Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Discussion and Special Cases
Constraint-Based Analysis
Control Flow Analysis
Analysis Results
Explicit Annotations of Classes and Methods
Conclusion
References
All Topics
Computer Science
Information Systems

Encapsulating objects with confined types

Profile image of Jan VitekJan Vitek

2007, ACM Transactions on Programming Languages and Systems

Abstract

Object-oriented languages provide little support for encapsulating objects. Reference semantics allows objects to escape their defining scope, and the pervasive aliasing that ensues remains a major source of software defects. This paper presents Kacheck/J, a tool for inferring object encapsulation properties of large Java programs. Our goal is to develop practical tools to assist software engineers, thus we focus on simple and scalable techniques. Kacheck/J is able to infer confinement -the property that all instances of a given type are encapsulated in their defining package. This simple property can be used to identify accidental leaks of sensitive objects, as well as for compiler optimizations. We report on the analysis of a large body of code and discuss language support and refactoring for confinement.

Related papers

Ownership Confinement Ensures Representation Independence for Object-Oriented Programs
ibeneme stanley

Computing Research Repository, 2002

Representation independence or relational parametricity formally characterizes the encapsulation provided by language constructs for data abstraction and justifies reasoning by simulation. Representation independence has been shown for a variety of languages and constructs but not for shared references to mutable state; indeed it fails in general for such languages. This paper formulates representation independence for classes, in an imperative, object-oriented language with pointers, subclassing and dynamic dispatch, class oriented visibility control, recursive types and methods, and a simple form of module. An instance of a class is considered to implement an abstraction using private fields and so-called representation objects. Encapsulation of representation objects is expressed by a restriction, called confinement, on aliasing. Representation independence is proved for programs satisfying the confinement condition. A static analysis is given for confinement that accepts common designs such as the observer and factory patterns. The formalization takes into account not only the usual interface between a client and a class that provides an abstraction but also the interface (often called ``protected'') between the class and its subclasses.

View PDFchevron_right
Distinctness and Sharing Domains for Static Analysis of Java Programs
Baudouin Le Charlier

Lecture Notes in Computer Science, 2001

The application field of static analysis techniques for objectoriented programming is getting broader, ranging from compiler optimizations to security issues. This leads to the need of methodologies that support reusability not only at the code level but also at higher (semantic) levels, in order to minimize the effort of proving correctness of the analyses. Abstract interpretation may be the most appropriate approach in that respect. This paper is a contribution towards the design of a general framework for abstract interpretation of Java programs. We introduce two generic abstract domains that express type, structural, and sharing information about dynamically created objects. These generic domains can be instantiated to get specific analyses either for optimization or verification issues. The semantics of the domains are precisely defined by means of concretization functions based on mappings between concrete and abstract locations. The main abstract operations, i.e., upper bound and assignment, are discussed. An application of the domains to source-to-source program specialization is sketched to illustrate the effectiveness of the analysis.

View PDFchevron_right
Towards a model of encapsulation
R. Biddle

2003

Encapsulation is a founding principle of object-oriented programming: to this end, there have been a number of recent of proposals to increase programming languages' support for encapsulation. While many of these proposals are similar in concept, it is often difficult to describe their effects in practice, or to evaluate clearly how related proposals differ from each other. We are developing a general topological model of encapsulation for object-oriented languages, based on a program's object graph. Using this model, we can characterise a range of confinement, ownership, and alias protection schemes in terms of their underlying encapsulation function. This analysis should help programmers understand the encapsulation provided by programming languages, assist students to better compare and contrast the features of different languages, and help language designers to craft the encapsulation schemes of forthcoming programming languages.

View PDFchevron_right
JavaCOP: Declarative pluggable types for java
Daniel Marino

ACM Transactions on Programming Languages and Systems, 2010

Pluggable types enable users to enforce multiple type systems in one programming language. We have developed a suite of tools, called the JAVACOP framework, that allows developers to create pluggable type systems for Java. JAVACOP provides a simple declarative language in which program constraints are defined over a program's abstract syntax tree. The JAVACOP compiler automatically enforces these constraints on programs during compilation. The JAVACOP framework also includes a dataflow analysis API in order to support type systems which depend on flow-sensitive information. Finally, JAVACOP includes a novel test framework which helps users gain confidence in the correctness of their pluggable type systems. We demonstrate the framework by discussing a number of pluggable type systems which have been implemented in JAVACOP in order to detect errors and enforce strong invariants in programs. These type systems range from general-purpose checkers, such as a type system for nonnull references, to domain-specific ones, such as a checker for conformance to a library's usage rules.

View PDFchevron_right
Type-based confinement
Jan Vitek

Journal of Functional Programming, 2005

Confinement properties impose a structure on object graphs which can be used to enforce encapsulation properties. From a practical point of view, encapsulation is essential for building secure object-oriented systems as security requires that the interface between trusted and untrusted components of a system be clearly delineated and restricted to the smallest possible set of operations and data structures. This paper investigates the notion of package-level confinement and proposes a type system that enforces this notion for a call-by-value object calculus as well as a generic extension thereof. We give a proof of soundness of this type system, and establish links between this work and related research in language-based security.

View PDFchevron_right
Over-exposed classes in Java: An empirical study
Claudia Marcos

Computer Languages, Systems & Structures, 2016

Java access modifiers regulate interactions among software components. In particular, class modifiers specify which classes from a component are publicly exposed and therefore belong to the component public interface. Restricting the accessibility as specified by a programmer is key to ensure a proper software modularity. It has been said that failing to do so is likely to produce maintenance problems, poor system quality, and architecture decay. However, how developers uses class access modifiers or how inadequate access modifiers affect software systems has not been investigated yet in the literature. In this work, we empirically analyze the use of class access modifiers across a collection of 15 Java libraries and 15 applications, totaling over 3.6M lines of code. We have found that an average of 25% of classes are over-exposed, i.e., classes defined with an accessibility that is broader than necessary. A number of code patterns involving over-exposed classes have been formalized, characterizing programmers' habits. Furthermore, we propose an Eclipse plugin to make component public interfaces match with the programmer's intent.

View PDFchevron_right
Confined types
Boris Bokowski

ACM SIGPLAN Notices, 1999

Sharing and transfer of object references is difficult to control in object-oriented languages. Unconstrained sharing poses serious problems for writing secure components in object-oriented languages. In this paper, we present a set of inexpensive syntactic constraints that strengthen encapsulation in object-oriented programs and facilitate the implementation of secure systems. We introduce two mechanisms: confined types to impose static scoping on dynamic object references and, for technical reasons, anonymous methods which are methods that do not reveal the identity of the current instance (this). Confined types protect objects from use by untrusted code, while anonymous methods allow standard classes to be reused from confined classes. We have implemented a verifier which performs a modular analysis of Java programs and provides a static guarantee that confinement is respected. We present security related programming examples.

View PDFchevron_right
Type safe dynamic object delegation in class-based languages
Viviana Bono

Proceedings of the 6th international symposium on Principles and practice of programming in Java - PPPJ '08, 2008

Class inheritance and method overriding, as provided by standard class-based languages, are not flexible enough to represent the dynamic behavior of objects; with this respect, object composition and delegation are often advocated as a more flexible alternative to class inheritance since they act at run-time, thus permitting the behavior of objects to be specialized dynamically. In this paper we present Incomplete Featherweight Java (IFJ), an extension of Featherweight Java with incomplete objects, i.e., objects that require some missing methods which can be provided at run-time by composition with another (complete) object. The mechanism for method invocation is based on delegation and it is disciplined by static typing, therefore the language enjoys type safety (which implies no "message-not-understood" run-time errors) and avoids possible accidental overrides due to method clashes.

View PDFchevron_right
A Combined Pointer and Purity Analysis for Java Programs
Alex Salcianu

2004

We present a new method purity analysis for Java programs. A method is pure if it does not mutate any location that exists in the program state right before method invocation. Our analysis is built on top of a combined pointer and escape analysis for Java programs and is capable of determining that methods are pure even when the methods do heap mutation, provided that the mutation affects only objects created after the beginning of the method. Because our analysis extracts a precise representation of the region of the heap that each method may access, it is able to provide useful information even for methods with externally visible side effects. In particular, it can recognize read-only parameters (a parameter is read-only if the method does not mutate any objects transitively reachable from the parameter) and safe parameters (a parameter is safe if it is read-only and the method does not create any new externally visible paths in the heap to objects transitively reachable from the ...

View PDFchevron_right
Encapsulation Enforcement with Dynamic Ownership
Donald Gordon

Unrestricted aliasing is a problem endemic to object oriented programming. It allows notions of encapsulation fundamental to object oriented programming to be violated. This thesis describes ConstrainedJava, an implementation of a language that provides alias control via a much stronger encapsulation guarantees than traditional object-oriented programming languages, integrated with a constraint system. Unlike most existing aliasing control systems, this encapsulation system integrates well with untyped dynamic languages such as ConstrainedJava. This stronger form of encapsulation has been enhanced to make it easier to write practical programs while still providing useful encapsulation guarantees.

View PDFchevron_right

References (42)

  1. Jonathan Aldrich, Valentin Kostadinov, and Craig Chambers. Alias annotations for program un- derstanding. In Proceedings of the ACM Conference on Object-Oriented Programming, Systems, Languages, and Appplications (OOPSLA), pages 311-330, November 2002.
  2. Paulo Sérgio Almeida. Balloon types: Controlling sharing of state in data types. In Mehmet Aksit and Satoshi Matsuoka, editors, ECOOP'97-Object-Oriented Programming, 11th European Conference, volume 1241 of LNCS, pages 32-59, Jyväskylä, Finland, 9-13 June 1997. Springer-Verlag.
  3. Paulo Sérgio Almeida. Type-checking balloon types. Electrical Notes in Theoretical Computer Science, 20, 1999.
  4. Anindya Banerjee and David A. Naumann. Representation independence, confinement and access control. In Proceedings of POPL'02, SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 166-177, 2002.
  5. Michael Barnett, Robert DeLine, Manuel Fähndrich, K. Rustan M. Leino, and Wolfram Schulte. Verification of object-oriented programs with invariants. Journal of Object Technology, 3(6):27-56, 2004. Preliminary version in Proceedings of Fifth Workshop on Formal Techniques for Java-like Programs, 2003.
  6. Bruno Blanchet. Escape analysis for object oriented languages. application to Java. In OOPSLA'99 ACM Conference on Object-Oriented Systems, Languages and Applications, volume 34(10) of ACM SIGPLAN Notices, pages 20-34, Denver, CO, October 1999. ACM Press.
  7. Bruno Blanchet. Escape analysis for Java: Theory and practice. ACM Transactions on Programming Languages and Systems, 25(6):713-775, 2003.
  8. Jeff Bogda and Urs Hölzle. Removing unnecessary synchronization in Java. In OOPSLA'99 ACM Conference on Object-Oriented Systems, Languages and Applications, volume 34(10) of ACM SIG- PLAN Notices, pages 35-46, Denver, CO, October 1999. ACM Press.
  9. Boris Bokowski. CoffeeStrainer: Statically-checked constraints on the definition and use of types in Java. In Proceedings of ESEC/FSE'99, pages 355-374, Toulouse, France, September 1999.
  10. Boris Bokowski and Jan Vitek. Confined types. In Proceedings 14th Annual ACM SIGPLAN Confer- ence on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA'99), pages 82-96, Denver, Colorado, USA, November 1999.
  11. Chandrasekhar Boyapati, Robert Lee, and Martin Rinard. Ownership types for safe programming: Preventing data races and deadlocks. In Proceedings of the ACM Conference on Object-Oriented Programming, Systems, Languages, and Appplications (OOPSLA), pages 211-230, November 2002.
  12. Chandrasekhar Boyapati, Alexandru Salcianu, William Beebee, and Martin Rinard. Ownership types for safe region-based memory management in real-time Java. In ACM Conference on Programming Language Design and Implementation, pages 324-337, June 2003.
  13. John Boyland. Alias burying: Unique variables without destructive reads. Software-Practice and Experience, 31(6):533-553, 2001.
  14. John Boyland, James Noble, and William Retert. Capabilities for aliasing: A generalisation of uniqueness and read-only. In ECOOP'01 -Object-Oriented Programming, 15th European Confer- ence, number 2072 in Lecture Notes in Computer Science, pages 2-27, Berlin, Heidelberg, New York, 2001. Springer.
  15. Dave Clarke, Michael Richmond, and James Noble. Saving the world from bad Beans: Deployment- time confinement checking. In Proceedings of the ACM Conference on Object-Oriented Programming, Systems, Languages, and Appplications (OOPSLA), pages 374-387, Anaheim, CA, November 2003.
  16. David Clarke. Object Ownership and Containment. PhD thesis, School of Computer Science and Engineering, University of New South Wales, Sydney, Australia, 2001.
  17. David Clarke and Tobias Wrigstad. External uniqueness. In 10th Workshop on Foundations of Object-Oriented Languages (FOOL), New Orleans, LA, January 2003.
  18. David G. Clarke, John M. Potter, and James Noble. Ownership types for flexible alias protection. In OOPSLA '98 Conference Proceedings, volume 33(10) of ACM SIGPLAN Notices, pages 48-64. ACM, October 1998.
  19. Ian Clarke, Scott G. Miller, Theodore W. Hong, Oskar Sandberg, and Brandon Wiley. Protecting free expression online with freenet. IEEE Internet Computing, 6(1):40-49, 2002.
  20. Ian Clarke, Oscar Sandberg, Brandon Wiley, and Theodore W. Hong. Freenet: A Distributed Anony- mous Information Storage and Retrieval System. In Workshop on Design Issues in Anonymity and Unobservability, number 2009 in Lecture Notes in Computer Science, pages 46-66. Springer-Verlag, 2000.
  21. David Detlefs, K. Rustan M. Leino, and Greg Nelson. Wrestling with rep exposure. Technical report, Digital Equipment Corporation Systems Research Center, 1996.
  22. Alain Deutsch. Semantic models and abstract interpretation techniques for inductive data struc- tures and pointers. In Proceedings of the ACM SIGPLAN Symposium on Partial Evaluation and Semantics-Based Program Manipulation, pages 226-229, La Jolla, California, June 21-23, 1995.
  23. William F. Dowling and Jean H. Gallier. Linear-time algorithms for testing the satisfiability of propositional horn formulae. Journal of Logic Progamming, 1(3):267-84, October 1984.
  24. Martin Fowler, Kent Beck, John Brant, William Opdyke, and Don Roberts. Refactoring: Improving the Design of Existing Code. Addison-Wesley, 1999.
  25. Erich Gamma, Richard Helm, Ralph E. Johnson, and John Vlissides. Design Patterns. Addison- Wesley, 1994.
  26. Daniela Genius, Martin Trapp, and Wolf Zimmermann. An approach to improve locality using Sandwich Types. In Proceedings of the 2nd Types in Compilation workshop, volume LNCS 1473, pages 194-214, Kyoto, Japan, March 1998. Springer Verlag.
  27. Stephan Herrmann. Object Teams: Improving modularity for crosscutting collaborations. In Ob- jects, Components, Architectures, Services, and Applications for a Networked World, number 2591 in Lecture Notes in Computer Science, pages 248-264. Springer-Verlag, 2003.
  28. John Hogg. Islands: Aliasing Protection in Object-Oriented Languages. In Proceedings of the OOP- SLA '91 Conference on Object-Oriented Programming Systems, Languages and Applications, pages 271-285, November 1991. Published as ACM SIGPLAN Notices, volume 26, number 11.
  29. John Hogg, Doug Lea, Alan Wills, Dennis de Champeaux, and Richard Holt. The Geneva convention on the treatment of object aliasing. OOPS Messenger, 3(2):271-285, April 1992.
  30. Atsushi Igarashi, Benjamin C. Pierce, and Philip Wadler. Featherweight Java: a minimal core calculus for Java and GJ. ACM Transactions on Programming Languages and Systems, 23(3):396-450, May 2001.
  31. Stuart Kent and Ian Maung. Encapsulation and Aggregation. In Proceedings of TOOLS PACIFIC 95 (TOOLS 18), pages 227-238. Prentice Hall, 1995.
  32. K. Rustan M. Leino and Peter Müller. Object invariants in dynamic contexts. In Proceedings of ECOOP'04, 16th European Conference on Object-Oriented Programming, pages 491-516, 2004.
  33. Sun Microsystems. Support for extensions and applications in the version 1.2 of the Java platform. http://java.sun.com/products/jdk/1.2/docs/guide/extensions/spec.html, 2000.
  34. Peter Müller. Modular Specification and Verification of Object-Oriented Programs. PhD thesis, FernUniversität Hagen, 2001. Also as LNCS 2262, Springer-Verlag, 2002.
  35. Peter Müller and Arnd Poetzsch-Heffter. Universes: A type system for controlling representation exposure. In A. Poetzsch-Heffter and J. Meyer, editors, Programming Languages and Fundamentals of Programming. Fernuniversität Hagen, 1999.
  36. James Noble, Jan Vitek, and John Potter. Flexible alias protection. In Eric Jul, editor, ECOOP'98- Object-Oriented Programming, volume 1445 of Lecture Notes In Computer Science, pages 158-185, Berlin, Heidelberg, New York, July 1988. Springer-Verlag.
  37. Alex Potanin, James Noble, Dave Clarke, and Robert Biddle. Featherweight generic confinement. In Workshop on Foundations of Object-Oriented Languages, 2004.
  38. Christian Skalka and Scott F. Smith. Static use-based object confinement. International Journal on Information Security, 4(1-2):87-104, 2005. Preliminary version in Proceedings of Foundations of Computer Security, volume 02-12 of DIKU technical reports, pages 117-126.
  39. Jan Vitek and Boris Bokowski. Confined types in Java. Software Practice and Experience, 31(6):507- 532, 2001.
  40. Ayal Zaks, Vitaly Feldman, and Nava Aizikowitz. Sealed calls in Java packages. In OOPSLA '2000 Conference Proceedings, ACM SIGPLAN Notices, pages 83-92. ACM, October 2000.
  41. Tian Zhao, James Noble, and Jan Vitek. Scoped types for real-time Java. In Proceedings of 25th IEEE Real-Time Systems Symposium, pages 241-251, 2004.
  42. Tian Zhao, Jens Palsberg, and Jan Vitek. Type-based confinement. Journal of Functional Program- ming, 16(1):83-128, 2006. Preliminary version, entitled "Lightweight confinement for Featherweight Java", in Proceedings of OOPSLA'03, ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages and Applications, pages 135-148, Anaheim, California, October 2003.

Related papers

Confined Types in Java
Jan Vitek

2000

The sharing and transfer of references in object-oriented languages is difficult to control. Without any constraint, practical experience has shown that even carefully engineered object-oriented code can be brittle, and subtle security deficiencies can go unnoticed. In this paper, we present inexpensive syntactic constraints that strengthen encapsulation by imposing static restrictions on the spread of references. In particular, we introduce confined types to impose a static scoping discipline on dynamic references and anonymous methods to loosen confinement somewhat to allow code reuse. We have implemented a verifier which performs a modular analysis of Java programs and provides a static guarantee that confinement is respected.

View PDFchevron_right
A Survey of the Usage of Encapsulation in Object-Oriented Programming
Mats Skoglund

In object-oriented programming the concept of encapsulation is used to create abstract datatypes that should be possible to modify only through their external interface. One way to enforce this kind of encapsulation is to declare variables with different access modifiers, such as private or public. However, when using private variables in programming languages with reference semantics, such as e.g. Java, it is only the names of the variables that are protected, not the real objects pointed to by the variables. This problem is sometimes referred to as the representation exposure problem and many proposals addressing this problem have been presented.

View PDFchevron_right
Practical Use of Encapsulation in Object-Oriented Programming
Mats Skoglund

2003

Even though an OO program may have a high degree of encapsulation it is still sometimes possible to modify the inner representation of compound objects. In for example Java there is little to prevent references exported from a compound object to be used by its receivers. Thus it may be possible to change the states of inner objects of a compound object from the outside leading to invariants may be broken. This is often referred to as the representation exposure problem and many solutions to this problem have been proposed. There is, however, a lack of empirical evidence that this is actually a practical problem in the software industry.

View PDFchevron_right
Type qualifier inference for java
Jeff Foster

ACM SIGPLAN Notices, 2007

Java's type system provides programmers with strong guarantees of type and memory safety, but there are many important properties not captured by standard Java types. We describe JQual, a tool that adds user-defined type qualifiers to Java, allowing programmers to quickly and easily incorporateextra lightweight, application-specific type checking into their programs. JQual provides type qualifier inference, so that programmers need only add a few key qualifier annotations to their program, and then JQual infers any remaining qualifiers and checks their consistency. We explore two applications of JQual. First, we introduce opaque and enumqualifiers to track C pointers and enumerations that flow through Java code via the JNI. In our benchmarks we found that these C values are treated correctly, but there are some places where a client could potentially violate safety. Second,we introduce a read only qualifier for annotating references that cannot be used to modify the objects they...

View PDFchevron_right
Introducing safe unknown types in Java-like languages
Elena Zucca

Proceedings of the 2006 ACM symposium on Applied computing - SAC '06, 2006

Most mainstream object-oriented languages, like C++, Java and C#, are statically typed. In recent years, untyped languages, in particular scripting languages for the web, have gained a lot of popularity notwithstanding the fact that the advantages of static typing, such as earlier detection of errors, are widely accepted. We think that one of the main reasons for their widespread adoption is that, in many situations, the ability of ignoring types can be handy to write simpler and more readable code.

View PDFchevron_right

Related topics

  • Information Systems
  • Software Engineering
  • Compiler Optimization
    • 580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved