Security and Communication in Mobile Object Systems

The problem with this is that, in general, aliasing makes it quite difficult to be sure which objects actually need to be protected. This means that if any serious degree of security is required, all non-trivial objects will have to be protected. This implies a level of inefficiency that makes a system built this way unusable, and a burden on programmers that is not acceptable. Finally, security is spread all over the application and cannot be easily verified without validating the entire code base.

```java
// Fragment: the start of the enclosing method is not on the page. The loop walks
// from the applet's own thread group up to the root group, after which find()
// recursively stops every thread it can enumerate, including those of other applets.
        while (parent != null) {
            top = parent;
            parent = parent.getParent();
        }
        find(top);
    }

    private static void find(ThreadGroup g) {
        if (g != null) {
            int numThreads = g.activeCount();
            int numGroups = g.activeGroupCount();
            Thread[] threads = new Thread[numThreads];
            ThreadGroup[] groups = new ThreadGroup[numGroups];
            g.enumerate(threads, false);
            g.enumerate(groups, false);
            for (int i = 0; i < numThreads; i++) {
                Thread t = threads[i];
                if (t != null) t.stop();
            }
            for (int i = 0; i < numGroups; i++) {
                find(groups[i]);
            }
        }
    }
```

Appropriate protection is to forbid access to objects that belong to the object graph of another applet.

Example 7: Explicit protection domains

The Telescript protection model is more elaborate than that of Java. In short, each object and method has both an owner and a sponsor. The owner is the principal to whom the object belongs, and the sponsor is the principal on whose authority the object executes. Telescript provides a way to access the owner and sponsor from outside of their environment. The secure programming style advocated in [40] boils down to the following (expressed in Java for simplicity). The class Protectee is the class that should be protected; the class Protector implements a security policy. All methods of Protectee are redefined in Protector to check the source of the call.
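The Protector/Protectee style described above, as an added example that is not code from the paper or from [40]: the sponsor (the principal on whose authority the current code runs) is modelled here by an assumed thread-local value, since Java has no built-in equivalent of Telescript's sponsor; the class names Sponsor and ProtectorDemo, the policy set and the account methods are all constructed for illustration. The last lines also show the aliasing problem raised in the text: a raw reference to the Protectee escapes the policy entirely.

```java
import java.util.Set;

// Assumed stand-in for Telescript's sponsor: the principal on whose authority
// the current thread executes. Set by the caller/runtime, read by Protector.
final class Sponsor {
    static final ThreadLocal<String> CURRENT = new ThreadLocal<>();
}

// The object that needs protecting (the page's Protectee): no checks of its own.
class Protectee {
    private int balance = 100;
    int getBalance()          { return balance; }
    void withdraw(int amount) { balance -= amount; }
}

// The page's Protector: every method of Protectee is redefined to check the
// source of the call against a policy before delegating to the real object.
class Protector extends Protectee {
    private final Protectee target;
    private final Set<String> allowed;   // the policy: sponsors permitted to call

    Protector(Protectee target, Set<String> allowed) {
        this.target = target;
        this.allowed = allowed;
    }

    private void check() {
        String sponsor = Sponsor.CURRENT.get();
        if (sponsor == null || !allowed.contains(sponsor))
            throw new SecurityException("call refused for sponsor " + sponsor);
    }

    @Override int getBalance()          { check(); return target.getBalance(); }
    @Override void withdraw(int amount) { check(); target.withdraw(amount); }
}

public class ProtectorDemo {
    public static void main(String[] args) {
        Protectee account = new Protectee();                 // constructed sample object
        Protectee guarded = new Protector(account, Set.of("bank"));

        Sponsor.CURRENT.set("bank");
        guarded.withdraw(30);                                // permitted by the policy

        Sponsor.CURRENT.set("applet");
        try { guarded.withdraw(30); }                        // refused: SecurityException
        catch (SecurityException e) { System.out.println(e.getMessage()); }

        // Aliasing defeats the wrapper: code holding the raw reference is never checked.
        account.withdraw(30);
        System.out.println(guarded.getBalance() == account.getBalance());
    }
}
```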

[1] David Maier et al., Development of an object-oriented DBMS, 1986, OOPSLA '86.

[2] Larry Carter et al., Distribution and Abstract Types in Emerald, 1987, IEEE Transactions on Software Engineering.

[3] Nicholas Carriero et al., Linda in context, 1989, CACM.

[4] Geoffrey Smith et al., A Type-Based Approach to Program Security, 1997, TAPSOFT.

[5] Geoffrey Smith et al., On the systematic design of Web languages, 1996, CSUR.

[6] Mike Hibler et al., The persistent relevance of the local operating system to global applications, 1996, EW 7.

[7] Atul Prakash et al., Building systems that flexibly control downloaded executable content, 1996.

[8] Robert S. Gray et al., Agent Tcl: A Flexible and Secure Mobile-agent System, 1996.

[9] Steven H. Low, Chrg-http: A Tool for Micropayments on the World Wide Web, 1996, USENIX Security Symposium.

[10] B. Clifford Neuman et al., Proxy-based authorization and accounting for distributed systems, 1993, Proceedings of the 13th International Conference on Distributed Computing Systems.

[11] Luca Cardelli, Mobile Computation, 1996, Mobile Object Systems.

[12] Dan S. Wallach et al., Java security: from HotJava to Netscape and beyond, 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[13] Alan Dearle et al., Octopus: A Reflective Language Mechanism for Object Manipulation, 1993, DBPL.

[14] Miguel Castro et al., Safe and efficient sharing of persistent objects in Thor, 1996, SIGMOD '96.

[15] Satoshi Matsuoka et al., Using tuple space communication in distributed object-oriented languages, 1988, OOPSLA '88.

[16] George C. Necula et al., Proof-carrying code, 1997, POPL '97.

[17] Joel H. Saltz et al., Network-aware mobile programs, 1997.

[18] Harold Ossher et al., Extending Objects to Support Multiple Interfaces and Access Control, 1990, IEEE Trans. Software Eng.

[19] Alan O. Freier et al., The SSL Protocol Version 3.0, 1996.

[20] Virgil D. Gligor et al., A Specification and Verification Method for Preventing Denial of Service, 1990, IEEE Trans. Software Eng.

[21] Theodore C. Goldstein, The Gateway Security Model in the Java Electronic Commerce Framework, 1997, Financial Cryptography.

[22] François Rouaix, A Web Navigator with Applets in Caml, 1996.

[23] Roger Riggs et al., A Distributed Object Model for the Java System, 1996, Comput. Syst.

[24] Virgil D. Gligor et al., On the Identification of Covert Storage Channels in Secure Systems, 1990, IEEE Trans. Software Eng.

[25] Jonathan S. Shapiro et al., The KeyKOS Nanokernel Architecture, 1992, USENIX Workshop on Microkernels and Other Kernel Architectures.

[26] Robbert van Renesse et al., Cryptographic support for fault-tolerant distributed computing, 1996, EW 7.

[27] Geoffrey Smith et al., A Sound Type System for Secure Flow Analysis, 1996, J. Comput. Secur.

[28] Sacha Krakowiak et al., A Selective Protection Scheme for the Java Environment, 1996.

[29] Drew Dean et al., The security of static typing with dynamic linking, 1997, CCS '97.

[30] Peter J. Denning et al., Certification of programs for secure information flow, 1977, CACM.

[31] Robert Wahbe et al., Efficient software-based fault isolation, 1994, SOSP '93.

[32] Daniel F. Sterne et al., Confining Root Programs with Domain and Type Enforcement, 1996, USENIX Security Symposium.

[33] Paolo Ciancarini et al., Jada - Coordination and Communication for Java Agents, 1996, Mobile Object Systems.

[34] Miguel Mira da Silva et al., Mobility and Persistence, 1996, Mobile Object Systems.

[35] Dennis M. Volpano et al., Provably-secure programming languages for remote evaluation, 1997, SIGP.

[36] Robbert van Renesse et al., Using Sparse Capabilities in a Distributed Operating System, 1986, ICDCS.

[37] Brian N. Bershad et al., Extensibility, safety and performance in the SPIN operating system, 1995, SOSP.

[38] Luca Cardelli et al., Migratory applications, 1995, UIST '95.

[39] Ian Goldberg et al., A Secure Environment for Untrusted Helper Applications (Confining the Wily Hacker), 1996.

[40] Florian Matthes et al., Security as an Add-On Quality in Persistent Object Systems, 1994, East/West Database Workshop.

[41] Cristina V. Lopes et al., Adaptive Parameter Passing, 1996, ISOTAS.