
Discretionary Capability Confinement

  • Philip W. L. Fong
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4189)

Abstract

Motivated by the need for application-level access control in dynamically extensible systems, this work proposes a static annotation system for modeling capabilities in a Java-like programming language. Unlike previous language-based capability systems, the proposed annotation system can provably enforce capability confinement. This confinement guarantee is leveraged to model a strong form of separation of duty known as hereditary mutual suspicion. The annotation system has been fully implemented in a standard Java Virtual Machine.

Keywords

Access Control, Object Reference, Code Unit, Access Control Model, Reference Type



Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Philip W. L. Fong, Department of Computer Science, University of Regina, Regina, Canada
