Abstract
Most current object-based distributed systems support access control lists for access control. However, it is difficult to determine which principal information to use for authentication of method calls. Domain-based and thread-based principals suffer from the problem of privileges being leaked. Malicious objects can trick privileged objects or threads into accidentally using their privileges (the UNIX s-bit problem). We introduce role-based principals to solve this problem. Each object reference may be associated with a role, which determines trust, authentication and permissible data flow via the reference. An object may act in different roles when interacting with different parties. Exchanged references automatically inherit the role. By initially defining such roles, we can establish a security policy on a very high abstraction level. Our security model is based on meta objects: principal meta objects provide principal information for method invocation, and access control meta objects implement access checks.
This work is supported by the Deutsche Forschungsgemeinschaft DFG Grant Sonderforschungsbereich SFB 182, Project B2.
Copyright information
© 1998 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Riechmann, T., Kleinöder, J. (1998). Meta objects for access control: Role-based principals. In: Boyd, C., Dawson, E. (eds) Information Security and Privacy. ACISP 1998. Lecture Notes in Computer Science, vol 1438. Springer, Berlin, Heidelberg. https://doi.org/10.1007/BFb0053742
DOI: https://doi.org/10.1007/BFb0053742
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-64732-4
Online ISBN: 978-3-540-69101-3
eBook Packages: Springer Book Archive