A new approach to mobile code security

This dissertation presents a novel security architecture called security-passing style and motivates its application to the security issues that arise in mobile code systems such as Java. Security-passing style, and its predecessor, stack inspection, let the system capture the complex security relationships that occur when trusted and untrusted code run together and interact closely. Traditional security architectures can answer general questions of the form "can subject X use object Y," but they break down when a subject may be acting either on behalf of another subject or on its own behalf, and the two cases must be distinguished. Such systems generally have neither a mechanism to capture the full security context of a request nor a policy language expressive enough to decide whether the request should be allowed or denied. Mobile code systems raise exactly these issues and therefore require new security mechanisms. While a number of traditional security architectures, including capability systems and process-structured systems, can be adapted to the secure execution of mobile code, this dissertation describes an architecture that addresses these issues with an efficient implementation requiring no special hardware or language runtime support. Security-passing style has a well-defined semantics that describes how it works and allows proofs of its soundness. These semantics also let us produce an implementation with extremely low overhead (in principle, just over one instruction per method invocation), based on static analysis of the program to be run and on dynamic caching to make common cases execute faster.
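The following Python model is an added illustration by the editor, not code from the dissertation or from any Java runtime. It runs the same call traces under a stack-inspection checker (walking the call stack at every check, using JDK 1.2-style bottom-of-stack-allows semantics, which is an assumption about the variant being modelled) and under a security-passing-style checker, where the security context is computed once per call and threaded through explicitly so that the check itself collapses to a set lookup. The policy, the principals `system` and `applet`, the permission names and the call traces are all constructed for the example; the interesting cases are an untrusted applet calling a trusted file API directly, trusted code enabling a privilege on the applet's behalf, and trusted code that has enabled a privilege calling back into applet code (the confused-deputy case).

```python
"""Stack inspection and its security-passing-style (SPS) equivalent.

Editor-added model, not code from the dissertation. The policy, principals,
permission names and call traces are constructed for illustration.
"""
ALL_TARGETS = frozenset({"file.read", "net.connect"})

# Constructed policy: the permissions each principal's code may ever hold.
POLICY = {
    "system": ALL_TARGETS,   # trusted code
    "applet": frozenset(),   # untrusted code holds nothing by default
}


def stack_inspection(trace):
    """Reconstruct the security context on demand by walking the call stack.

    Assumed JDK 1.2 semantics: walk frames from most recent to oldest; a
    frame whose principal lacks the target denies, a frame that explicitly
    enabled the target allows, and running off the bottom of the stack
    allows. Returns the outcome of every 'check' operation in the trace.
    """
    stack = []      # entries: [principal, set_of_enabled_targets]
    results = []
    for op in trace:
        kind = op[0]
        if kind == "call":
            stack.append([op[1], set()])
        elif kind == "ret":
            stack.pop()
        elif kind == "enable":
            stack[-1][1].add(op[1])
        elif kind == "check":
            target = op[1]
            verdict = True                 # reached the bottom of the stack
            for principal, enabled in reversed(stack):
                if target not in POLICY[principal]:
                    verdict = False        # an untrusted frame is on the path
                    break
                if target in enabled:
                    verdict = True         # trusted frame vouches for callees
                    break
            results.append(verdict)
    return results


def sps_enter(ctx, principal):
    """Calling into code of `principal`: the callee holds at most what the
    caller's context allows intersected with what the policy grants it."""
    return ctx & POLICY[principal]


def sps_enable(ctx, principal, target):
    """enablePrivilege in SPS: add the target to the context, but only if
    the policy lets this principal hold it (an applet cannot grant itself
    rights it never had)."""
    return ctx | ({target} & POLICY[principal])


def sps_check(ctx, target):
    """The check is a set lookup; no stack walk is needed."""
    return target in ctx


def security_passing(trace):
    """Same traces, with the context computed at each call and threaded
    through explicitly. The list stands in for the extra parameter SPS adds
    to every method: pushing mimics passing the new context to the callee,
    popping mimics the caller's own context coming back into scope."""
    contexts = [(None, ALL_TARGETS)]   # (principal, ctx); empty stack allows
    results = []
    for op in trace:
        kind = op[0]
        principal, ctx = contexts[-1]
        if kind == "call":
            contexts.append((op[1], sps_enter(ctx, op[1])))
        elif kind == "ret":
            contexts.pop()
        elif kind == "enable":
            contexts[-1] = (principal, sps_enable(ctx, principal, op[1]))
        elif kind == "check":
            results.append(sps_check(ctx, op[1]))
    return results


# Constructed call traces: ("call", principal), ("enable", target),
# ("check", target), ("ret",).
SCENARIOS = {
    # untrusted applet calls the trusted file API directly: deny
    "applet_reads_file": [("call", "applet"), ("call", "system"),
                          ("check", "file.read")],
    # trusted font loader enables the privilege on the applet's behalf: allow
    "applet_loads_font": [("call", "applet"), ("call", "system"),
                          ("enable", "file.read"), ("check", "file.read")],
    # trusted code with an enabled privilege calls back into applet code,
    # which then calls the file API: deny (the confused deputy is avoided)
    "system_callback_into_applet": [("call", "system"), ("enable", "file.read"),
                                    ("call", "applet"), ("call", "system"),
                                    ("check", "file.read")],
    # applet tries to enable a privilege the policy never gave it: deny
    "applet_enables_itself": [("call", "applet"), ("enable", "file.read"),
                              ("call", "system"), ("check", "file.read")],
    # an enabled privilege dies with its frame: the second call is denied
    "privilege_does_not_outlive_frame": [("call", "applet"), ("call", "system"),
                                         ("enable", "file.read"), ("ret",),
                                         ("call", "system"),
                                         ("check", "file.read")],
    # trusted code on its own: allow
    "system_direct": [("call", "system"), ("check", "net.connect")],
}


def compare_models():
    """Run every scenario under both models; returns {name: (si, sps)}."""
    return {name: (stack_inspection(t), security_passing(t))
            for name, t in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (si, sps) in compare_models().items():
        print(f"{name:34s} stack inspection={si}  sps={sps}")
```

The two checkers agree on every trace, which is the point of the rewrite: the stack walk is only ever computing the intersection of the principals' static permissions along the call path, adjusted by enabled privileges, and that value can be carried forward as an argument instead of recomputed on each check.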
