Extensible security architectures for Java

Mobile code technologies such as Java, JavaScript, and ActiveX generally limit all programs to a single restrictive security policy. However, software-based protection can allow for more extensible security models, with potentially significant performance improvements over traditional hardware-based solutions. An extensible security system should be able to protect subsystems and implement policies that are created after the initial system is shipped. We describe and analyze three implementation strategies for interposing such security policies in software-based security systems. Implementations exist for all three strategies: several vendors have adapted capabilities to Java, Netscape and Microsoft have extensions to Java's stack introspection, and we built a name space management system as an add-on to Microsoft Internet Explorer. Theoretically, all these systems are equivalently secure, but many practical issues and implementation details favor some aspects of each system.
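The stack introspection strategy mentioned above, as an added illustration that is not code from the paper or from the Netscape or Microsoft implementations it discusses: a protected operation walks the current call stack and refuses the privilege if any frame belongs to untrusted code. The trust classification (system packages plus this demo's own classes) is a constructed assumption, and the walk is simplified relative to the real systems.

```java
import java.util.Set;

public class StackIntrospection {
    // Constructed trust classification: JDK classes and this demo's trusted
    // library count as trusted; every other class is treated as untrusted code.
    private static final Set<String> TRUSTED_CLASSES = Set.of(
        StackIntrospection.class.getName(),
        TrustedLib.class.getName());

    static boolean isTrusted(String className) {
        return className.startsWith("java.") || className.startsWith("jdk.")
            || TRUSTED_CLASSES.contains(className);
    }

    // The interposition point: inspect every frame on the current call stack
    // and deny the privilege if any caller is untrusted.
    static void checkPrivilege(String privilege) {
        for (StackTraceElement frame : Thread.currentThread().getStackTrace()) {
            if (!isTrusted(frame.getClassName())) {
                throw new SecurityException(privilege + " denied: untrusted caller "
                    + frame.getClassName());
            }
        }
    }

    // A protected subsystem that guards its sensitive operation with the check.
    static class TrustedLib {
        static String readSecret() {
            checkPrivilege("ReadSecret");
            return "secret-value"; // constructed placeholder
        }
    }

    // Stands in for downloaded code; its class is not in the trusted set, so
    // its frame on the stack causes the check inside readSecret() to fail.
    static class UntrustedApplet {
        static String attempt() {
            try {
                return TrustedLib.readSecret();
            } catch (SecurityException e) {
                return "denied";
            }
        }
    }

    public static void main(String[] args) {
        System.out.println(TrustedLib.readSecret());   // only trusted frames: allowed
        System.out.println(UntrustedApplet.attempt()); // untrusted frame present: denied
    }
}
```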
