Access Control Based on Execution History

Security is a major, frequent concern in extensible software systems such as Java Virtual Machines and the Common Language Runtime. These systems aim to enable simple, classic applets and also, for example, distributed applications, Web services, and programmable networks, with appropriate security expectations. Accordingly, they feature elaborate constructs and mechanisms for associating rights with code, including a technique for determining the run-time rights of a piece of code as a function of the state of the execution stack. These mechanisms prevent many security holes, but they are inherently partial and they have proved difficult to use reliably. We motivate and describe a new model for assigning rights to code: in short, the run-time rights of a piece of code are determined by examining the attributes of any pieces of code that have run (including their origins) and any explicit requests to augment rights. This history-based model addresses security concerns while avoiding pitfalls. We analyze the model in detail; in particular, we discuss its relation to the stack-based model and to the policies and mechanisms of underlying operating systems, and we consider implementation techniques. In support of the model, we also introduce and implement high-level constructs for security, which should be incorporated in libraries or (even better) in programming languages.
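As an added illustration (not code from the paper or from any runtime it describes), the following Python toy contrasts stack inspection with the history-based model the abstract outlines: a sensitive operation requested after untrusted code has run and returned passes stack inspection but is refused by the history-based monitor unless rights are explicitly augmented. The narrowing-by-intersection rule, the `grant` construct, the right names and the scenario are assumptions made for this example.

```python
from contextlib import contextmanager
ALL = frozenset({"FileRead", "FileWrite", "Network"})   # constructed right names


class StackMonitor:
    """Stack inspection: only code still on the stack constrains rights."""
    def __init__(self, static_rights):
        self.frames = [frozenset(static_rights)]

    def run(self, unit_static, body):
        self.frames.append(frozenset(unit_static))
        try:
            return body()
        finally:
            self.frames.pop()  # once the unit returns it no longer counts

    def demand(self, right):
        return all(right in f for f in self.frames)


class HistoryMonitor:
    """History-based (assumed semantics): every unit that has run narrows rights."""
    def __init__(self, static_rights):
        self.static = frozenset(static_rights)  # rights of the running principal
        self.current = self.static              # dynamic rights so far

    def run(self, unit_static, body):
        self.current &= frozenset(unit_static)  # remembered after the unit returns
        return body()

    @contextmanager
    def grant(self, rights):
        """Explicit request to augment rights, capped by the static rights."""
        saved = self.current
        self.current = saved | (frozenset(rights) & self.static)
        try:
            yield
        finally:
            self.current = saved

    def demand(self, right):
        return right in self.current


def after_untrusted(monitor_cls, right="FileWrite", granted=None):
    """Constructed scenario: a network-only unit runs and returns, then host
    code demands `right`, optionally inside an explicit grant."""
    mon = monitor_cls(ALL)
    mon.run({"Network"}, lambda: None)
    if granted is not None:
        with mon.grant(granted):
            return mon.demand(right)
    return mon.demand(right)
```

The last case shows that a grant cannot manufacture a right the principal never had statically, so augmentation stays bounded by the origin's own attributes.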
