Providing Policy-Neutral and Transparent Access Control in Extensible Systems

  • Chapter
Secure Internet Programming

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 1603)

Abstract

Extensible systems, such as Java or the SPIN extensible operating system, allow for units of code, or extensions, to be added to a running system in almost arbitrary fashion. Extensions closely interact through low-latency, but type-safe interfaces to form a tightly integrated system. As extensions can come from arbitrary sources, not all of whom can be trusted to conform to an organization’s security policy, such structuring raises the question of how security constraints are enforced in an extensible system. In this paper, we present an access control mechanism for extensible systems to address this problem. Our access control mechanism decomposes access control into a policy-neutral enforcement manager and a security policy manager, and it is transparent to extensions in the absence of security violations. It structures the system into protection domains, enforces protection domains through access control checks, and performs auditing of system operations. The access control mechanism works by inspecting extensions for their types and operations to determine which abstractions require protection, and by redirecting procedure or method invocations to inject access control operations into the system. We describe the design of this access control mechanism, present an implementation within the SPIN extensible operating system, and provide a qualitative as well as quantitative evaluation of the mechanism.
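The decomposition the abstract describes, as an added illustration in Python rather than the paper's Modula-3 implementation inside SPIN (this is example code written for this page, not the authors' mechanism): a policy-neutral EnforcementManager inspects an extension's type, redirects the public operations of protected types through an access check, and records every checked operation in an audit log, while a separate TablePolicy supplies the decisions. Allowed calls pass straight through, so an extension only notices the mechanism when the policy denies something. The names (EnforcementManager, TablePolicy, AccessDenied, FileCache, Clock), the domain-and-type-style permission table and the sample extensions are all assumptions made for the example.

```python
import inspect
from contextlib import contextmanager


class AccessDenied(PermissionError):
    """Raised only on a policy violation; allowed calls see no difference."""


class TablePolicy:
    """Security policy manager (one assumed concrete policy): a
    domain -> type -> allowed-operations table. Swapping in another policy
    never touches EnforcementManager, which is the point of the split."""

    def __init__(self, table):
        self._table = table

    def protected_types(self):
        return {t for perms in self._table.values() for t in perms}

    def decide(self, domain, type_name, operation):
        return operation in self._table.get(domain, {}).get(type_name, set())


class EnforcementManager:
    """Policy-neutral enforcement: interposes on protected operations, asks
    the policy, records an audit tuple (domain, type, op, allowed), and
    raises only when the policy denies."""

    def __init__(self, policy):
        self._policy = policy
        self.audit = []
        self._domain = "kernel"  # protection domain of the current caller

    @contextmanager
    def as_domain(self, domain):
        previous, self._domain = self._domain, domain
        try:
            yield
        finally:
            self._domain = previous

    def install(self, extension):
        """Inspect the extension's type; redirect public methods of protected
        types through an access check. Unprotected extensions come back
        untouched, so the mechanism is invisible to them."""
        type_name = type(extension).__name__
        if type_name not in self._policy.protected_types():
            return extension
        for name, fn in inspect.getmembers(type(extension), inspect.isfunction):
            if not name.startswith("_"):
                # The instance attribute shadows the class method, so every
                # call on this object now enters the guard first.
                setattr(extension, name, self._guard(extension, type_name, name, fn))
        return extension

    def _guard(self, obj, type_name, operation, fn):
        def checked(*args, **kwargs):
            allowed = self._policy.decide(self._domain, type_name, operation)
            self.audit.append((self._domain, type_name, operation, allowed))
            if not allowed:
                raise AccessDenied(f"{self._domain} may not {operation} {type_name}")
            return fn(obj, *args, **kwargs)  # allowed: plain pass-through
        return checked


class FileCache:  # constructed extension that the policy protects
    def __init__(self):
        self._data = {}

    def read(self, path):
        return self._data.get(path, b"")

    def write(self, path, data):
        self._data[path] = data


class Clock:  # constructed extension that the policy leaves alone
    def now(self):
        return 42


def demo():
    policy = TablePolicy({"kernel": {"FileCache": {"read", "write"}},
                          "user": {"FileCache": {"read"}}})
    em = EnforcementManager(policy)
    cache, clock = em.install(FileCache()), em.install(Clock())
    with em.as_domain("kernel"):
        cache.write("/etc/passwd", b"root:x:0:0")
    with em.as_domain("user"):
        seen = cache.read("/etc/passwd")
        try:
            cache.write("/etc/passwd", b"pwned")
            denied = False
        except AccessDenied:
            denied = True
        tick = clock.now()
    with em.as_domain("kernel"):
        after = cache.read("/etc/passwd")
    return {"read_as_user": seen, "write_denied": denied, "tick": tick,
            "unchanged_after_denial": after,
            "clock_untouched": "now" not in vars(clock), "audit": em.audit}
```

Two properties of the abstract's design show up directly: the enforcement manager never interprets the policy (replace TablePolicy with any object offering protected_types and decide), and the Clock instance is handed back without a single wrapper, so unprotected abstractions pay nothing and cannot tell the mechanism is present. The denied write leaves the cache unchanged and is still audited, which is the behaviour a security operations team wants to see in the log.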

Copyright information

© 1999 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Grimm, R., Bershad, B.N. (1999). Providing Policy-Neutral and Transparent Access Control in Extensible Systems. In: Vitek, J., Jensen, C.D. (eds) Secure Internet Programming. Lecture Notes in Computer Science, vol 1603. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-48749-2_15

  • DOI: https://doi.org/10.1007/3-540-48749-2_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-66130-6

  • Online ISBN: 978-3-540-48749-4
