Abstract
Extensible systems, such as Java or the SPIN extensible operating system, allow units of code, or extensions, to be added to a running system in almost arbitrary fashion. Extensions interact closely through low-latency but type-safe interfaces to form a tightly integrated system. As extensions can come from arbitrary sources, not all of which can be trusted to conform to an organization's security policy, such structuring raises the question of how security constraints are enforced in an extensible system. In this paper, we present an access control mechanism for extensible systems to address this problem. Our access control mechanism decomposes access control into a policy-neutral enforcement manager and a security policy manager, and it is transparent to extensions in the absence of security violations. It structures the system into protection domains, enforces protection domains through access control checks, and performs auditing of system operations. The access control mechanism works by inspecting extensions for their types and operations to determine which abstractions require protection, and by redirecting procedure or method invocations to inject access control operations into the system. We describe the design of this access control mechanism, present an implementation within the SPIN extensible operating system, and provide a qualitative as well as quantitative evaluation of the mechanism.
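The architecture the abstract describes (a policy-neutral enforcement manager that inspects an extension's type for the operations it exports, redirects each invocation through an access check against a separately pluggable policy manager, and audits every decision) is sketched below as an added Python example. It is not the paper's SPIN/Modula-3 implementation. The `FileStore` extension, the `TablePolicy` permission table and the domain names `kernel` and `applet` are constructed for illustration; in the paper the policy manager could implement any policy, the table here is just the simplest one.

```python
"""Added example: policy-neutral enforcement with a pluggable policy manager.

Not the paper's code. The FileStore extension, TablePolicy and the domain
names below are constructed for illustration.
"""
from __future__ import annotations

import inspect
from dataclasses import dataclass
from typing import Any, Protocol


class AccessDenied(PermissionError):
    """Raised when the policy manager refuses an operation."""


@dataclass(frozen=True)
class AuditRecord:
    domain: str
    type_name: str
    operation: str
    allowed: bool


class PolicyManager(Protocol):
    """Security policy manager: decides, never enforces."""

    def check(self, domain: str, type_name: str, operation: str) -> bool: ...


class TablePolicy:
    """Hypothetical policy: an explicit (domain, type) -> allowed-operations table."""

    def __init__(self, table: dict[tuple[str, str], frozenset[str]]):
        self._table = table

    def check(self, domain: str, type_name: str, operation: str) -> bool:
        return operation in self._table.get((domain, type_name), frozenset())


class EnforcementManager:
    """Policy-neutral enforcer: binds an extension's view of an abstraction to a
    protection domain, interposes on its operations, asks the policy manager and
    audits the decision. Allowed calls pass through unchanged (transparent)."""

    def __init__(self, policy: PolicyManager):
        self.policy = policy
        self.audit: list[AuditRecord] = []

    @staticmethod
    def operations(extension: Any) -> list[str]:
        """Inspect the extension's type for the public operations to protect."""
        return [name for name, member in inspect.getmembers(type(extension))
                if callable(member) and not name.startswith("_")]

    def protect(self, extension: Any, domain: str) -> Any:
        """Return a proxy that redirects each operation through an access check."""
        manager = self
        type_name = type(extension).__name__
        guarded = set(self.operations(extension))

        class Guarded:
            def __getattr__(self, name: str) -> Any:
                target = getattr(extension, name)
                if name not in guarded:
                    return target  # plain data attribute: no check needed

                def checked(*args: Any, **kwargs: Any) -> Any:
                    allowed = manager.policy.check(domain, type_name, name)
                    manager.audit.append(AuditRecord(domain, type_name, name, allowed))
                    if not allowed:
                        raise AccessDenied(f"{domain} may not call {type_name}.{name}")
                    return target(*args, **kwargs)
                return checked

        return Guarded()


class FileStore:
    """Constructed sample abstraction exported by a trusted extension."""

    def __init__(self) -> None:
        self.blobs: dict[str, bytes] = {}

    def read(self, key: str) -> bytes:
        return self.blobs[key]

    def write(self, key: str, data: bytes) -> None:
        self.blobs[key] = data


def demo() -> tuple[bytes, bool, list[AuditRecord]]:
    """Two domains share one FileStore; only `kernel` may write."""
    policy = TablePolicy({
        ("kernel", "FileStore"): frozenset({"read", "write"}),
        ("applet", "FileStore"): frozenset({"read"}),
    })
    em = EnforcementManager(policy)
    store = FileStore()
    kernel_view = em.protect(store, "kernel")
    applet_view = em.protect(store, "applet")

    kernel_view.write("motd", b"hello")       # allowed, audited
    data = applet_view.read("motd")            # allowed, audited
    try:
        applet_view.write("motd", b"pwned")    # denied, audited, store untouched
        denied = False
    except AccessDenied:
        denied = True
    return data, denied, em.audit


if __name__ == "__main__":
    for record in demo()[2]:
        print(record)
```

The split matters for the abstract's "policy-neutral" claim: `EnforcementManager` knows nothing about the policy beyond the `check` call, so replacing `TablePolicy` with a lattice, type-enforcement or Chinese-Wall decision procedure needs no change to the interposition or auditing code. Note that the check runs on every invocation, which is where the paper's quantitative evaluation of overhead comes in.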
© 1999 Springer-Verlag Berlin Heidelberg
Cite this chapter
Grimm, R., Bershad, B.N. (1999). Providing Policy-Neutral and Transparent Access Control in Extensible Systems. In: Vitek, J., Jensen, C.D. (eds) Secure Internet Programming. Lecture Notes in Computer Science, vol 1603. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-48749-2_15
DOI: https://doi.org/10.1007/3-540-48749-2_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-66130-6
Online ISBN: 978-3-540-48749-4