A \sqcup C\rangle[T]}{\Gamma \vdash_1 \uparrow_A(M) : \langle (A \sqcup C) \sqcap A^\star\rangle[T]}\ \text{(t-mod-up)}}{\Gamma \vdash_1 \uparrow_A(M) : \langle C\rangle[T]}\ \text{(t-sub)}$$

Because $(D \sqcap A^\star) \sqcup A > D$, the following are equivalent.

$$\frac{\dfrac{\Gamma \vdash_1 M : \langle D\rangle[T]}{\Gamma \vdash_1 M : \langle (D \sqcap A^\star) \sqcup A\rangle[T]}\ \text{(t-sub)}}{\Gamma \vdash_1 \uparrow_A(M) : \langle D \sqcap A^\star\rangle[T]}\ \text{(t-mod-*)} \qquad\qquad \frac{\Gamma \vdash_1 M : \langle D\rangle[T]}{\Gamma \vdash_1 \uparrow_A(M) : \langle D \sqcap A^\star\rangle[T]}\ \text{(t-mod-up)}$$

Consider $\rho = \downarrow_A$. Because $A > A \sqcap C$ and $C > A \sqcap C$, the following are equivalent.

$$\frac{\Gamma \vdash_1 M : \langle A \sqcap C\rangle[T]}{\Gamma \vdash_1 \downarrow_A(M) : \langle C\rangle[T]}\ \text{(t-mod-*)} \qquad\qquad \frac{\dfrac{\Gamma \vdash_1 M : \langle A \sqcap C\rangle[T]}{\Gamma \vdash_1 \downarrow_A(M) : \langle A \sqcap C\rangle[T]}\ \text{(t-mod-dn)}}{\Gamma \vdash_1 \downarrow_A(M) : \langle C\rangle[T]}\ \text{(t-sub)}$$

Suppose $A > D$. Then $D \sqcap A > D$, and the following are equivalent.

$$\frac{\dfrac{\Gamma \vdash_1 M : \langle D\rangle[T]}{\Gamma \vdash_1 M : \langle D \sqcap A\rangle[T]}\ \text{(t-sub)}}{\Gamma \vdash_1 \downarrow_A(M) : \langle D\rangle[T]}\ \text{(t-mod-*)} \qquad\qquad \frac{\Gamma \vdash_1 M : \langle D\rangle[T]}{\Gamma \vdash_1 \downarrow_A(M) : \langle D\rangle[T]}\ \text{(t-mod-dn)}$$

□

Example 17 (A sublanguage). The following proper sublanguage is sufficient to encode the computational lambda calculus. Here values and terms are disjoint, with values assigned value types $T$ and terms assigned computation types $\langle A\rangle[T]$.
$$T, S ::= \mathit{Base} \mid T \to \langle A\rangle[S] \mid \{A\}[T]$$
$$V, U, W ::= bv \mid x \mid \lambda x.M \mid \{A\}[V]$$
$$M, N, L ::= [V] \mid V\,U \mid \mathit{fix}\ V \mid \mathit{check}\ V \mid \mathit{let}\ x = M;\ N \mid \rho(M)$$

Encoding the Church Booleans in this sublanguage is slightly more complicated than in Example 14; $\mathit{tru}$ and $\mathit{fls}$ must accept thunks of type $\mathit{Unit} \to \langle A\rangle[S]$ rather than the simpler blocks of type $\langle A\rangle[S]$. Operations on base values that have no computational effect are placed in the language of values rather than the language of terms. The resulting terms may be simplified at any time without affecting the computation (e.g., $[1 + 2 == 3]$ may be simplified to $[\mathit{tru}]$).

Example 18 (Relation to conference version). The language presented here is much simpler than that of the conference version of this paper [14]. In particular, the conference version collapsed guards and abstractions into a single form $\{A\}[\lambda x.M]$ with types of the form $T \to \{A \rhd B\}[S]$, which translates here as $\{A\}[T \to \langle B\rangle[S]]$: the immediate guard of the abstraction is $A$, whereas the effect of applying the abstraction is $B$. In addition, the conference version collapsed role modification and application: the application $\downarrow_C V\,U$ first checked the guard of $V$, then performed the application in a context modified by $\downarrow_C$. In the current presentation, this translates as $\mathit{let}\ x = \mathit{check}\ V;\ \downarrow_C(x\,U)$.

4. Examples

In this section we assume nullary role constructors for user roles, such as $\mathit{Alice}$, $\mathit{Bob}$, $\mathit{Charlie}$, $\mathit{Admin}$, and $\mathit{Daemon}$.

Example 19 (ACLs). Consider a read-only filesystem protected by Access Control Lists (ACLs). One can model such a system as:

$$\begin{array}{l}
\mathit{filesystem} \triangleq \lambda \mathit{name}.\\
\quad \mathit{if}\ \mathit{name} == \text{"file1"}\ \mathit{then}\ \mathit{check}\ \{\mathit{Admin}\}[\text{"data1"}]\\
\quad \mathit{else\ if}\ \mathit{name} == \text{"file2"}\ \mathit{then}\ \mathit{check}\ \{\mathit{Alice} \sqcap \mathit{Bob}\}[\text{"data2"}]\\
\quad \mathit{else}\ [\text{"error: file not found"}]
\end{array}$$

If $\mathit{Admin} \geq \mathit{Alice} \sqcap \mathit{Bob}$ then code running in the $\mathit{Admin}$ role can access both files:

$$\mathit{Admin} \rhd \mathit{filesystem}\ \text{"file1"} \twoheadrightarrow \mathit{check}\ \{\mathit{Admin}\}[\text{"data1"}] \twoheadrightarrow [\text{"data1"}]$$
$$\mathit{Admin} \rhd \mathit{filesystem}\ \text{"file2"} \twoheadrightarrow \mathit{check}\ \{\mathit{Alice} \sqcap \mathit{Bob}\}[\text{"data2"}] \twoheadrightarrow [\text{"data2"}]$$

If $\mathit{Alice} \not\geq \mathit{Admin}$ then code running as $\mathit{Alice}$ cannot access the first file but can access the second:

$$\mathit{Alice} \rhd \mathit{filesystem}\ \text{"file1"} \twoheadrightarrow \mathit{check}\ \{\mathit{Admin}\}[\text{"data1"}]\ \mathit{err}$$
$$\mathit{Alice} \rhd \mathit{filesystem}\ \text{"file2"} \twoheadrightarrow \mathit{check}\ \{\mathit{Alice} \sqcap \mathit{Bob}\}[\text{"data2"}] \twoheadrightarrow [\text{"data2"}]$$

Finally, if $\mathit{Charlie} \not\geq \mathit{Alice} \sqcap \mathit{Bob}$ then code running as $\mathit{Charlie}$ cannot access either file:

$$\mathit{Charlie} \rhd \mathit{filesystem}\ \text{"file1"} \twoheadrightarrow \mathit{check}\ \{\mathit{Admin}\}[\text{"data1"}]\ \mathit{err}$$
$$\mathit{Charlie} \rhd \mathit{filesystem}\ \text{"file2"} \twoheadrightarrow \mathit{check}\ \{\mathit{Alice} \sqcap \mathit{Bob}\}[\text{"data2"}]\ \mathit{err}$$

The filesystem code can be assigned the following type, meaning that a caller must possess a role from each of the ACLs in order to guarantee that access checks will not fail. If, in addition, $\mathit{Admin} \geq \mathit{Alice} \sqcap \mathit{Bob}$ then the final role is equal to $\mathit{Admin}$.

$$\vdash_1 \mathit{filesystem} : \mathit{String} \to \langle \mathit{Admin} \sqcup (\mathit{Alice} \sqcap \mathit{Bob}) \sqcup \mathbf{0}\rangle[\mathit{String}]$$

In the above type, the final role $\mathbf{0}$ arises from the unknown-file branch that does not require an access check. The lack of an access check explains the weaker $\vdash_2$ type:

$$\vdash_2 \mathit{filesystem} : \mathit{String} \to \langle \mathit{Admin} \sqcap (\mathit{Alice} \sqcap \mathit{Bob}) \sqcap \mathbf{0}\rangle[\mathit{String}]$$

This type indicates that $\mathit{filesystem}$ has the potential to expose some information to unprivileged callers with role $\mathit{Admin} \sqcap (\mathit{Alice} \sqcap \mathit{Bob}) \sqcap \mathbf{0} \doteq \mathbf{0}$, perhaps causing the code to be flagged for security review.

Example 20 (Web server). Consider a web server that provides remote access to the filesystem described above.
The web server can use the role assigned to a caller to access the filesystem (unless the web server's caller withholds its role). To prevent an attacker determining the non-existence of files via the web server, the web server fails when an attempt is made to access an unknown file unless the $\mathit{Debug}$ role is activated.

$$\begin{array}{l}
\mathit{webserver} \triangleq \lambda \mathit{name}.\\
\quad \mathit{if}\ \mathit{name} == \text{"file1"}\ \mathit{then}\ \mathit{filesystem}\ \mathit{name}\\
\quad \mathit{else\ if}\ \mathit{name} == \text{"file2"}\ \mathit{then}\ \mathit{filesystem}\ \mathit{name}\\
\quad \mathit{else}\ \mathit{check}\ \{\mathit{Debug}\}[\text{"error: file not found"}]
\end{array}$$

For example, code running as $\mathit{Alice}$ can access "file2" via the web server:

$$\mathit{Alice} \rhd \mathit{webserver}\ \text{"file2"} \twoheadrightarrow \mathit{filesystem}\ \text{"file2"} \twoheadrightarrow [\text{"data2"}]$$

The access check in the web server does prevent the file-not-found error message leaking unless the $\mathit{Debug}$ role is active, but, unfortunately, it is not possible to assign a role strictly greater than $\mathbf{0}$ to the web server using the second type system. The $\mathit{filesystem}$ type does not record the different roles that must be checked depending upon the filename argument.

$$\vdash_2 \mathit{webserver} : \mathit{String} \to \langle \mathit{Admin} \sqcap (\mathit{Alice} \sqcap \mathit{Bob}) \sqcap \mathbf{0}\rangle[\mathit{String}] \qquad (\text{derivable})$$
$$\not\vdash_2 \mathit{webserver} : \mathit{String} \to \langle \mathit{Admin} \sqcap (\mathit{Alice} \sqcap \mathit{Bob}) \sqcap \mathit{Debug}\rangle[\mathit{String}] \qquad (\text{not derivable})$$

□

Example 21 illustrates how the Domain-Type Enforcement (DTE) access control mechanism [6, 31], found in Security-Enhanced Linux (SELinux) [17], can be modelled in λ-RBAC. Further discussion of the relationship between RBAC and DTE can be found in [11, 13].

Example 21 (Domain-Type Enforcement). The DTE access control mechanism grants or denies access requests according to the current domain of running code. The current domain changes as new programs are executed, and transitions between domains are restricted in order to allow, and also force, code to run with an appropriate domain. The restrictions upon domain transitions are based upon a DTE type associated with each program to execute.
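Before turning to DTE, the ACL and web-server code of Examples 19 and 20 in executable form. This is an added example, not code from the paper: it models roles as the free Boolean algebra over named atoms modulo the stated inequalities (an assumption about the role lattice, which is what makes $A \sqcup A^\star = \mathbf{1}$ and distributivity hold; dominance $A > B$ is decided by checking every two-element model that satisfies the policy), runs a first-order evaluator for $\mathit{check}$, $[\cdot]$, the string conditional and calls under a context role, and computes the role each type system gives a body by the join-over-paths rule of system 1 and the meet-over-paths rule of system 2 (following t-unit, t-chk and the derived if-rules of Example 14). The names `Role`, `dominates`, `summary`, `outcome`, `POLICY` and `PROGRAM`, and the tuple encoding of terms, are this example's own.

```python
"""Added example (not from the paper): a first-order λ-RBAC evaluator plus the
role summaries the two type systems assign to the filesystem/webserver code."""
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    # Assumption: roles form the free Boolean algebra on named atoms, modulo the
    # inequalities in a policy; |, & and ~ stand for join, meet and star.
    op: str
    args: tuple = ()

    def __or__(self, other):  return Role("join", (self, other))
    def __and__(self, other): return Role("meet", (self, other))
    def __invert__(self):     return Role("star", (self,))

    def atoms(self):
        if self.op == "atom":
            return {self.args[0]}
        return set().union(*(a.atoms() for a in self.args))

    def holds(self, val):
        """Truth value of the role in a two-element model given by the set of atoms that are on."""
        if self.op == "atom": return self.args[0] in val
        if self.op == "top":  return True
        if self.op == "bot":  return False
        if self.op == "star": return not self.args[0].holds(val)
        sub = [a.holds(val) for a in self.args]
        return any(sub) if self.op == "join" else all(sub)


def atom(name): return Role("atom", (name,))
TOP, BOT = Role("top"), Role("bot")


def dominates(a, b, policy=()):
    """A > B: in every two-element model satisfying the policy (X > Y for each pair), B implies A."""
    names = sorted(a.atoms() | b.atoms() | set().union(*(x.atoms() | y.atoms() for x, y in policy)))
    for n in range(len(names) + 1):
        for on in itertools.combinations(names, n):
            val = set(on)
            if all(x.holds(val) or not y.holds(val) for x, y in policy):
                if b.holds(val) and not a.holds(val):
                    return False
    return True


def equal(a, b, policy=()):
    return dominates(a, b, policy) and dominates(b, a, policy)


class RoleError(Exception):
    """Runtime counterpart of 'A ⊳ check {B}[M] err': the context role does not dominate B."""


# Term encoding (assumed): ("unit", v) is [v]; ("check", R, v) is check {R}[v];
# ("ifeq", lit, M, N) compares the string argument with lit; ("call", f) applies f to the argument.
def run(ctx, fns, fname, arg, policy=()):
    def ev(t):
        if t[0] == "unit":
            return t[1]
        if t[0] == "check":
            if not dominates(ctx, t[1], policy):
                raise RoleError(f"context does not dominate guard {t[1]}")
            return t[2]
        if t[0] == "ifeq":
            return ev(t[2] if arg == t[1] else t[3])
        return run(ctx, fns, t[1], arg, policy)          # ("call", f)
    return ev(fns[fname])


def outcome(ctx, fns, fname, arg, policy=()):
    """The returned value, or "err" when evaluation raises a role error."""
    try:
        return run(ctx, fns, fname, arg, policy)
    except RoleError:
        return "err"


def summary(fns, fname, system):
    """Role the first (join over paths) or second (meet over paths) system assigns to the body."""
    comb = (lambda a, b: a | b) if system == 1 else (lambda a, b: a & b)
    def go(t):
        if t[0] == "unit":  return BOT            # t-unit: [v] needs no role
        if t[0] == "check": return t[1]           # t-chk: the guard becomes the required role
        if t[0] == "ifeq":  return comb(go(t[2]), go(t[3]))   # derived if-rules of Example 14
        return summary(fns, t[1], system)         # a call inherits the callee's role
    return go(fns[fname])


Admin, Alice, Bob, Charlie, Debug = (atom(n) for n in ("Admin", "Alice", "Bob", "Charlie", "Debug"))
POLICY = [(Admin, Alice & Bob)]                   # the paper's assumption Admin > Alice ⊓ Bob

PROGRAM = {
    "filesystem": ("ifeq", "file1", ("check", Admin, "data1"),
                   ("ifeq", "file2", ("check", Alice & Bob, "data2"), ("unit", "error: file not found"))),
    "webserver":  ("ifeq", "file1", ("call", "filesystem"),
                   ("ifeq", "file2", ("call", "filesystem"), ("check", Debug, "error: file not found"))),
}

if __name__ == "__main__":
    for who, r in (("Admin", Admin), ("Alice", Alice), ("Charlie", Charlie)):
        print(who, [outcome(r, PROGRAM, "filesystem", f, POLICY) for f in ("file1", "file2", "other")])
    print("⊢1 filesystem = Admin:", equal(summary(PROGRAM, "filesystem", 1), Admin, POLICY))
    print("⊢2 webserver  = 0:", equal(summary(PROGRAM, "webserver", 2), BOT, POLICY))
```

Running it reproduces the three runs of Example 19 (Admin reads both files, Alice only "file2", Charlie neither) and the typing observations of Examples 19 and 20: the system-1 role of `filesystem` collapses to $\mathit{Admin}$ under the policy, while the system-2 role of both `filesystem` and `webserver` is $\mathbf{0}$, because the summary of a call to `filesystem` is the same on the "file1" and "file2" branches and the meet with $\mathbf{0}$ from the unknown-file branch swallows the $\mathit{Debug}$ check.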
For example, the DTE policy in [31] only permits transitions from a domain for daemon processes to a domain for login processes when executing the login program, because code running in the login domain is highly privileged. This effect is achieved by allowing transitions from the daemon domain to the login domain only upon execution of programs associated with a particular DTE type, and that DTE type is assigned only to the login program.

The essence of DTE can be captured in λ-RBAC, using roles to model both domains and DTE types, and the context role to model the current domain of a system. We start by building upon the code fragment $\lambda g.\lambda y.\uparrow_B(g\,y)$, discussed in Example 7, that allows a function checking role $B$ to be executed in the context of code running at a different role. We have the typing (for emphasis we use extra parentheses that are not strictly necessary given the usual right associativity of the function type constructor):

$$\vdash_\alpha \lambda g.\lambda y.\uparrow_B(g\,y) : (T \to \langle B\rangle[S]) \to (T \to \langle\mathbf{0}\rangle[S])$$

To aid readability, and fixing types $T$ and $S$ for the remainder of this example, define:

$$\overline{R} \triangleq R \to (T \to \langle\mathbf{0}\rangle[S])$$

so that the previous typing becomes:

$$\vdash_\alpha \lambda g.\lambda y.\uparrow_B(g\,y) : \overline{T \to \langle B\rangle[S]}$$

To restrict the use of the privileged function $\lambda g.\lambda y.\uparrow_B(g\,y)$, it can be guarded by a role $E$ acting as a DTE type, where the association of the DTE type $E$ with a function is modelled in the sequel by code that can activate role $E$. The guarded function can be typed as:

$$\vdash_\alpha \{E\}[\lambda g.\lambda y.\uparrow_B(g\,y)] : \{E\}[\overline{T \to \langle B\rangle[S]}]$$

We now define a function $\mathit{domtrans}\langle A, E, B\rangle$ for a domain transition from domain (role) $A$ to domain (role) $B$ upon execution of a function associated with DTE type (also a role) $E$.
The funtion rst v eries that the on text role dominates A , and then p ermits use of the privileged funtion λ g . λ y . B ( g y ) b y o de that an ativ ate role E . The funtion domtrans < A , E , B > is dened b y: domtrans < A , E , B > △ = λ f . λ x . check { A }[ unit ℄; f { E } [ λ g . λ y . B ( g y )℄ x W e ha v e the t yping: ⊢ α domtrans < A , E , B > : { E } [ T  h B i [ S ]]  ( T  h A i [ S ]) The ab o v e t yp e sho ws that domtrans < A , E , B > an b e used to turn a funtion  he king role B in to a funtion  he king role A , but only when the role E is a v ailablein on trast to the t yp e ( T  h B i [ S ])  ( T  h A i [ S ]) that do es not require E . In order to mak e use of domtrans < A , E , B > , w e m ust also onsider o de that an ativ ate E . W e dene a funtion assign < E > that tak es a funtion f and ativ ates E in order to aess the privileged o de λ g . λ y . B ( g y ) from domtrans < A , E , B > . The funtion assign < E > is dened b y: assign < E > △ = λ f . λ x . λ y . let g = E ( check x ) ; g f y And w e ha v e the t yping: ⊢ α assign < E > : ( T  h B i [ S ])  { E } [ T  h B i [ S ]] Therefore the funtional omp osition of assign < E > and domtrans < A , E , B > has t yp e: ( T  h B i [ S ])  ( T  h A i [ S ]) T o sho w that in the presene of b oth assign < E > and domtrans < A , E , B > , o de running with on text A an exeute o de  he king for role on text B , w e onsider the follo wing redutions λ - RBAC : PR OGRAMMING WITH R OLE-BASED A CCESS CONTR OL 17 in role on text A , where w e tak e F △ = λ z . check { B } [ unit ℄ and underline terms to indiate the redex: domtrans < A , E , B > ( assign < E > F ) unit = ( λ f . λ x . check { A }[ unit ℄; f ( { E }[ λ g . λ y . B ( g y )℄ ) x ) ( assign < E > F ) unit → ( λ x . check { A }[ unit ℄; ( assign < E > F ) ( { E }[ λ g . λ y . B ( g y )℄ ) x ) unit → check { A }[ unit ℄ ; ( assign < E > F ) ( { E }[ λ g . λ y . 
B ( g y )℄ ) uni t → ( a ssign < E > F ) ( { E }[ λ g . λ y . B ( g y )℄ ) uni t =  ( λ f . λ x . λ y . let g = E ( check x ) ; g f y ) F  ( { E }[ λ g . λ y . B ( g y ) ℄ ) unit → ( λ x . λ y . let g = E ( check x ) ; g F y ) ( { E } [ λ g . λ y . B ( g y )℄ ) uni t → ( λ y . let g = E ( check { E } [ λ g . λ y . B ( g y ) ℄); g F y ) uni t → let g = E ( check { E }[ λ g . λ y . B ( g y ) ℄ ); g F uni t → let g = E ([ λ g . λ y . B ( g y )℄) ; g F unit ։ let g = [ λ g . λ y . B ( g y )℄; g F uni t → ( λ g . λ y . B ( g y ) ) F unit → ( λ y . B ( F y ) ) uni t → B ( F unit ) = B ( ( λ z . check { B }[ unit ℄ ) uni t ) → B ( check { B }[ unit ℄ ) → B ([ unit ℄) ։ [ unit ℄ The strength of dte lies in the abilit y to fator aess on trol p oliies in to t w o omp o- nen ts: the set of p ermitted domain transitions and the assignmen t of dte t yp es to o de. W e illustrate this b y adapting the aforemen tioned login example from [31℄ to λ − RBAC . In this example, the dte me hanism is used to fore ev ery in v o ation of user o de (running at role User ) from daemon o de (running at role Daemon ) to o ur via trusted login o de (running at role Login ). This is a hiev ed b y pro viding domain transitions from Login to User , and Daemon to Login , but no others. Moreo v er, o de p ermitted to run at Login m ust b e assigned dte t yp e LoginEXE , and similarly for User and UserEXE . Th us a full program running daemon o de M has the follo wing form, where neither M nor N on tain diret righ ts ampliation. let dtLogin T oUser = domtrans < Login , UserEXE , User >; let dtDa e mon T oLogin = domtrans < Daemon , Log inEXE , Login >; let shell = assign < UserEXE > ( λ . M ) ; let login = assign < LoginEXE > ( λ p wd . if p wd == "seret" then dtLogin T oUser shell unit else . . . 
) ; Daemon ( N ) Beause login pro vides the sole gatew a y to the role User , the daemon o de N m ust pro vide the orret passw ord in order to exeute the shell at User (in order to aess resoures that are a v ailable at role User but not at role Daemon ). In addition, remo v al of the domain transition dtDaemon T oLogin mak es it imp ossible for the daemon o de to exeute an y o de at User . 18 R. JA GADEESAN, A. JEFFREY, C. PITCHER, AND J. RIEL Y 5. Contr olling rights amplifia tion Example 22. Supp ose that M on tains no diret righ ts ampliation, that is, no subterms of the form ↑ A ( · ) . Then, in let priv = [ λ x . ↑ A ( V x ) ℄; ↓ User ( M ) w e ma y view V as a T ruste d Computing Base ( tb )  a privileged funtion whi h ma y esalate righ ts  and view M as restrited user  o de . The funtion p riv is an en try p oin t to the tb whi h is aessible to user o de; that is, user o de is exeuted at the restrited role User , and righ ts ampliation ma y only o ur through in v o ation of p riv . Non-trivial programs ha v e larger tb s with more en try p oin ts. As the size of the tb gro ws, it b eomes diult to understand the seurit y guaran tees oered b y a system when righ ts ampliation is unonstrained, ev en if only in the tb . T o manage this omplexit y , one ma y enfore a o ding on v en tion that requires righ ts inreases b e justied b y earlier  he ks. As an example, onsider the follo wing, where amplify is a unary role onstrutor. let at < A > = [ λ f . check { amplify ( A ) }[ λ x . ↑ A ( f x )℄℄; let priv = at < A > V ; ↓ User ( M ) In a on text with role amplify ( A ) , this redues (using r-bind , r-app and r-hk ) to let priv = [ λ x . ↑ A ( V x ) ℄; ↓ User ( M ) In a on text without role amplify ( A ) , ev aluation b eomes stu k when attempting to exeute r-hk . 
The privileged function returned by $\mathit{act}\langle A\rangle$ (which performs rights amplification for $A$) is justified by the check for $\mathit{amplify}(A)$ on any caller of $\mathit{act}\langle A\rangle$. One may also wish to explicitly prohibit a term from direct amplification of some right $B$; with such a convention in place, this can be achieved using the role modifier $\downarrow_{\mathit{amplify}(B)}$.

One may formalize the preceding example by introducing the unary role constructor $\mathit{amplify}$, where $\mathit{amplify}(A)$ stands for the right to provide the role $A$ by storing $\uparrow_A$ in code. We require that $\mathit{amplify}$ distribute over $\sqcup$ and $\sqcap$ and obey the following absorption laws:

$$A \sqcup \mathit{amplify}(A) \doteq \mathit{amplify}(A) \qquad A \sqcap \mathit{amplify}(A) \doteq A$$

Thus $\mathit{amplify}(A) > A$ for any role $A$.

To distinguish justified use of role modifiers from unjustified use, we augment the syntax with checked role modifiers:

$$M, N ::= \cdots \mid \rho^A(M)$$

Whenever a check against role $A$ is passed on a guarded term, we mark the role modifiers in the consequent to indicate that these modifiers have been justified by a check. Define the function $\mathit{mark}_A$ homomorphically over all terms except role modifiers:

$$\mathit{mark}_A(\rho(M)) = \rho^A(\mathit{mark}_A(M)) \qquad \mathit{mark}_A(\rho^B(M)) = \rho^{A \sqcup B}(\mathit{mark}_A(M))$$

Modify the reduction rule for check as follows:

$$A \rhd \mathit{check}\ \{B\}[M] \to [\mathit{mark}_B(M)] \qquad \text{if } A > B$$

Thus, the check in the example above will execute as follows.

$$\mathit{amplify}(A) \rhd \mathit{check}\ \{\mathit{amplify}(A)\}[\lambda x.\uparrow_A(f\,x)] \to [\lambda x.\uparrow_A^{\mathit{amplify}(A)}(f\,x)]$$

In the residual, the abstraction contains a checked role modifier, indicating that the role amplification has been provided by code that had the right to do so. We now define role modification errors so that $\uparrow_A^B(M)$ produces an error if $B$ does not dominate $\mathit{amplify}(A)$.
$$\uparrow_B(M)\ \mathit{moderr} \qquad\qquad \frac{C \not> \mathit{amplify}(B)}{\uparrow_B^{C}(M)\ \mathit{moderr}}$$

$$\frac{M\ \mathit{moderr}}{M\,N\ \mathit{moderr}} \qquad \frac{M\ \mathit{moderr}}{\mathit{let}\ x = M;\ N\ \mathit{moderr}} \qquad \frac{M\ \mathit{moderr}}{\mathit{check}\ M\ \mathit{moderr}} \qquad \frac{M\ \mathit{moderr}}{\rho(M)\ \mathit{moderr}}$$

Using this augmented language, unjustified rights amplification is noted as an error. To prevent such errors, we modify the typing system to have judgments of the form $\Gamma; C \vdash_\alpha M : T$, where $C$ indicates the accumulated guards on a term which must be discharged before the term may be executed; since $M$ is guarded by $C$, it may include subterms of the form $\uparrow_A(\cdot)$ when $C > \mathit{amplify}(A)$. In addition to adding rules for checked role modifiers, we also modify t-grd and t-mod-up. The rule t-mod-up ensures that any amplification is justified by $C$. The rule t-grd allows guards to be used in checking guarded terms; the rule is sound since guarded terms must be checked before they are executed.

(t-grd′) $$\frac{\Gamma; C \sqcup A \vdash_\alpha M : T}{\Gamma; C \vdash_\alpha \{A\}[M] : \{A\}[T]}$$

(t-mod-up′) $$\frac{\Gamma; C \vdash_\alpha M : \langle B\rangle[T]}{\Gamma; C \vdash_\alpha \uparrow_A(M) : \langle B \sqcap A^\star\rangle[T]}\quad C > \mathit{amplify}(A)$$

(t-mod-dn-checked) $$\frac{\Gamma; C \vdash_\alpha M : \langle B\rangle[T]}{\Gamma; C \vdash_\alpha \downarrow_A^{D}(M) : \langle B\rangle[T]}\quad \text{if } \alpha = 1 \text{ then } A > B$$

(t-mod-up-checked) $$\frac{\Gamma; C \vdash_\alpha M : \langle B\rangle[T]}{\Gamma; C \vdash_\alpha \uparrow_A^{D}(M) : \langle B \sqcap A^\star\rangle[T]}\quad C \sqcup D > \mathit{amplify}(A)$$

One may not assume that top-level terms have been guarded; therefore, let $\Gamma \vdash_\alpha M : T$ be shorthand for $\Gamma; \mathbf{0} \vdash_\alpha M : T$.

Example 23. The functions $\mathit{domtrans}$ and $\mathit{assign}$ from Example 21 are not typable using this more restrictive system. Recall the definitions:

$$\mathit{domtrans}\langle A, E, B\rangle \triangleq \lambda f.\lambda x.\ \mathit{check}\ \{A\}[\mathit{unit}];\ f\ \{E\}[\lambda g.\lambda y.\uparrow_B(g\,y)]\ x$$
$$\mathit{assign}\langle E\rangle \triangleq \lambda f.\lambda x.\lambda y.\ \mathit{let}\ g = \uparrow_E(\mathit{check}\ x);\ g\,f\,y$$

The amplification of $B$ in $\mathit{domtrans}$ is not justified; neither is the amplification of $E$ in $\mathit{assign}$. The required form is:

$$\mathit{domtrans}\langle A, E, B\rangle \triangleq \{\mathit{amplify}(B)\}[\lambda f.\lambda x.\ \mathit{check}\ \{A\}[\mathit{unit}];\ f\ \{E\}[\lambda g.\lambda y.\uparrow_B(g\,y)]\ x]$$
$$\mathit{assign}\langle E\rangle \triangleq \{\mathit{amplify}(E)\}[\lambda f.\lambda x.\lambda y.\ \mathit{let}\ g = \uparrow_E(\mathit{check}\ x);\ g\,f\,y]$$

The login example must now be modified in order to discharge the guards. Again the modifications are straightforward:

$$\begin{array}{l}
\mathit{let}\ \mathit{dtLoginToUser} = \mathit{check}\ \mathit{domtrans}\langle \mathit{Login}, \mathit{UserEXE}, \mathit{User}\rangle;\\
\mathit{let}\ \mathit{dtDaemonToLogin} = \mathit{check}\ \mathit{domtrans}\langle \mathit{Daemon}, \mathit{LoginEXE}, \mathit{Login}\rangle;\\
\mathit{let}\ \mathit{assignXUser} = \mathit{check}\ \mathit{assign}\langle \mathit{UserEXE}\rangle;\\
\mathit{let}\ \mathit{assignXLogin} = \mathit{check}\ \mathit{assign}\langle \mathit{LoginEXE}\rangle;\\
\mathit{let}\ \mathit{shell} = \mathit{assignXUser}\ (\lambda\_.\,M);\\
\mathit{let}\ \mathit{login} = \mathit{assignXLogin}\ (\lambda \mathit{pwd}.\ \mathit{if}\ \mathit{pwd} == \text{"secret"}\ \mathit{then}\ \mathit{dtLoginToUser}\ \mathit{shell}\ \mathit{unit}\ \mathit{else}\ \ldots);\\
\downarrow_{\mathit{Daemon}}(N)
\end{array}$$

Thus modified, the program types correctly, but will only execute in a context that dominates the four roles $\mathit{amplify}(\mathit{User})$, $\mathit{amplify}(\mathit{UserEXE})$, $\mathit{amplify}(\mathit{Login})$, and $\mathit{amplify}(\mathit{LoginEXE})$. This ensures that domain transitions and assignments are created by authorized code.

Proposition 25 establishes that the typing system is sufficient to prevent role modification errors. The proof of Proposition 25 relies on the following lemma, which establishes the relation between typing and $\mathit{mark}$.

Lemma 24. If $\Gamma; C \sqcup A \vdash_\alpha M : T$ then $\Gamma; C \vdash_\alpha \mathit{mark}_A(M) : T$.

Proof. By induction on the derivation of the typing judgment, appealing to the definition of $\mathit{mark}$.

Proposition 25. If $\vdash_\alpha M : T$ and $A \rhd M \twoheadrightarrow N$ then $\neg(N\ \mathit{moderr})$.

Proof Sketch. That $\neg(M\ \mathit{moderr})$ follows immediately from the definition of role modification error, combined with t-mod-up′ and t-mod-up-checked. It remains only to show that typing is preserved by reduction. We prove this for the type systems of Section 3 in the next section. The proof extends easily to the type system considered here. The only wrinkle is the evaluation rule for check, which is handled using the previous lemma.

6. Proof of Type Safety Theorems

The proofs for the first and second systems are similar, both relying on well-studied techniques [23].
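Returning to the checked modifiers of Section 5 before the proofs: the example below is added here and is not taken from the paper. It implements $\mathit{mark}_A$, the modified reduction rule for $\mathit{check}$, and the $\mathit{moderr}$ predicate over a small tuple encoding of terms. Roles are simplified to sets of atomic rights (join is union, meet is intersection, dominance is inclusion), and $\mathit{amplify}(A)$ is represented as $A$ together with a tagged copy of each of its atoms, which makes it distribute over join and meet and satisfy the two absorption laws; both simplifications are assumptions of this example, as are the term encoding and the helper names `check_step`, `moderr` and `residual_moderr`.

```python
"""Added example (not from the paper): checked role modifiers, mark_A and role
modification errors (moderr) from Section 5, over a deliberately simple role model."""


def amplify(a):
    """amplify(A), the right to provide A. Modelled as A plus a tagged copy of each of its atoms
    (an assumption of this example): amplify then distributes over union and intersection and
    A | amplify(A) == amplify(A), A & amplify(A) == A, the absorption laws of the paper."""
    return frozenset(a) | frozenset(("amp", r) for r in a)


def dominates(a, b):
    """A > B with roles as sets of atomic rights (join = union, meet = intersection)."""
    return frozenset(a) >= frozenset(b)


# Term shapes (assumed encoding): ("var", x), ("lam", x, M), ("app", M, N), ("unit", M),
# ("guard", A, M), ("check", M), ("let", x, M, N), and modifiers ("up", A, D, M) / ("dn", A, D, M)
# where D is None for an unchecked modifier rho(M) and a role for a checked modifier rho^D(M).

def mark(a, t):
    """mark_A: homomorphic on every form except role modifiers, which it stamps with A
    (joined with any mark already present)."""
    k = t[0]
    if k in ("up", "dn"):
        _, b, d, m = t
        return (k, b, frozenset(a) if d is None else frozenset(a) | d, mark(a, m))
    if k in ("lam", "guard"):
        return (k, t[1], mark(a, t[2]))
    if k == "let":
        return (k, t[1], mark(a, t[2]), mark(a, t[3]))
    if k == "app":
        return (k, mark(a, t[1]), mark(a, t[2]))
    if k in ("unit", "check"):
        return (k, mark(a, t[1]))
    return t  # variables and base values carry no modifiers


class RoleError(Exception):
    """A ⊳ check {B}[M] err: the context role does not dominate the guard."""


def check_step(ctx, t):
    """The modified reduction rule: A ⊳ check {B}[M] -> [mark_B(M)] provided A > B."""
    if t[0] != "check" or t[1][0] != "guard":
        raise ValueError("check_step expects check {B}[M]")
    _, b, m = t[1]
    if not dominates(ctx, b):
        raise RoleError("context does not dominate guard")
    return ("unit", mark(b, m))


def moderr(t):
    """Role modification error, following the evaluation context exactly as the rules do:
    an upward modifier in redex position is an error unless its mark dominates amplify(A)."""
    k = t[0]
    if k == "up":
        _, a, d, m = t
        return d is None or not dominates(d, amplify(a)) or moderr(m)
    if k == "dn":
        return moderr(t[3])
    if k == "app":
        return moderr(t[1])
    if k == "let":
        return moderr(t[2])
    if k == "check":
        return moderr(t[1])
    return False


def residual_moderr(ctx, guard, a):
    """Discharge check {guard}[up_A(m)] in context ctx and report whether the residual body is a
    role modification error; "err" means the check itself failed (a role error, not a moderr)."""
    t = ("check", ("guard", frozenset(guard), ("up", frozenset(a), None, ("var", "m"))))
    try:
        return moderr(check_step(ctx, t)[1])
    except RoleError:
        return "err"


A = frozenset({"A"})

if __name__ == "__main__":
    print("unchecked up_A:", moderr(("up", A, None, ("var", "m"))))
    print("checked by amplify(A):", residual_moderr(amplify(A), amplify(A), A))
    print("checked only by A:", residual_moderr(amplify(A), A, A))
    print("context lacks amplify(A):", residual_moderr(A, amplify(A), A))
```

The four cases exercised at the bottom are the ones the section distinguishes: an unchecked $\uparrow_A$ is always an error; a $\uparrow_A$ marked by a check against $\mathit{amplify}(A)$ is justified; a $\uparrow_A$ marked only by a check against $A$ remains an error because $A \not> \mathit{amplify}(A)$; and when the context lacks $\mathit{amplify}(A)$ the check itself fails with a role error before any marking happens. Marks accumulate by join, so a modifier that passes through two checks carries both guards.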
We present proofs for the second system, which is the more challenging of the two.

Definition 26 (Compatibility). Types $T$ and $S$ are compatible (notation $T \approx S$) if $T = S$, or $T = \langle A\rangle[R]$ and $S = \langle B\rangle[R]$ for some type $R$.

The following lemmas have straightforward inductive proofs.

Lemma 27 (Compatibility). If $\vdash_\alpha T <: T'$ then $T \approx S$ iff $T' \approx S$.

Lemma 28 (Substitution). If $\Gamma \vdash_\alpha M : T$ and $\Gamma, x : T \vdash_\alpha N : S$, then $\Gamma \vdash_\alpha N\{x := M\} : S$.

Lemma 29 (Bound Weakening). If $\Gamma, x : S \vdash_\alpha M : T$ and $\vdash_\alpha S' <: S$, then $\Gamma, x : S' \vdash_\alpha M : T$.

Lemma 30 (Canonical Forms).
(1) If $\vdash_2 V : T \to S$ then $V$ has form $(\lambda x.M)$ where $x : T \vdash_2 M : S$.
(2) If $\vdash_2 V : \langle A\rangle[T]$ then $V$ has form $[M]$ where $\vdash_2 M : T$ and $A = \mathbf{0}$.
(3) If $\vdash_2 V : \{A\}[T]$ then $V$ has form $\{B\}[M]$ where $\vdash_2 M : T$ and $B > A$.

Proof. (1) By induction on the derivation of $\vdash_2 V : T \to S$. The only applicable cases are t-sub and t-abs.
(t-sub) We know $\vdash_2 V : T' \to S'$, where $\vdash_2 V : T \to S$ and $\vdash_2 T \to S <: T' \to S'$, so $\vdash_2 T' <: T$ and $\vdash_2 S <: S'$. By the IH, $V$ has form $(\lambda x.M)$ where $x : T \vdash_2 M : S$. By Lemma 29 and subsumption, $x : T' \vdash_2 M : S'$.
(t-abs) Immediate.
(2) By induction on the derivation of $\vdash_2 V : \langle A\rangle[T]$. The only applicable cases are t-sub and t-unit.
(t-sub) We know $\vdash_2 V : \langle A'\rangle[T']$, where $\vdash_2 V : \langle A\rangle[T]$ and $\vdash_2 \langle A\rangle[T] <: \langle A'\rangle[T']$, so $\vdash_2 T <: T'$ and $A > A'$. By the IH, $V$ has form $[M]$ where $\vdash_2 M : T$ and $A = \mathbf{0}$, so $A' = \mathbf{0}$. By subsumption, $\vdash_2 M : T'$.
(t-unit) Immediate.
(3) By induction on the derivation of $\vdash_2 V : \{A\}[T]$. The only applicable cases are t-sub and t-grd.
(t-sub) We know $\vdash_2 V : \{A'\}[T']$, where $\vdash_2 V : \{A\}[T]$ and $\vdash_2 \{A\}[T] <: \{A'\}[T']$, so $\vdash_2 T <: T'$ and $A > A'$. By the IH, $V$ has form $\{B\}[M]$ where $\vdash_2 M : T$ and $B > A$, so $B > A'$.
By subsumption, $\vdash_2 M : T'$.
(t-grd) Immediate. □

Proposition 31 (Preservation). If $\vdash_2 M : T$ and $A \rhd M \to N$ then there exists $S$ such that $S \approx T$ and $\vdash_2 N : S$ and, if $A \geq S$ then $A \geq T$.

Proof. By induction on the derivation of $\vdash_2 M : T$. The induction hypothesis includes the quantification over $A$, $N$. For values, the result is trivial; thus we consider only the rules for non-values.

(t-sub) We know $\vdash_2 M : T'$, where $\vdash_2 M : T$ and $\vdash_2 T <: T'$, and $A \rhd M \to N$. Applying the IH to $\vdash_2 M : T$ and $A \rhd M \to N$ yields $S$ such that $\vdash_2 N : S$ and $S \approx T$ and, if $A \geq S$ then $A \geq T$. By Lemma 10, this extends to: if $A \geq S$ then $A \geq T'$. In addition, by Lemma 27, we have $S \approx T'$.

(t-app) We know $\vdash_2 M\,N : T_2$, where $\vdash_2 M : T_1 \to T_2$ and $\vdash_2 N : T_1$, and $A \rhd M\,N \to L$. There are two subcases depending on the reduction rule used in $A \rhd M\,N \to L$.
($M$ is a value) By Lemma 30, $M = \lambda x.M'$ and $x : T_1 \vdash_2 M' : T_2$. The reduction yields $L = M'\{x := N\}$. By Lemma 28, $\vdash_2 L : T_2$. The remaining requirements on $T_2$ are immediate.
($M$ has a reduction) Therefore $A \rhd M \to M'$ and $L = M'\,N$. Applying the IH to $\vdash_2 M : T_1 \to T_2$ and $A \rhd M \to M'$ yields $S$ such that $\vdash_2 M' : S$ and $S \approx T_1 \to T_2$, which implies that $S = T_1 \to T_2$. Hence $\vdash_2 L : T_2$. The remaining requirements on $T_2$ are immediate.

(t-fix) We know $\vdash_2 \mathit{fix}\ M : T$, where $\vdash_2 M : T \to T$, and $A \rhd \mathit{fix}\ M \to L$. There are two subcases depending on the reduction rule used in $A \rhd \mathit{fix}\ M \to L$.
($M$ is a value) By Lemma 30, $M = \lambda x.M'$ and $x : T \vdash_2 M' : T$. The reduction yields $L = M'\{x := M\}$. By Lemma 28, $\vdash_2 L : T$. The remaining requirements on $T$ are immediate.
($M$ has a reduction) Therefore $A \rhd M \to M'$ and $L = \mathit{fix}\ M'$. Applying the IH to $\vdash_2 M : T \to T$ and $A \rhd M \to M'$ yields $S$ such that $\vdash_2 M' : S$ and $S \approx T \to T$, which implies that $S = T \to T$. Hence $\vdash_2 L : T$. The remaining requirements on $T$ are immediate.
( t-hk ) W e kno w ⊢ 2 check M : h A 1 i [ T ] , where ⊢ 2 M : { A 1 } [ T ] , and A ⊲ check M → L . There are t w o sub ases dep ending on the redution rule used in A ⊲ che ck M → L . ( M is a v alue) By Lemma 30, M = { A 2 }[ M ′ ℄ and ⊢ 2 M ′ : T and A 2 > A 1 . The redution yields L = [ M ′ ℄ and from the redution w e dedue A > A 2 , so A > A 1 alw a ys holds. W e assign t yp e ⊢ 2 L : h 0 0 0 i [ T ] , where h 0 0 0 i [ T ] ≈ h A 1 i [ T ] , and w e ha v e already sho wn that A > 0 0 0 implies A > A 1 . ( M has a redution) Therefore A ⊲ M → M ′ and L = check M ′ . Applying the IH to ⊢ 2 M : { A 1 } [ T ] and A ⊲ M → M ′ yields S su h that ⊢ 2 M ′ : S and S ≈ { A 1 } [ T ] , so S = { A 1 } [ T ] . Hene ⊢ 2 L : h A 1 i [ T ] . The remaining requiremen ts on h A 1 i [ T ] are immediate. ( t-bind ) W e kno w ⊢ 2 let x = M ; N : h A 1 ⊔ A 2 i [ T 2 ] , where ⊢ 2 M : h A 1 i [ T 1 ] and x : T 1 ⊢ 2 N : h A 2 i [ T 2 ] , and A ⊲ let x = M ; N → L . There are t w o sub ases dep ending on the redution rule used in A ⊲ let x = M ; N → L . ( M is a v alue) By Lemma 30, M = [ M ′ ℄ and ⊢ 2 M ′ : T 1 and A 1 = 0 0 0 , so A 1 ⊔ A 2 = A 2 . The redution yields L = N { x : = M ′ } . By Lemma 28, ⊢ 2 L : h A 2 i [ T 2 ] . The remaining requiremen ts on T 2 are immediate. ( M has a redution) Therefore A ⊲ M → M ′ and L = let x = M ′ ; N . Applying the IH to ⊢ 2 M : h A 1 i [ T 1 ] and A ⊲ M → M ′ yields S su h that ⊢ 2 M ′ : S and S ≈ h A 1 i [ T 1 ] and if A ≥ S then A ≥ h A 1 i [ T 1 ] . Hene S = h A 3 i [ T 1 ] , for some A 3 , and A > A 3 implies A > A 1 . W e dedue ⊢ 2 L : h A 3 ⊔ A 2 i [ T 2 ] , where h A 3 ⊔ A 2 i [ T 2 ] ≈ h A 1 ⊔ A 2 i [ T 2 ] . Finally , supp ose A ≥ h A 3 ⊔ A 2 i [ T 2 ] , i.e., A > A 3 ⊔ A 2 , so A > A 3 and A > A 2 . By the ab o v e, this en tails A > A 1 , so A > A 1 ⊔ A 2 . Therefore A ≥ h A 1 ⊔ A 2 i [ T 2 ] , as required. 
(t-mod-up) We know ⊢₂ ↑A₁(M) : ⟨A₂ ⊓ A₁⋆⟩[T], where ⊢₂ M : ⟨A₂⟩[T], and A ⊲ ↑A₁(M) → L. There are two subcases depending on the reduction rule used in A ⊲ ↑A₁(M) → L.
(M is a value) Therefore L = M and ⊢₂ L : ⟨A₂⟩[T], where ⟨A₂⟩[T] ≈ ⟨A₂ ⊓ A₁⋆⟩[T]. By Lemma 30, M = [M′] and ⊢₂ M′ : T and A₂ = 0, and the remaining requirement on ⟨A₂⟩[T], that A ≥ ⟨A₂⟩[T] implies A ≥ ⟨A₂ ⊓ A₁⋆⟩[T], is immediate.
(M has a reduction) Therefore ↑A₁⌊A⌋ ⊲ M → M′ and L = ↑A₁(M′). Applying the IH to ⊢₂ M : ⟨A₂⟩[T] and ↑A₁⌊A⌋ ⊲ M → M′ yields S such that ⊢₂ M′ : S and S ≈ ⟨A₂⟩[T], so S = ⟨A₃⟩[T] for some A₃, and if ↑A₁⌊A⌋ ≥ S then ↑A₁⌊A⌋ ≥ ⟨A₂⟩[T], i.e., A ⊔ A₁ > A₃ implies A ⊔ A₁ > A₂. We have ⊢₂ ↑A₁(M′) : ⟨A₃ ⊓ A₁⋆⟩[T] and ⟨A₃ ⊓ A₁⋆⟩[T] ≈ ⟨A₂ ⊓ A₁⋆⟩[T]. Finally, if A ≥ ⟨A₃ ⊓ A₁⋆⟩[T], then A > A₃ ⊓ A₁⋆, so A ⊔ A₁ > (A₃ ⊓ A₁⋆) ⊔ A₁ = (A₃ ⊔ A₁) ⊓ 1 = A₃ ⊔ A₁. Hence A ⊔ A₁ > A₃, so A ⊔ A₁ > A₂, and A ⊓ A₁⋆ = (A ⊓ A₁⋆) ⊔ 0 = (A ⊔ A₁) ⊓ A₁⋆ > A₂ ⊓ A₁⋆. Therefore A > A₂ ⊓ A₁⋆ and A ≥ ⟨A₂ ⊓ A₁⋆⟩[T], as required.

(t-mod-dn) We know ⊢₂ ↓A₁(M) : ⟨A₂⟩[T], where ⊢₂ M : ⟨A₂⟩[T], and A ⊲ ↓A₁(M) → L. There are two subcases depending on the reduction rule used in A ⊲ ↓A₁(M) → L.
(M is a value) Therefore L = M and ⊢₂ L : ⟨A₂⟩[T], and we are done.
(M has a reduction) Therefore ↓A₁⌊A⌋ ⊲ M → M′ and L = ↓A₁(M′). By A > ↓A₁⌊A⌋ and Lemma 4, we have A ⊲ M → M′. Applying the IH to ⊢₂ M : ⟨A₂⟩[T] and A ⊲ M → M′ yields S such that ⊢₂ M′ : S and S ≈ ⟨A₂⟩[T], so S = ⟨A₃⟩[T] for some A₃, and if A ≥ S then A ≥ ⟨A₂⟩[T].
Hene ⊢ 2 ↓ A 1 ( M ′ ) : h A 3 i [ T ] , whi h ompletes the sub ase. Corollary 32. If ⊢ 2 M : T and A ⊲ M ։ V , then A ≥ T . Pr o of. By indution on the length of the redution sequene A ⊲ M ։ V . F or the base ase, M = V and Lemma 30 implies that A ≥ T , b eause ev ery non-omputation t yp e is dominated b y an y role, and in a omputation t yp e T = h B i [ S ] Lemma 30 tells us that B = 0 0 0 . F or the indutiv e step, there exists N su h that A ⊲ M → N and A ⊲ N ։ V . By Prop osition 31, there exists S su h that ⊢ 2 N : S and if A ≥ S then A ≥ T . Applying the IH to ⊢ 2 N : S and A ⊲ N ։ V yields A ≥ S , hene A ≥ T as required. Prop osition 33 (Progress) . F or al l A , if ⊢ 2 M : T then either M is a value, A ⊲ M err , or ther e exists N suh that A ⊲ M → N . Pr o of. By indution on the deriv ation of ⊢ 2 M : T . W e need only onsider the ases when M is not a v alue. ( t-sub ) W e kno w ⊢ 2 M : T ′ , where ⊢ 2 M : T and ⊢ 2 T < : T ′ . Immediate b y the IH. ( t-app ) W e kno w ⊢ 2 M N : T 2 , where ⊢ 2 M : T 1  T 2 and ⊢ 2 N : T 1 . Apply the IH to ⊢ 2 M : T 1  T 2 and role A . If M is a v alue, then, b y Lemma 30, M has form ( λx . L ) , so A ⊲ M N → L { x : = N } . If A ⊲ M err , then A ⊲ M N err . Finally , if A ⊲ M → L , then A ⊲ M N → L N . ( t-fix ) W e kno w ⊢ 2 fix M : T , where ⊢ 2 M : T  T . Apply the IH to ⊢ 2 M : T  T and role A . If M is a v alue, then, b y Lemma 30, M has form ( λx . L ) , so A ⊲ fix M → L { x : = ( λx . L ) } . If A ⊲ M err , then A ⊲ fix M err . Finally , if A ⊲ M → L , then A ⊲ fix M → fix L . ( t-hk ) W e kno w ⊢ 2 check M : h A 1 i [ T ] , where ⊢ 2 M : { A 1 } [ T ] . Apply the IH to ⊢ 2 M : { A 1 } [ T ] and role A . If M is a v alue, then, b y Lemma 30, there exists B , L su h that M = { B }[ L ℄ , so either A ⊲ check M → [ L ℄ or A ⊲ che ck M err dep ending on whether A > B holds or not. If A ⊲ M err , then A ⊲ che ck M err . Finally , if A ⊲ M → L , then A ⊲ che ck M → check L . 
(t-bind) We know ⊢₂ let x = M; N : ⟨A₁ ⊔ A₂⟩[T₂], where ⊢₂ M : ⟨A₁⟩[T₁] and x : T₁ ⊢₂ N : ⟨A₂⟩[T₂]. Apply the IH to ⊢₂ M : ⟨A₁⟩[T₁] and role A. If M is a value, then, by Lemma 30, M has form [L], so A ⊲ let x = M; N → N{x := L}. If A ⊲ M err, then A ⊲ let x = M; N err. Finally, if A ⊲ M → L, then A ⊲ let x = M; N → let x = L; N.

(t-mod-up) We know ⊢₂ ↑A₁(M) : ⟨A₂ ⊓ A₁⋆⟩[T], where ⊢₂ M : ⟨A₂⟩[T]. Apply the IH to ⊢₂ M : ⟨A₂⟩[T] and role ↑A₁⌊A⌋. If M is a value, then A ⊲ ↑A₁(M) → M. If ↑A₁⌊A⌋ ⊲ M err, then A ⊲ ↑A₁(M) err. Finally, if ↑A₁⌊A⌋ ⊲ M → L, then A ⊲ ↑A₁(M) → ↑A₁(L).

(t-mod-dn) We know ⊢₂ ↓A₁(M) : ⟨A₂⟩[T], where ⊢₂ M : ⟨A₂⟩[T]. Apply the IH to ⊢₂ M : ⟨A₂⟩[T] and role ↓A₁⌊A⌋. If M is a value, then A ⊲ ↓A₁(M) → M. If ↓A₁⌊A⌋ ⊲ M err, then A ⊲ ↓A₁(M) err. Finally, if ↓A₁⌊A⌋ ⊲ M → L, then A ⊲ ↓A₁(M) → ↓A₁(L).

Theorem (12). If ⊢₂ M : T and A ≱ T, then either A ⊲ M → ω or there exists N such that A ⊲ M ↠ N and A ⊲ N err.

Proof. We use a coinductive argument to construct a reduction sequence that is either infinite or terminates with a role check failure. When ⊢₂ M : T and A ≱ T, we know that M is not a value by Lemma 30. By Proposition 33, either A ⊲ M err or there exists N such that A ⊲ M → N. In the former case, we are done. In the latter case, using Proposition 31, there exists S such that ⊢₂ N : S and if A ≥ S then A ≥ T. However, we know that A ≱ T, so A ≱ S, as required.

7. Conclusions

The focus of this paper is programmatic approaches, such as JAAS/.NET, that use RBAC.
From a software engineering approach to the design of components, RBAC facilitates a separation of concerns: the design of the system is carried out in terms of a role hierarchy with an associated assignment of permissions to roles, whereas the actual assignment of users to roles takes place at the time of deployment. We have presented two methods to aid the design and use of components that include such access control code. The first (admittedly standard) technique enables users of code to deduce the role at which code must be run. The main use of this analysis is to optimize code by enabling the removal of some dynamic checks. The second (somewhat more novel) analysis calculates the role that is verified on all execution paths. This analysis is potentially useful in validating architectural security requirements by enabling code designers to deduce the protection guarantees of their code. We have demonstrated the use of these methods by modeling Domain Type Enforcement, as used in SELinux. As future work, we will explore extensions to role polymorphism and recursive roles following the techniques of [8, 4].

Acknowledgments

The presentation of the paper has greatly improved thanks to the comments of the referees.

References

[1] M. Abadi. Access control in a core calculus of dependency. SIGPLAN Not., 41(9):263–273, 2006.
[2] M. Abadi, A. Banerjee, N. Heintze, and J. G. Riecke. A core calculus of dependency. In POPL '99, pages 147–160. ACM Press, 1999.
[3] M. Abadi, G. Morrisett, and A. Sabelfeld. Language-based security. J. Funct. Program., 15(2):129, 2005.
[4] R. M. Amadio and L. Cardelli. Subtyping recursive types. ACM TOPLAS, 15(4):575–631, 1993.
[5] S. Barker and P. J. Stuckey. Flexible access control policy specification with constraint logic programming. ACM Trans. Inf. Syst. Secur., 6(4):501–546, 2003.
[6] W. E. Boebert and R. Y. Kain. A practical alternative to hierarchical integrity policies. In CSS '85, 1985.
[7] C. Braghin, D. Gorla, and V. Sassone. A distributed calculus for role-based access control. In CSFW, pages 48–60, 2004.
[8] M. Brandt and F. Henglein. Coinductive axiomatization of recursive type equality and subtyping. Fundam. Inf., 33(4):309–338, 1998.
[9] S. Chong and A. C. Myers. Security policies for downgrading. In CCS '04, pages 198–209, 2004.
[10] A. Compagnoni, P. Garralda, and E. Gunter. Role-based access control in a mobile environment. In Symposium on Trustworthy Global Computing, 2005.
[11] D. F. Ferraiolo, D. R. Kuhn, and R. Chandramouli. Role-Based Access Control. Computer Security Series. Artech House, 2003.
[12] D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur., 4(3):224–274, 2001.
[13] J. Hoffman. Implementing RBAC on a type enforced system. In Computer Security Applications (ACSAC '97), pages 158–163, 1997.
[14] R. Jagadeesan, A. Jeffrey, C. Pitcher, and J. Riely. λ-RBAC: Programming with role-based access control. In ICALP '06, volume 4052 of Lecture Notes in Computer Science, pages 456–467. Springer, 2006.
[15] S. Jajodia, P. Samarati, M. L. Sapino, and V. S. Subrahmanian. Flexible support for multiple access control policies. ACM Trans. Database Syst., 26(2):214–260, 2001.
[16] J. Ligatti, L. Bauer, and D. Walker. Edit automata: enforcement mechanisms for run-time security policies. Int. J. Inf. Sec., 4(1-2):2–16, 2005.
[17] P. A. Loscocco and S. D. Smalley. Meeting critical security objectives with Security-Enhanced Linux. In Ottawa Linux Symposium, 2001.
[18] S. Malhotra. Microsoft .NET Framework Security. Premier Press, 2002.
[19] J. C. Mitchell. Programming language methods in computer security. In POPL '01, pages 1–26, 2001.
[20] A. C. Myers, A. Sabelfeld, and S. Zdancewic. Enforcing robust declassification. In CSFW, pages 172–186, 2004.
[21] S. Osborn, R. Sandhu, and Q. Munawer. Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Trans. Inf. Syst. Secur., 3(2):85–106, 2000.
[22] J. S. Park, R. S. Sandhu, and G.-J. Ahn. Role-based access control on the web. ACM Trans. Inf. Syst. Secur., 4(1):37–71, 2001.
[23] B. Pierce. Types and Programming Languages. MIT Press, 2002.
[24] A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE J. Selected Areas in Communications, 21(1):5–19, Jan. 2003.
[25] A. Sabelfeld and A. C. Myers. A model for delimited information release. In ISSS, pages 174–191, 2003.
[26] R. Sandhu, E. Coyne, H. Feinstein, and C. Youman. Role-based access control models. IEEE Computer, 29(2), 1996.
[27] F. B. Schneider, G. Morrisett, and R. Harper. A language-based approach to security. In Informatics 10 Years Back, 10 Years Ahead, volume 2000 of LNCS, pages 86–101, 2000.
[28] F. Siewe, A. Cau, and H. Zedan. A compositional framework for access control policies enforcement. In FMSE '03, pages 32–42, 2003.
[29] E. G. Sirer and K. Wang. An access control language for web services. In SACMAT '02, pages 23–30, 2002.
[30] S. Tse and S. Zdancewic. Translating dependency into parametricity. In ICFP, pages 115–125, 2004.
[31] K. M. Walker, D. F. Sterne, M. L. Badger, M. J. Petkac, D. L. Shermann, and K. A. Oostendorp. Confining root programs with Domain and Type Enforcement (DTE). In USENIX Security Symposium, 1996.

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
