
Steps 6 and 7: Determining and Verifying All Inter-procedural Code Paths

CQUAL performs interprocedural inferencing to verify that, between an initializing function and the controlling function, there exists a security check. The controlled object variable has an unchecked qualifier when it is defined in the initializing function. When the initializing function calls other functions, passing the controlled variable as a parameter, the unchecked qualifier is propagated down the calling chain until the authorizing function is reached, at which point a new checked variable is defined and used after the security check (Step 4 in Section 2). When the authorizing function calls other functions, passing the new checked variable, the checked qualifier is again propagated along the calling chain until it reaches the controlling function. If a controlling function is reached without passing through an authorizing function, an error is raised, because the variable will have an unchecked type while the controlling function expects a checked type.
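The propagation described above, as an added illustration that is not part of the paper or of CQUAL itself: a simplified Python model of the interprocedural walk, where each function is tagged by its role and each call-graph edge records that the controlled object is passed along. The function names (open_file, lookup, permission_check, fast_read, do_read) and the call graph are constructed for the example; the model also reports the exact calling chain that bypasses the authorizing function.

```python
"""Simplified model of CQUAL-style interprocedural qualifier propagation.

Constructed example, not CQUAL: roles and call graph are hypothetical.
"""

UNCHECKED, CHECKED = "unchecked", "checked"

# Role of each function in the analysis:
#   'init'  defines the controlled object with the $unchecked qualifier
#   'auth'  performs the security check and defines a $checked copy
#   'ctrl'  requires a $checked argument (the controlling function)
#   'plain' merely forwards the object to its callees
ROLES = {
    "open_file": "init",
    "lookup": "plain",
    "permission_check": "auth",
    "fast_read": "plain",
    "do_read": "ctrl",
}

# Call graph restricted to edges that pass the controlled object along.
CALLS = {
    "open_file": ["lookup", "fast_read"],
    "lookup": ["permission_check"],
    "permission_check": ["do_read"],
    "fast_read": ["do_read"],
}


def propagate(roles, calls):
    """Walk every calling chain from each initializing function, carrying
    the qualifier along, and return the chains that reach a controlling
    function while the object is still unchecked (the type errors)."""
    errors = []

    def walk(func, qualifier, path):
        role = roles[func]
        if role == "auth":
            # a new checked variable is defined after the security check
            qualifier = CHECKED
        elif role == "ctrl" and qualifier != CHECKED:
            # controlling function expects $checked but received $unchecked
            errors.append(" -> ".join(path))
        for callee in calls.get(func, ()):
            if callee not in path:  # do not loop on recursive calls
                walk(callee, qualifier, path + [callee])

    for func, role in roles.items():
        if role == "init":
            walk(func, UNCHECKED, [func])
    return errors


if __name__ == "__main__":
    for chain in propagate(ROLES, CALLS):
        print("unchecked object reaches controlling function:", chain)
```

Running the block reports the single chain open_file -> fast_read -> do_read, the path on which no authorizing function intervenes.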

Catherine Zhang 2002-05-13