Providing Policy-Neutral and Transparent Access Control in Extensible Systems

  • Robert Grimm
  • Brian N. Bershad
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1603)

Abstract

Extensible systems, such as Java or the SPIN extensible operating system, allow units of code, or extensions, to be added to a running system in almost arbitrary fashion. Extensions closely interact through low-latency but type-safe interfaces to form a tightly integrated system. As extensions can come from arbitrary sources, not all of which can be trusted to conform to an organization’s security policy, such structuring raises the question of how security constraints are enforced in an extensible system. In this paper, we present an access control mechanism for extensible systems to address this problem. Our access control mechanism decomposes access control into a policy-neutral enforcement manager and a security policy manager, and it is transparent to extensions in the absence of security violations. It structures the system into protection domains, enforces protection domains through access control checks, and performs auditing of system operations. The access control mechanism works by inspecting extensions for their types and operations to determine which abstractions require protection, and by redirecting procedure or method invocations to inject access control operations into the system. We describe the design of this access control mechanism, present an implementation within the SPIN extensible operating system, and provide a qualitative as well as quantitative evaluation of the mechanism.
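The decomposition the abstract describes can be illustrated in a few dozen lines. The following is an added example written for this page; it is not the paper's SPIN implementation, and the names (Mailbox, PolicyManager, EnforcementManager, AccessDenied) and the sample policy are constructed. An enforcement manager inspects an extension type for its public operations, redirects each one through an access check, records an audit entry per invocation, and delegates every allow/deny decision to a separate policy manager that it never second-guesses; callers the policy permits see the extension's unmodified behaviour, which is the transparency property.

```python
# Added illustration of the abstract's decomposition; not the paper's SPIN code.
# Mailbox, PolicyManager, EnforcementManager and the policy below are constructed.
from __future__ import annotations

import functools
import inspect
from contextlib import contextmanager
from dataclasses import dataclass, field


class AccessDenied(PermissionError):
    """Raised by the enforcement manager when the policy denies an operation."""


# --- Extension code: written with no knowledge of access control -----------
class Mailbox:
    """A constructed extension type whose operations are to be protected."""

    def __init__(self) -> None:
        self._messages: list[str] = []

    def read(self) -> list[str]:
        return list(self._messages)

    def write(self, msg: str) -> int:
        self._messages.append(msg)
        return len(self._messages)

    def purge(self) -> None:
        self._messages.clear()


# --- Security policy manager: the only component that knows the policy -----
@dataclass
class PolicyManager:
    # (protection domain, type name, operation) -> allowed.
    # Unlisted triples are denied, so the enforcement manager never guesses.
    rules: dict[tuple[str, str, str], bool]

    def check(self, domain: str, type_name: str, op: str) -> bool:
        return self.rules.get((domain, type_name, op), False)


# --- Enforcement manager: policy-neutral; inspects, redirects, audits ------
@dataclass
class EnforcementManager:
    policy: PolicyManager
    audit_log: list[str] = field(default_factory=list)
    protected: dict[str, list[str]] = field(default_factory=dict)
    _current: str = "nobody"  # protection domain of the running caller

    @contextmanager
    def domain(self, name: str):
        """Run the enclosed calls on behalf of protection domain `name`."""
        previous, self._current = self._current, name
        try:
            yield
        finally:
            self._current = previous

    def inspect_extension(self, cls: type) -> list[str]:
        """Discover the operations an extension type exports (public methods)."""
        ops = [name for name, _ in inspect.getmembers(cls, inspect.isfunction)
               if not name.startswith("_")]
        self.protected[cls.__name__] = ops
        return ops

    def protect(self, cls: type) -> type:
        """Return a drop-in subtype whose operations pass through an access check;
        the extension's own methods are left untouched."""
        namespace = {op: self._guard(cls.__name__, op, getattr(cls, op))
                     for op in self.inspect_extension(cls)}
        return type(cls.__name__, (cls,), namespace)

    def _guard(self, type_name: str, op: str, original):
        @functools.wraps(original)
        def wrapper(obj, *args, **kwargs):
            domain = self._current
            allowed = self.policy.check(domain, type_name, op)
            self.audit_log.append(
                f"{domain} {type_name}.{op} {'ALLOW' if allowed else 'DENY'}")
            if not allowed:
                raise AccessDenied(f"domain {domain!r} may not {op} {type_name}")
            return original(obj, *args, **kwargs)
        return wrapper


def demo() -> dict:
    """Two domains share one mailbox; only 'admin' may purge it."""
    policy = PolicyManager(rules={
        ("user", "Mailbox", "read"): True,
        ("user", "Mailbox", "write"): True,
        ("admin", "Mailbox", "read"): True,
        ("admin", "Mailbox", "purge"): True,
    })
    em = EnforcementManager(policy)
    box = em.protect(Mailbox)()

    with em.domain("user"):
        box.write("hello")
        box.write("world")
        seen = box.read()
        try:
            box.purge()
            user_purge_denied = False
        except AccessDenied:
            user_purge_denied = True
    with em.domain("admin"):
        box.purge()
        after_purge = box.read()
    return {"seen": seen, "user_purge_denied": user_purge_denied,
            "after_purge": after_purge, "audit": list(em.audit_log)}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

Two design points carry over from the paper's setting: the enforcement manager defaults to denying any (domain, type, operation) triple the policy manager has not explicitly allowed, and swapping in a different policy (lattice-based, domain-and-type, or capability-like) requires changing only PolicyManager, never the interposition code or the extension.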




Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Robert Grimm (1)
  • Brian N. Bershad (2)
  1. Department of Computer Science and Engineering, University of Washington, Seattle, USA
  2. Department of Computer Science and Engineering, University of Washington, Seattle, USA
