Separating access control policy, enforcement, and functionality in extensible systems

ACM Transactions on Computer Systems

Volumn 19, Issue 1, 2001, Pages 36-70

  Grimm, Robert ^a   Bershad, Brian N ^a  

^a University of Washington   (United States)

Author keywords

Access check; Auditing; D.4 Software : Operating Systems; D.4.6 Operating Systems : Security and Protection Access controls; Extensible systems; Java; Protection domain; Protection domain transfer; Security; Security policy; SPIN

Indexed keywords

EID: 0041865338     PISSN: 07342071     EISSN: None     Source Type: Journal    
DOI: 10.1145/367742.367773     Document Type: Article

References (73)

1. BADGER, L., OOSTENDORP, K. A., MORRISON, W. G., WALKER, K. M., VANCE, C. D., SHERMAN, D. L., AND STERNE, D. F. 1997. DTE firewalls - initial measurement and evaluation report. Tech. Rep. 0632R. Trusted Information Systems, Inc., Glenwood, MD.
2. BADGER, L., STERNE, D. F., SHERMAN, D. L., WALKER, K. M., AND HAGHIGHAT, S. A. 1995a. Practical domain and type enforcement for UNIX. In Proceedings of the IEEE Symposium on Research in Security and Privacy (Oakland, CA, May). IEEE Computer Society Press, Los Alamitos, CA, 66-77.
3. BADGER, L., STERNE, D. F., SHERMAN, D. L., WALKER, K. M., AND HAGHIGHAT, S. A. 1995b. A domain and type enforcement UNIX prototype. In Proceedings of the 5th USENIX UNIX Security Symposium (Salt Lake City, UT, June). USENIX Assoc., Berkeley, CA, 127-140.
4. BELL, D. E. AND LAPADULA, L. J. 1976. Secure computer systems: Unified exposition and Multics interpretation. Tech Rep. MTR-2997 Rev. 1 (Mar.). MITRE Corp., Bedford, MA. Also ADA023588, National Technical Information Service.
5. BERSHAD, B., SAVAGE, S., PARDYAK, P., SIRER, E., FIUCZYNSKI, M., BECKER, D., CHAMBERS, C., AND EGGERS, S. 1995. Extensibility, safety, and performance in the SPIN operating system. In Proceedings of the 15th ACM Symposium on Operating Systems Principles (Copper Mountain Resort, CO, Dec.). ACM Press, New York, NY, 267-284.
6. BIBA, K. J. 1977. Integrity considerations for secure computer systems. Tech. Rep. MTR-3153 Rev. 1 (Apr.). MITRE Corp., Bedford, MA. Also ADA039324, National Information Service.
7. BLAZE, M., FEIGENBAUM, J., IOANNIDIS, J., AND KEROMYTIS, A. D. 1999. The role of trust management in distributed systems security. In Secure Internet Programming: Security Issues for Mobile and Distributed Objects, J. Vitek and C. Jensen, Eds. Lecture Notes in Computer Science, vol. 1603. Springer-Verlag, New York, NY, 185-210.
8. BOEBERT, W. E. AND KAIN, R. Y. 1985. A practical alternative to hierarchical integrity policies. In Proceedings of the 17th National Conference on Computer Security (Gaithersburg, MD). 18-27.
9. BREWER, D. F. C. AND NASH, M. J. 1989. The Chinese Wall security policy. In Proceedings of the IEEE Symposium on Research in Security and Privacy (Oakland, CA, May 1-3). IEEE Computer Society Press, Los Alamitos, CA, 206-214.
10. CHASE, J. S., LEVY, H. M., FEELEY, M. J., AND LAZOWSKA, E. D. 1994. Sharing and protection in a single-address-space operating system. ACM Trans. Comput. Syst. 12, 4 (Nov.), 271-307.
11. CLARK, D. AND WILSON, D. 1987. A comparison of commercial and military computer security policies. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland, CA). IEEE Computer Society Press, Los Alamitos, CA, 184-194.
12. COHEN, E., JEFFERSON, D., AND JEFFERSON, D. 1975. Protection in the Hydra operating system. In Proceedings of the 5th ACM Symposium on Operating Systems Principles (Austin, TX, Nov.). 141-160.
13. COHEN, G., CHASE, J., AND KAMINSKY, D. 1998. Automatic program transformation with JOIE. In Proceedings of the 1998 USENIX Annual Technical Conference (New Orleans, LA, June). USENIX Assoc., Berkeley, CA, 167-178.
14. DAVIDSON, J. D. AND COWARD, D. 1999. Java servlet specification, v2.2. Sun Microsystems, Inc., Mountain View, CA.
15. DEAN, D., FELTEN, E., AND WALLACH, D. 1996. Java security: From HotJava to Netscape and beyond. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland, CA, May). IEEE Press, Piscataway, NJ, 190-200.
16. DENNING, D. E. 1976. A lattice model of secure information flow. Commun. ACM 19, 2 (May), 236-243.
17. DEPT. OF DEFENSE COMPUTER SECURITY CTR. 1985. Department of Defense trusted computer system evaluation criteria. Department of Defense Standard DoD 5200.28-STD.
18. ELLISON, C. M., FRANTZ, B., LAMPSON, B., RIVEST, R., THOMAS, B., AND YLONEN, T. 1999. SPKI certificate theory. RFC 2693. Internet Engineering Task Force.
19. ERLINGSSON, Ú. AND SCHNEIDER, F. B. 1999. SASI enforcement of security policies: A retrospective. In Proceedings of the 1999 ACM Workshop on New Security Paradigms (Caledon Hills, Ontario, Canada, Sept.). ACM Press, New York, NY, 87-95.
20. ERLINGSSON, Ú. AND SCHNEIDER, F. B. 2000. IRM enforcement of Java stack inspection. In Proceedings of the 2000 IEEE Symposium on Security and Privacy (Oakland, CA, May). 246-255.
21. EVANS, D. AND TWYMAN, A. 1999. Flexible policy-directed code safety. In Proceedings of the 1999 IEEE Symposium on Security and Privacy (Oakland, California, May). 32-45.
22. FERRAIOLO, D. AND KUHN, D. R. 1992. Role based access control. In Proceedings of the 15th Annual Conference on National Computer Security. National Institute of Standards and Technology, Gaithersburg, MD, 554-563.
23. FERRAIOLO, D., CUGINI, J., AND KUHN, D. R. 1995. Role based access control (RBAC): Features and motivations. In Proceedings of the 11th Annual Conference on Computer Security Applications (New Orleans, LA, Dec.). IEEE Computer Society Press, Los Alamitos, CA, 241-248.
24. GHORMLEY, D. P., PETROU, D., ANDERSON, T. E., AND RODRIGUES, S. H. 1998. SLIC: An extensibility system for commodity operating systems. In Proceedings of the 1998 USENIX Annual Technical Conference (New Orleans, LA, June). USENIX Assoc., Berkeley, CA, 39-52.
25. GONG, L. 1997. Java security: Present and near future. IEEE Micro 17, 3 (May/June), 14-19.
26. GONG, L. 1999. Inside Java Platform Security - Architecture, API Design, and Implementation. Addison-Wesley, Reading, MA.
27. GONG, L. AND SCHEMERS, R. 1998. Implementing protection domains in the Java Development Kit 1.2. In Proceedings of the 1998 Internet Society Symposium on Network and Distributed System Security (San Diego, CA, Mar.). 125-134.
28. GONG, L., MUELLER, M., AND PRAFULLCHANDRA, H. 1997. Going beyond the sandbox: An overview of the new security architecture in the Java Development Kit 1.2. In Proceedings of the USENIX Symposium on Internet Technologies and Systems (Monterey, CA, Dec.). USENIX Assoc., Berkeley, CA, 103-112.
29. GOSLING, J., JOY, B., AND STEELE, G. 1996. The Java Language Specification. Addison-Wesley, Reading, MA.
30. GRAHAM, S. L., LUCCO, S., AND WAHBE, R. 1995. Adaptable binary programs. In Proceedings of the 1995 USENIX Annual Technical Conference (New Orleans, LA, Jan.). USENIX Assoc., Berkeley, CA, 315-325.
31. HAGIMONT, D. AND ISMAIL, L. 1997. A protection scheme for mobile agents on Java. In Proceedings of the 3rd Annual ACM/IEEE International Conference on Mobile Computing and Networking (MOBICOM '97, Budapest, Hungary, Sept. 26-30), L. Pap, K. Sohraby, D. B. Johnson, and C. Rose, Chairs. ACM Press, New York, NY, 215-222.
32. HARDY, N. 1988. The confused deputy. ACM SIGOPS Oper. Syst. Rev. 22, 4 (Oct.), 36-38. http://www.cis.upenn.edu/ KeyKOS/ConfusedDeputy.html
33. HSIEH, W. C., FIUCZYNSKI, M. E., GARRETT, C., SAVAGE, S., BECKER, D., AND BERSHAD, B. N. 1996. Language support for extensible operating systems. In Proceedings of the ACM Workshop on Compiler Support for System Software (Tucson, AZ, Feb.). 127-133.
34. HUNT, G. AND BRUBACHER, D. 1999. Detours: Binary interception of Win32 functions. In Proceedings of the 3rd USENIX Windows NT Symposium (Seattle, WA, July). USENIX Assoc., Berkeley, CA, 135-143.
35. JONES, M. B. 1993. Interposition agents: Transparently interposing user code at the system interface. In Proceedings of the 14th ACM Symposium on Operating Systems Principles (Asheville, NC, Dec. 5-8), A. P. Black and B. Liskov, Chairs. ACM Press, New York, NY, 80-83.
36. KRELL, E. AND KRISHNAMURTHY, B. 1992. COLA: Customized overlaying. In Proceedings of the 1992 Winter USENIX Conference (San Francisco, CA, Jan.). USENIX Assoc., Berkeley, CA, 3-7.
37. LAMPSON, B. 1971. Protection. In Proceedings of the 5th Princeton Symposium on Information Sciences and Systems (Princeton, NJ, Mar.). 437-443.
38. LEE, H. B. AND ZORN, B. G. 1997. BIT: A tool for instrumenting Java bytecodes. In Proceedings of the USENIX Symposium on Internet Technologies and Systems (Monterey, CA, Dec.). 73-82.
39. LEE, T. 1988. Using mandatory integrity to enforce "commercial" security. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland, CA, Apr.). 140-146.
40. LINDHOLM, T. AND YELLIN, F. 1996. The Java Virtual Machine Specification. Addison-Wesley, Reading, MA.
41. LIPNER, S. B. 1982. Non-discretionary controls for commercial applications. In Proceedings of the 1982 IEEE Computer Society Symposium on Research in Security and Privacy (Oakland, CA, Apr.). IEEE Computer Society Press, Los Alamitos, CA, 2-10.
42. MCCOLLUM, C. J., MESSING, J. R., AND NOTARGIACOMO, L. 1990. Beyond the pale of MAC and DAC - Defining new forms of access control. In Proceedings of the IEEE Symposium on Research in Security and Privacy (Oakland, CA). IEEE Computer Society Press, Los Alamitos, CA, 190-200.
43. MCGRAW, G. AND FELTEN, E. W. 1996. Java Security: Hostile Applets, Holes, and Antidotes. John Wiley and Sons, Inc., New York, NY.
44. MCKUSICK, M. K., BOSTIC, K., KARELS, M. J., AND QUARTERMAN, J. S. 1996. The Design and Implementation of the 4.4BSD Operating System. Addison-Wesley UNIX and open systems series. Addison-Wesley Publishing Co., Inc., Redwood City, CA.
45. MINEAR, S. E. 1995. Providing policy control over object operations in a Mach-based system. In Proceedings of the 5th USENIX UNIX Security Symposium (Salt Lake City, UT, June). USENIX Assoc., Berkeley, CA, 141-156.
46. MORRISETT, G., WALKER, D., CRARY, K., AND GLEW, N. 1998. From System F to typed assembly language. In Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL '98, San Diego, CA, Jan. 19-21), D. B. MacQueen and L. Cardelli, Chairs. ACM Press, New York, NY, 85-97.
47. MYERS, A. C. AND LISKOV, B. 1997. A decentralized model for information flow control. In Proceedings of the 16th ACM Symposium on Operating Systems Principles (SOSP '97, Saint-Malo, France, Oct. 5-8), W. M. Waite, Ed. ACM Press, New York, NY, 129-142.
48. NECULA, G. C. AND LEE, P. 1996. Safe kernel extensions without run-time checking. In Proceedings of the 2nd USENIX Symposium on Operating Systems Design and Implementation (Seattle, WA, Oct.). 229-243.
49. NELSON, G., ED. 1991. Systems Programming With Modula-3. Prentice-Hall series in innovative technology. Prentice-Hall, Inc., Upper Saddle River, NJ.
50. OLAWSKY, D., FINE, T., SCHNEIDER, E., AND SPENCER, R. 1996. Developing and using a "policy neutral" access control policy. In Proceedings of the 1996 ACM Workshop on New Security Paradigms (Lake Arrowhead, CA, Sept.). ACM, New York, NY, 60-67.
51. PANDEY, R. AND HASHII, B. 1999. Providing fine-grained access control for Java programs. In Proceedings of the 13th European Conference on Object-Oriented Programming (Lisbon, Portugal, June). Springer-Verlag, New York, NY, 449-494.
52. PARDYAK, P. AND BERSHAD, B. N. 1996. Dynamic binding for an extensible system. In Proceedings of the 2nd USENIX Symposium on Operating Systems Design and Implementation (OSDI '96, Seattle, WA, Oct. 28-31), K. Petersen and W. Zwaenepoel, Chairs. ACM Press, New York, NY, 201-212.
53. RICHARDSON, J., SCHWARZ, P., AND CABRERA, L. -F. 1992. CACL: Efficient fine-grained protection for objects. In Proceedings of the ACM Conference on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA '92, Vancouver, British Columbia, Canada, Oct. 18-22), J. Pugh, Chair. ACM Press, New York, NY, 263-275.
54. RICHTER, J. 2000. Microsoft .NET framework delivers the platform for an integrated, service-oriented web. MSDN Mag. 15, 10 (Oct.), 56-65.
55. ROMER, T., VOELKER, G., LEE, D., WOMAN, A., WONG, W., LEVY, H., BERSHAD, B. N., AND CHEN, B. 1997. Instrumentation and optimization of Win32/Intel executables using Etch. In Proceedings of the USENIX Windows NT Workshop (Seattle, WA, Aug.). USENIX Assoc., Berkeley, CA, 1-8.
56. SALTZER, J. H. AND SCHROEDER, M. D. 1975. The protection of information in computer systems. Proc. IEEE 63, 9 (Sept.), 1278-1308.
57. SANDHU, R. S., COYNE, E. J., FEINSTEIN, H. L., AND YOUMAN, C. E. 1996. Role-based access control models. IEEE Computer 29, 2 (Feb.), 38-47.
58. SCHNEIDER, F. B. 2000. Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3, 1 (Feb.), 30-50.
59. SECURE COMPUTING CORPORATION. 1997a. DTOS lessons learned report. Tech. Rep. DTOS CDRL A008. Secure Computing Corporation, Roseville, MN.
60. SECURE COMPUTING CORPORATION. 1997b. DTOS general system security and assurability assessment report. Tech. Rep. DTOS CDRL A011. Secure Computing Corporation, Roseville, MN.
61. SIRER, E. G., FIUCZYNSKI, M., PARDYAK, P., AND BERSHAD, B. N. 1996a. Safe dynamic linking in an extensible operating system. In Proceedings of the ACM Workshop on Compiler Support for System Software (Tucson, AZ, Feb.). 134-140.
62. SIRER, E. G., GRIMM, R., GREGORY, A. J., AND BERSHAD, B. N. 1999. Design and implementation of a distributed virtual machine for networked computers. In Proceedings of the 17th ACM Symposium on Operating System Principles (Kiawah Island Resort, SC, Dec.). ACM Press, New York, NY, 202-216.
63. SIRER, E. G., SAVAGE, S., PARDYAK, P., DEFOUW, G. P., ALAPAT, M. A., AND BERSHAD, B. N. 1996b. Writing an operating system with Modula-3. In Proceedings of the ACM Workshop on Compiler Support for System Software (Tucson, AZ, Feb.). 141-148.
64. SMITH, J. M., CALVERT, K. L., MURPHY, S. L., ORMAN, H. K., AND PETERSON, L. L. 1999. Activating networks: A progress report. IEEE Computer 32, 4 (Apr.), 32-41.
65. SRIVASTAVA, A. AND EUSTACE, A. 1994. ATOM: A system for building customized program analysis tools. In Proceedings of the ACM SIGPLAN '94 Conference on Programming Language, Design and Implementation (PLDI '94, Orlando, FL, June 20-24), V. Sarkar, B. Ryder, and M. L. Soffa, Chairs. ACM Press, New York, NY, 196-205.
66. TAMCHES, A. AND MILLER, B. P. 1999. Fine-grained dynamic instrumentation of commodity operating system kernels. In Proceedings of the 3rd USENIX Symposium on Operating Systems Design and Implementation (OSDI '99, New Orleans, LA., Feb.). USENIX Assoc., Berkeley, CA, 117-130.
67. VON EICKEN, T., CHANG, C.-C., CZAJKOWSKI, G., HAWBLITZEL, C., HU, D., AND SPOONHOWER, D. 1999. J-Kernel: A capability-based operating system for Java. In Secure Internet Programming: Security Issues for Mobile and Distributed Objects, J. Vitek and C. Jensen, Eds. Lecture Notes in Computer Science, vol. 1603. Springer-Verlag, New York, NY, 369-393.
68. WAHBE, R., LUCCO, S., ANDERSON, T. E., AND GRAHAM, S. L. 1993. Efficient software-based fault isolation. In Proceedings of the 14th ACM Symposium on Operating Systems Principles (Asheville, NC, Dec. 5-8), A. P. Black and B. Liskov, Chairs. ACM Press, New York, NY, 203-216.
69. WALLACH, D. S. 1999. A new approach to mobile code security. Ph.D. Dissertation. Department of Computer Science, Princeton Univ., Princeton, NJ.
70. WALLACH, D. S. AND FELTEN, E. W. 1998. Understanding Java stack introspection. In Proceedings of the 1998 IEEE Symposium on Security and Privacy (Oakland, CA, May). IEEE Computer Society Press, Los Alamitos, CA, 52-63.
71. WALLACH, D. S., BALFANZ, D., DEAN, D., AND FELTEN, E. W. 1997. Extensible security architectures for Java. In Proceedings of the 16th ACM Symposium on Operating System Principles (Saint-Malo, France, Oct.). ACM, New York, NY, 116-128.
72. WETHERALL, D. 1999. Active network vision and reality. In Proceedings of the 17th ACM Symposium on Operating Systems Principles (Kiawah Island Resort, SC, Dec.). 64-79.
73. YOSHIKAWA, C., CHUN, B., EASTHAM, P., VAHDAT, A., ANDERSON, T., AND CULLER, D. 1997. Using smart clients to build scalable services. In Proceedings of the 1997 USENIX Annual Technical Conference (Anaheim, CA, Jan.). USENIX Assoc., Berkeley, CA, 105-117.