
Abstract

The Java security package allows a programmer to add security features to Java applications. Although the package provides a complex application programming interface (API), its informal description, e.g., Javadoc comments, is often ambiguous or imprecise. Nonetheless, the security of an application can be compromised if the package is used without a concrete understanding of the precise behavior of the API classes and interfaces, which can be attained via formal specification. In this paper, we present our experiences in formally specifying the Java security package in JML, a formal behavioral interface specification language for Java. We illustrate portions of our JML specifications and discuss the lessons that we learned from this specification effort about specification patterns and the effectiveness of JML. Our specifications are not only a precise document for the API but also provide a foundation for formally reasoning about and verifying the security aspects of applications. We believe that our specification techniques and patterns can be used to specify other Java packages and frameworks.




Copyright information

© 2007 Springer

About this paper

Cite this paper

Agarwal, P., Rubio-Medrano, C.E., Cheon, Y., Teller, P.J. (2007). A Formal Specification in JML of Java Security Package. In: Elleithy, K. (eds) Advances and Innovations in Systems, Computing Sciences and Software Engineering. Springer, Dordrecht. https://doi.org/10.1007/978-1-4020-6264-3_63


  • DOI: https://doi.org/10.1007/978-1-4020-6264-3_63

  • Publisher Name: Springer, Dordrecht

  • Print ISBN: 978-1-4020-6263-6

  • Online ISBN: 978-1-4020-6264-3

  • eBook Packages: Engineering, Engineering (R0)
