Flexible control of downloaded executable content

We present a security architecture that enables system and application access control requirements to be enforced on applications composed from downloaded executable content. Downloaded executable content consists of messages downloaded from remote hosts that contain executables that run, upon receipt, on the downloading principal's machine. Unless restricted, this content can perform malicious actions, including accessing its downloading principal's private data and sending messages on this principal's behalf. Current security architectures for controlling downloaded executable content (e.g., JDK 1.2) enable specification of access control requirements for content based on its provider and identity. Since these access control requirements must cover every legal use of the class, they may include rights that are not necessary for a particular application of the content. Therefore, using these systems, an application composed from downloaded executable content cannot enforce its own access control requirements without the addition of application-specific security mechanisms. In this paper, we define an access control model with the following properties: (1) system administrators can define system access control requirements on applications, and (2) application developers can use the same model to enforce application access control requirements without the need for ad hoc security mechanisms. This access control model uses features of role-based access control models to enable (1) specification of a single role that applies to multiple application instances; (2) selection of a content's access rights based on the content's application and its role in that application; (3) consistency maintained between application state and content access rights; and (4) control of role administration. We detail a system architecture that uses this access control model to implement secure collaborative applications. Lastly, we describe an implementation of this architecture, called the Lava security architecture.
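The following Python is an added illustration of the distinction the abstract draws; it is not code from the paper or from the Lava implementation. It contrasts an identity-based policy (rights keyed on a class's provider and name, as in a JDK 1.2 policy file, which must therefore grant the union of every legal use) with the role-based model described above: one role definition shared by all instances of an application, rights selected by (application, role), rights withheld while a state predicate holds, and role assignment restricted to an instance's administrator. The application name "SharedEditor", the roles, the permissions, the principals and the class "DocWidget" are all constructed for the example.

```python
"""Identity-based vs. application/role-based rights for downloaded content.

Added illustration, not the paper's own code. All application, role,
permission and principal names below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Perm:
    """One access right: an operation on a named object."""
    op: str       # e.g. "read", "write", "send"
    target: str   # e.g. "doc", "mail"


# Identity-based policy (JDK 1.2 style): rights keyed on (provider, class).
# The entry must cover every legal use of the class, so it is the union of
# the rights any application might need from it.
IDENTITY_POLICY = {
    ("acme.example", "DocWidget"): {
        Perm("read", "doc"), Perm("write", "doc"), Perm("send", "mail"),
    },
}


def identity_rights(provider: str, cls: str) -> set:
    """Rights a class receives from the identity-based policy alone."""
    return set(IDENTITY_POLICY.get((provider, cls), set()))


# Role-based model: one role definition per application, shared by every
# instance of that application (hypothetical policy for the example).
ROLE_POLICY = {
    "SharedEditor": {
        "viewer":   {Perm("read", "doc")},
        "editor":   {Perm("read", "doc"), Perm("write", "doc")},
        "notifier": {Perm("send", "mail")},
    },
}

# Application-state constraints: while the predicate holds on an instance's
# state, the listed rights are withheld, keeping rights consistent with state.
STATE_CONSTRAINTS = {
    "SharedEditor": [
        (lambda st: st.get("locked", False), {Perm("write", "doc")}),
    ],
}


@dataclass
class AppInstance:
    """One running instance of an application built from downloaded content."""
    app: str
    admin: str                                      # principal who administers roles
    state: dict = field(default_factory=dict)
    assignments: dict = field(default_factory=dict)  # content id -> role name

    def assign(self, by: str, content_id: str, role: str) -> None:
        """Role administration is itself controlled: only the admin assigns."""
        if by != self.admin:
            raise PermissionError(f"{by} may not administer roles of {self.app}")
        if role not in ROLE_POLICY[self.app]:
            raise ValueError(f"unknown role {role!r} for {self.app}")
        self.assignments[content_id] = role

    def rights(self, content_id: str) -> set:
        """Rights selected by (application, role), then filtered by state."""
        role = self.assignments.get(content_id)
        if role is None:
            return set()                            # unassigned content gets nothing
        granted = set(ROLE_POLICY[self.app][role])
        for holds, withheld in STATE_CONSTRAINTS.get(self.app, []):
            if holds(self.state):
                granted -= withheld
        return granted

    def check(self, content_id: str, perm: Perm) -> bool:
        return perm in self.rights(content_id)


def demo() -> dict:
    """Two instances of SharedEditor load the same downloaded class."""
    review = AppInstance("SharedEditor", admin="alice")
    draft = AppInstance("SharedEditor", admin="bob")
    review.assign("alice", "DocWidget#1", "viewer")
    draft.assign("bob", "DocWidget#2", "editor")
    out = {
        # identity policy over-grants: write is present regardless of use
        "identity_has_write": Perm("write", "doc") in identity_rights("acme.example", "DocWidget"),
        "review_can_write": review.check("DocWidget#1", Perm("write", "doc")),
        "draft_can_write": draft.check("DocWidget#2", Perm("write", "doc")),
        "draft_can_send": draft.check("DocWidget#2", Perm("send", "mail")),
    }
    draft.state["locked"] = True                    # application state changes...
    out["draft_can_write_locked"] = draft.check("DocWidget#2", Perm("write", "doc"))
    try:                                            # ...and role administration is controlled
        draft.assign("mallory", "DocWidget#2", "notifier")
        out["mallory_assigned"] = True
    except PermissionError:
        out["mallory_assigned"] = False
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the same class holding write in one instance (editor role) and not in another (viewer role), losing write once the instance's state is locked, and an outsider failing to reassign roles; the identity-based entry, by contrast, carries write and send in every instance because it cannot know which use is intended.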
