SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 10

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version 11

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: added some unprocessed text to Capabilites section

...

Capabilities

Wiki Markup
A capability (known in some systems as a key) is a communicable, unforgeable token of authority. It refers to a value that references an object along with an associated set of access rights. A user program on a capability-based operating system must use a capability to access an object \[Wikipedia 2011\].

Wiki Markup
The term capability was introduced by Dennis and Van Horn \[Dennis 1966\]. The basic idea is that for a program to access an object it must have a special token. This token designates an object and gives the program the authority to perform a specific set of actions (such as reading or writing) on that object. Such a token is known as a capability.

Wiki Markup
In an object-capability language, all program state is contained in objects that cannot be read or written without a reference, which serves as an unforgeable capability. All external resources are also represented as objects. Objects encapsulate their internal state, providing reference holders access only through prescribed interfaces \[Mettler 2010\].

Some rules that involve capabilities include:

...

Content by Label
showLabelsfalse
maxResults99
label+capability,-void
showSpacefalse
sorttitle
space@self
cqllabel = "capability" and label != "void" and space = currentSpace()

Leaking Sensitive Data

A system's security policy determines which information is sensitive. Sensitive data may include user information such as social security or credit card numbers, passwords, or private keys.

...

Wiki Markup
\[Dennis 1966\] Jack B. Dennis and Earl C. Van Horn. 1966. Programming semantics for multiprogrammed computations. Commun. ACM 9, 3 (March 1966), 143-155. DOI=10.1145/365230.365252 [http://doi.acm.org/10.1145/365230.365252]

Mettler Adrian Mettler, David Wagner, Tyler Close. Joe-E: A Security-Oriented Subset of Java

Wiki Markup
\[Mettler 2010\] Adrian Mettler and David Wagner. 2010. Class properties for security review in an object-capability subset of Java: (short paper). In Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS '10). ACM, New York, NY, USA, , Article 7 , 7 pages. DOI=10.1145/1814217.1814224 http://doi.acm.org/10.1145/1814217.1814224

Wiki Markup
\[Heffley 2004\] Heffley, J. & Meunier, P. “Can Source Code Auditing Software Identify Common Vulnerabilities and Be Used to Evaluate Software Security?” Proceedings of the 37th Annual Hawaii International Conference on System Sciences (HICSS’04) - Track 9 - Volume 9. Island of Hawaii, January 2004. IEEE Computer Society, 2004.