Authorizing applications in Singularity

We describe a new design for authorization in operating systems in which applications are first-class entities. In this design, principals reflect application identities. Access control lists are patterns that recognize principals. We present a security model that embodies this design in an experimental operating system, and we describe the implementation of our design and its performance in the context of this operating system.
