CACL: efficient fine-grained protection for objects

CACL is a protection scheme for objects that offers a simple and flexible model of protection and has an efficient, software-only implementation. The model, based on Access Control Lists (ACLs) integrated with the type system, allows owners to control who may invoke which methods on which objects, permits cooperation between mutually suspicious principals, allows ownership of objects to be transferred safely, prevents unwanted propagation of authority between principals, and allows changes to the authorization information to take effect on the next method invocation. The implementation, based on the integration of Capabilities with method dispatch, avoids the overhead of access checking in the majority of invocations, at the cost of space for extra dispatch vectors. CACL offers a viable mechanism for finegrained protection in an object-oriented database system.

[1]  Robbert van Renesse,et al.  Amoeba A Distributed Operating System for the 1990 s Sape , 1990 .

[2]  Elisa Bertino,et al.  A model of authorization for next-generation database systems , 1991, TODS.

[3]  James W. Stamos,et al.  The melampus project: toward an omniscient computing system , 1990 .

[4]  James W. Stamos,et al.  A design for fine-grained access control in Melampus , 1991, Proceedings 1991 International Workshop on Object Orientation in Operating Systems.

[5]  Joel E. Richardson,et al.  MDM: An Object-Oriented Data Model , 1991, DBPL.

[6]  Andrew S. Tanenbaum,et al.  The Design of a Capability-Based Distributed Operating System , 1986, Comput. J..

[7]  Jerome H. Saltzer,et al.  Protection and the control of information sharing in multics , 1974, CACM.

[8]  Li Gong,et al.  A secure identity-based capability system , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[9]  David Maier,et al.  The GemStone Data Management System , 1989, Object-Oriented Concepts, Databases, and Applications.

[10]  Bhavani M. Thuraisingham,et al.  Mandatory security in object-oriented database systems , 1989, OOPSLA '89.