Providing Policy-Neutral and Transparent Access Control in Extensible Systems

Extensible systems, such as Java or the SPIN extensible operating system, allow for units of code, or extensions, to be added to a running system in almost arbitrary fashion. Extensions closely interact through low-latency, but type-safe interfaces to form a tightly integrated system. As extensions can come from arbitrary sources, not all of whom can be trusted to conform to an organization's security policy, such structuring raises the question of how security constraints are enforced in an extensible system. In this paper, we present an access control mechanism for extensible systems to address this problem. Our access control mechanism decomposes access control into a policy-neutral enforcement manager and a security policy manager, and it is transparent to extensions in the absence of security violations. It structures the system into protection domains, enforces protection domains through access control checks, and performs auditing of system operations. The access control mechanism works by inspecting extensions for their types and operations to determine which abstractions require protection, and by redirecting procedure or method invocations to inject access control operations into the system. We describe the design of this access control mechanism, present an implementation within the SPIN extensible operating system, and provide a qualitative as well as quantitative evaluation of the mechanism.
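
The decomposition the abstract describes, as an added example in Python that is not the paper's code (the paper's implementation lives inside SPIN): a policy-neutral enforcement manager inspects an interface for its public operations and redirects each invocation through a check decided by a separate policy manager, auditing every decision, while the extension's own code is untouched. The names PolicyManager, EnforcementManager, FileStore and run_demo, and the "Interface.operation" policy format, are assumptions made for this example.

```python
import inspect
class AccessDenied(PermissionError): ...
class PolicyManager:
    # Security policy, kept apart from enforcement: domain -> permitted "Iface.op" names.
    def __init__(self, policy):
        self._policy = policy
    def permits(self, domain, operation):
        return operation in self._policy.get(domain, frozenset())

class EnforcementManager:
    # Policy-neutral: interposes on invocations and audits them; every allow/deny decision is the policy manager's.
    def __init__(self, policy_manager):
        self._pm = policy_manager
        self.audit_log = []  # (domain, operation, decision) records
    def bind(self, interface, domain):
        # Inspect the interface's public operations; hand the extension a proxy that redirects each call through a check.
        proxy = type("Checked" + type(interface).__name__, (), {})()
        for name, method in inspect.getmembers(interface, inspect.ismethod):
            if not name.startswith("_"):
                op = f"{type(interface).__name__}.{name}"
                setattr(proxy, name, self._redirect(method, domain, op))
        return proxy
    def _redirect(self, method, domain, op):
        def checked(*args, **kwargs):
            allowed = self._pm.permits(domain, op)
            self.audit_log.append((domain, op, "allow" if allowed else "deny"))
            if not allowed:
                raise AccessDenied(f"{domain} may not invoke {op}")
            return method(*args, **kwargs)  # allow path: extension sees the same result as a direct call
        return checked

class FileStore:  # constructed system interface that extensions bind to
    def __init__(self): self.files = {"/motd": "hello"}
    def read(self, path): return self.files[path]
    def write(self, path, data): self.files[path] = data

def run_demo():
    # Two protection domains bind to one FileStore; the policy lets only "trusted" write.
    em = EnforcementManager(PolicyManager({"trusted": {"FileStore.read", "FileStore.write"},
                                           "untrusted": {"FileStore.read"}}))
    store = FileStore()
    trusted, untrusted = em.bind(store, "trusted"), em.bind(store, "untrusted")
    trusted.write("/motd", "updated")
    seen = untrusted.read("/motd")
    try:
        untrusted.write("/motd", "tampered")
        denied = False
    except AccessDenied:
        denied = True
    return seen, denied, em.audit_log
```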
