Secure Execution of Distributed Session Programs

The development of the SJ Framework for session-based distributed programming is part of recent and ongoing research into integrating session types and practical, real-world programming languages. SJ programs featuring session types (protocols) are statically checked by the SJ compiler to verify the key property of communication safety, meaning that parties engaged in a session only communicate messages, including higher-order communications via session delegation, that are compatible with the message types expected by the recipient. This paper presents current work on security aspects of the SJ Framework. Firstly, we discuss our implementation experience from improving the SJ Runtime platform with security measures to protect and augment communication safety at runtime. We implement a transport component for secure session execution that uses a modified TLS connection with authentication based on the Secure Remote Password (SRP) protocol. The key technical point is the delicate treatment of secure session delegation to counter a previous vulnerability. We find that the modular design of the SJ Runtime, based on the notion of an Abstract Transport for session communication, supports rapid extension to utilise additional transports whilst separating this concern from the application-level session programming task. In the second part of this abstract, we formally prove the target security properties by modelling the extended SJ delegation protocols in the pi-calculus.

💡 Research Summary

The paper addresses the security shortcomings of the SJ (Session Java) framework, a Java‑based language that integrates session types to guarantee communication safety through static type checking. While SJ’s compiler ensures that two parties adhering to compatible session protocols will not encounter type mismatches at runtime, the original runtime lacked robust mechanisms for confidentiality, integrity, and especially mutual authentication during session delegation. Delegation is a higher‑order operation where an ongoing session is transferred from one participant to another (e.g., a vendor handing a purchase session to a payment handler). The authors demonstrate that the existing “Resending” and “Bounded Forwarding” delegation protocols are vulnerable to a “reconnection attack”: because the third party (the new participant) cannot verify that the reconnecting peer is the original one, an attacker can impersonate the client and intercept sensitive data such as credit‑card information.

To remediate this, the authors introduce two complementary contributions. First, they extend the SJ Runtime’s abstract transport layer with a new Transport Module that combines TLS with the Secure Remote Password (SRP) protocol. SRP provides password‑authenticated key exchange without requiring a public‑key infrastructure, allowing mutual authentication even when certificates are unavailable. The module implements SRP as a pre‑handshake phase before the standard TLS negotiation; on the server side the Java SSLServerSocket accept method is overridden to perform SRP verification, while the client initiates a modified transport negotiation that triggers the SRP exchange. This design preserves TLS’s confidentiality and integrity guarantees while adding strong peer authentication.

Second, the delegation protocols themselves are hardened. In the secure version of the Resending protocol, the delegating party (the vendor) generates a fresh, one‑time credential (CRED) and sends it to both the new participant (the payment handler) and the reconnecting client. After establishing a new TLS connection, the client forwards the credential to the handler, which validates it before accepting the delegated session. If validation fails, the session is aborted. This additional credential exchange eliminates the opportunity for an attacker to masquerade as the client during reconnection, and the use of a fresh credential per delegation prevents replay attacks.

The authors formalise the extended protocols in the π‑calculus, modeling the creation, transmission, and verification of credentials. They prove a key security property: only a peer that possesses the correct credential—i.e., the authentic client—can successfully complete the reconnection and continue the session. The proof aligns with the session‑theoretic notion of scope restriction, ensuring that a session’s logical participants remain exactly the two authenticated parties.

Implementation details reveal that existing Java TLS libraries did not support SRP, prompting a custom SRP implementation integrated with the standard TLS stack. The abstract transport interface allowed the new module to be plugged in without altering the higher‑level SJ language semantics, preserving portability across JVMs. Performance measurements indicate only modest overhead compared with the baseline SJ runtime, and the modular architecture suggests that other transport mechanisms (e.g., UDP, shared memory) could be secured similarly by attaching the SRP‑TLS layer.

In conclusion, the paper delivers a comprehensive solution that augments SJ’s static communication safety with runtime security guarantees, specifically addressing the previously unprotected delegation phase. Future work includes extending the approach to multi‑hop delegation chains, combining SRP with certificate‑based authentication for environments that require PKI, and evaluating the system in large‑scale, real‑world service deployments.