External pointers to “Luring attack”:
SetScopePermission;
What is a luring attack?
External pointers to “Stack introspection”:
Extensible Security Architectures for Java,
The Evolution of Java Security
We define a “luring attack” as an attack in which trusted code (code holding power or information) is unwittingly directed, through deception or confusion induced by the attacker, to call into a code fragment the attacker controls. The danger in this scenario seems to stem from the implicit assumption that the called routine acquires the authority of its caller. Authority that resides in the values of variables and parameters does not flow to the subroutine. However, the ambient authority controlled by the stack introspection described in Extensible Security Architectures for Java does indeed default to exactly such acquisition: a privilege enabled in a caller's frame is found by the stack walk made on behalf of the callee.
When authority instead follows Algol 60's scoping rules there is no luring attack. The subroutine has no access to the local variables of its caller. Its authority is just the collection of values (object references) that its own code can name, and that collection does not generally include the caller's. The caller's local variables can hold procedure values that are inaccessible to the subroutine.
These properties of Algol 60 hold for most block-structured languages that use lexical scoping, and they hold for Java as well. While it may feel unconventional for authority over “system things” to be governed by language scope rules, those rules are already familiar to anyone who has written substantial code in a block-structured language. It is not an alien paradigm! More parameters are passed, but fewer calls are made to routines such as enablePrivilege, disablePrivilege and checkPrivilege. Only experience can show that authority passed this way can be used to build efficient systems; Keykos is such a system.
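The two models above, as an added example written for this page (not code from the cited papers, Keykos, or any Java runtime). The first half is a deliberately simplified stand-in for enablePrivilege/checkPrivilege: a frame "enables" a privilege by binding a local named __privileges__, and the check walks every caller frame with Python's inspect module looking for it. The second half makes the authority a plain object reference (ReadCapability) that a callee can only obtain as a parameter. The names SECRET, ReadCapability, trusted_code_ambient, trusted_code_capability and the plugin functions are all constructed for the illustration.

```python
import inspect

SECRET = "secret contents"  # constructed sample data, not from the page


# --- Model 1: ambient authority found by stack introspection -------------------
# Simplified model of the stack-introspection default, not the cited paper's code.
# Binding a local named __privileges__ stands in for enablePrivilege; walking the
# stack for that binding stands in for checkPrivilege.

def check_privilege(name):
    frame = inspect.currentframe().f_back
    while frame is not None:
        if name in frame.f_locals.get("__privileges__", ()):
            return True
        frame = frame.f_back
    return False


def read_secret_ambient():
    """Guarded operation: succeeds if any frame on the stack enabled 'read'."""
    if not check_privilege("read"):
        raise PermissionError("no frame on the stack has enabled 'read'")
    return SECRET


def trusted_code_ambient(plugin):
    __privileges__ = {"read"}  # enablePrivilege("read"); bound for this frame
    # The trusted code is deceived into calling attacker-supplied code while
    # still privileged.
    return plugin()


def attacker_plugin_ambient():
    # The attacker never enabled anything, but the stack walk finds the trusted
    # caller's frame and the guarded read succeeds: the luring attack.
    return read_secret_ambient()


def luring_attack_ambient():
    return trusted_code_ambient(attacker_plugin_ambient)


# --- Model 2: authority is a value reachable only through lexical scope --------
# The power to read is an object reference. A callee holds it only if the caller
# passes it; the caller's locals are not in the callee's scope.

class ReadCapability:
    def __init__(self, contents):
        self._contents = contents

    def read(self):
        return self._contents


def trusted_code_capability(plugin, read_cap):
    reader = read_cap.read  # a procedure value held in a local; plugin cannot name it
    # Same deception as above, but the call passes no authority.
    return plugin()


def attacker_plugin_capability():
    # Nothing to find: there is no ambient 'read' privilege on the stack, and no
    # name in this scope is bound to a ReadCapability. The attacker has only
    # what it was given, which is nothing.
    return {"stack_privilege": check_privilege("read"), "capability": None}


def luring_attack_capability():
    return trusted_code_capability(attacker_plugin_capability, ReadCapability(SECRET))


def cooperating_plugin(read_cap):
    return read_cap.read()


def explicit_delegation():
    # Authority moves only by being passed: one more parameter, and no calls to
    # enable, disable or check anything.
    cap = ReadCapability(SECRET)
    return cooperating_plugin(cap)


if __name__ == "__main__":
    print("ambient model, lured:", luring_attack_ambient())
    print("capability model, lured:", luring_attack_capability())
    print("capability model, delegated:", explicit_delegation())
```

One caveat a practitioner should keep in mind: the inspect module used to build the first model is itself a stack-introspection facility, so in real Python a malicious plugin in the second model could still reach its caller's f_locals and steal read_cap. The lexical-scope discipline holds only in a language, or a runtime configuration, that denies untrusted code access to callers' frames; that is the property Algol 60's rules give and that the page relies on.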