ACM SIGPLAN Workshop on
Programming Languages and Analysis for Security

Ottawa, Canada, June 10, 2006

Sponsored by ACM SIGPLAN and Supported by IBM

Co-located with PLDI'06.

Important Information

  • Early Registration: Wednesday, May 17, 2006
  • Student registration waiver: Student participants may be elligible to have their registration fee waived. Please contact the organizers for details.

Preliminary Program

  8:30 -   9:00 Registration
  9:00 - 10:00 Invited Talk: Object Capabilities for Security
David Wagner University of California, Berkeley
10:00 - 11:00 Session I: Authorization and Monitoring

Applying Flow-Sensitive CQUAL to Verify MINIX Authorization Check Placement
Timothy Fraser, Nick L. Petroni Jr., William A. Arbaugh

Certified In-lined Reference Monitoring on .NET
Kevin W. Hamlen, Greg Morrisett, Fred B. Schneider

11:00 - 11:30 Break
11:30 - 12:30 Session II: Finding Security Flaws

Combining Type-Based Analysis and Model Checking for Finding Counterexamples against Non-Interference
Hiroshi Unno, Naoki Kobayashi, Akinori Yonezawa

Precise Alias Analysis for Static Detection of Web Application Vulnerabilities
Nenad Jovanovic, Christopher Kruegel, Engin Kirda

12:30 -   1:30 Lunch
  1:30 -   3:00 Session III: Structuring Secure Systems

Specifying Distributed Trust Management in LolliMon
Jeff Polakow, Christian Skalka

A Microkernel Virtual Machine: Building Security with Clear Interfaces
Xiaoqi Lu, Scott F. Smith

Empirical Relation between Coupling and Attackability in Software Systems: A Case Study on DOS
Michael Yanguo Liu, Issa Traore

  3:00 -   3:30 Break
  3:30 -   5:00 Session IV: Secure Information Flow

Trusted Declassification
Boniface Hicks, Dave King, Patrick McDaniel, Michael Hicks

Refactoring Programs to Secure Information Flows
Scott F. Smith, Mark Thober

Efficient Type Inference for Secure Information Flow
Katia Hristova, Tom Rothamel, Yanhong A. Liu, Scott D. Stoller

  5:00 -   5:15 Break
  5:15 -   6:00 Madness Session

Call For Papers

The goal of PLAS 2006 is to provide a forum for researchers and practitioners to exchange ideas and to seed new collaborations on the use of programming language and program analysis techniques to improve the security of software systems.

The scope of PLAS includes, but is not limited to:

  • Language-based technqiues for security
  • Program analysis and verification (including type systems and model checking) for security properties
  • Compiler-based and program rewriting security enforcement mechanisms
  • Security policies for information flow and access control
  • High-level specification languages for security properties
  • Model-driven approaches to security
  • Applications, examples, and implementations of these security techniques


Submission Guidelines

We invite papers of two kinds: (1) Technical papers for "long" presentations during the workshop, and (2) papers for "short" presentations (10 minutes). Papers submitted for the long format should contain relatively mature content; short format papers can present more preliminary work, position statements, or work that is more exploratory in nature.

The deadline for submissions of technical papers (for both the short and long presentations) is March 03, 2006. Papers must be formatted according the ACM proceedings format: "long" submissions should not exceed 10 pages in this format; "short" submissions should not exceed 4 pages. These page limits include everything (i.e., they are the total length of the paper). Papers submitted for the "long" category may be accepted as short presentations at the program committee's discretion.

Email the submissions to stevez AT Submissions should be in PDF (preferably) or Postscript that is interpretable by Ghostscript and printable on US Letter and A4 sized paper. Templates for SIGPLAN-approved LaTeX format can be found at We recommend using this format, which improves greatly on the ACM LaTeX format.

Publication Options

Authors of accepted papers may choose whether they would like their work published in a planned special issue of SIGPLAN Notices. Those papers that are not published in SIGPLAN Notices will only be considered part of the informal workshop proceedings and are therefor suitable for future publication in journal or other conference venues.

Submitted papers must describe work unpublished in refereed venues, and not submitted for publication elsewhere (including journals and formal proceedings of conferences and workshops). See the SIGPLAN republication policy for more details

Conference Organization

Program Chairs

Program Committee

Object Capabilities for Security
David Wagner, University of California, Berkeley

Existing systems often do a poor job of meeting the principle of least privilege. I will discuss how object capability systems and language-based methods can help address this shortcoming. In language-based object capability systems, an object reference is treated as a capability; unforgeability of references ensures unforgeability of capabilities; and all privileges are expressed as capabilities in this way. This makes it possible to decompose the system into distrusting "privilege-separated" components, providing each component with the least privilege it needs to do its job; to reason about the privileges and powers available to various program elements, often in a local (modular) way; and to avoid common pitfalls, such as confused deputy and TOCTTOU vulnerabilities. I will attempt to introduce the audience to some work in this area that is perhaps not so widely known, and I will describe some work in progress to construct a subset of Java, called Joe-E, that is intended to enable capability-style programming using a programming syntax that is familiar to Java programmers.

Sponsored by 
ACM Logo
Association for 
Computing Machinery (ACM)
Sponsored by


ACM Special Interest Group on
Programming Languages (SIGPLAN)