TIARA: Trust Management, Intrusion-tolerance, Accountability, and Reconstitution Architecture

Contents

1 Design Overview
2 Technical Approach
  2.1 The Problem
  2.2 Overview of The TIARA Architecture
  2.3 TIARA System Layers
  2.4 TIARA Hardware
    2.4.1 Ensuring Secure Information Flow
    2.4.2 The HEX Unit
    2.4.3 Hardware Support for Garbage Collection
  2.5 The Object Abstraction
  2.6 The System Software Layer
  2.7 The Wrapper and Meta Control Layer
  2.8 The Access Control Layer
  2.9 The Plan Layer
  2.10 The Data Provenance Layer
  2.11 The Application Substrate Level
3 Application Context
4 Design Summary
