
Flexible control of downloaded executable content

Published: 01 May 1999

Abstract

We present a security architecture that enables system and application access control requirements to be enforced on applications composed from downloaded executable content. Downloaded executable content consists of messages downloaded from remote hosts that contain executables that run, upon receipt, on the downloading principal's machine. Unless restricted, this content can perform malicious actions, including accessing its downloading principal's private data and sending messages on this principal's behalf. Current security architectures for controlling downloaded executable content (e.g., JDK 1.2) enable specification of access control requirements for content based on its provider and identity. Since these access control requirements must cover every legal use of the class, they may include rights that are not necessary for a particular application of the content. Therefore, using these systems, an application composed from downloaded executable content cannot enforce its access control requirements without the addition of application-specific security mechanisms. In this paper, we define an access control model with the following properties: (1) system administrators can define system access control requirements on applications and (2) application developers can use the same model to enforce application access control requirements without the need for ad hoc security mechanisms. This access control model uses features of role-based access control models to enable (1) specification of a single role that applies to multiple application instances; (2) selection of a content's access rights based on the content's application and role in the application; (3) consistency maintained between application state and content access rights; and (4) control of role administration. We detail a system architecture that uses this access control model to implement secure collaborative applications. Lastly, we describe an implementation of this architecture, called the Lava security architecture.
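As an added illustration (not code from the paper or from the Lava implementation), the toy policy engine below contrasts an identity-based policy, which grants a downloaded class the union of rights needed for every legal use, with the four properties the abstract lists: one role definition shared by several application instances, rights chosen by the content's application and role, rights that track the application's current state, and role administration restricted to the application's administrator. All content identifiers, states, principals and permission strings are constructed.

```python
from dataclasses import dataclass, field
# Identity-based policy (the JDK 1.2 style the abstract contrasts with):
# provider/class -> union of rights needed across every legal use (constructed).
IDENTITY_POLICY = {
    "uarc.example/Viewer": {"read:dataset", "write:dataset", "net:send"},
}

@dataclass
class Role:
    name: str
    rights_by_state: dict  # application state -> set of rights
@dataclass
class Application:
    name: str
    state: str
    admins: set
    roles: dict = field(default_factory=dict)        # role name -> Role
    assignments: dict = field(default_factory=dict)  # content id -> role name

    def define_role(self, principal, role):
        # Role administration is itself controlled: only an application
        # administrator may introduce or replace a role.
        if principal not in self.admins:
            raise PermissionError(f"{principal} may not administer {self.name}")
        self.roles[role.name] = role

    def assign(self, content, role_name):
        if role_name not in self.roles:
            raise KeyError(f"role {role_name!r} not defined for {self.name}")
        self.assignments[content] = role_name

    def set_state(self, state):
        # Rights are derived at check time, so a state change takes effect
        # at once: application state and content rights stay consistent.
        self.state = state
    def rights(self, content):
        role = self.roles[self.assignments[content]]
        return role.rights_by_state.get(self.state, set())

# One role definition shared by every session instance (constructed).
VIEWER_ROLE = Role("viewer", {
    "browsing": {"read:dataset"},
    "annotating": {"read:dataset", "write:dataset"},
})
def make_session(name, state="browsing", admin="alice"):
    app = Application(name, state, admins={admin})
    app.define_role(admin, VIEWER_ROLE)
    app.assign("uarc.example/Viewer", "viewer")
    return app

def excess_rights(app, content):
    """Rights the identity policy grants that this application does not need now."""
    return IDENTITY_POLICY.get(content, set()) - app.rights(content)
```

The difference returned by `excess_rights` is the over-privilege the abstract attributes to provider/identity-based policies; it shrinks or grows as the session changes state.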


Reviews

Stanley A. Kurzban

Effective access control is hardly a simple matter of specifying and enforcing permissions that apply to pairs of subjects and objects. Consideration must also be given to the programs that mediate access; authentication of users, programs, and objects; rules for administration and delegation of authority; and external constraints. Most important of all, however, is providing administrators with all of the tools they need to specify the rules that can lead to effective access control that meets all of an organization's objectives. No one has ever discussed all of these considerations as cogently, completely, and helpfully as the authors of this paper, which describes access control software (implemented only on the Lava operating system) for a distributed application that poses formidable security challenges—the Upper Atmospheric Research Collaboratory system. Data and executables are downloaded to widely distributed systems, where they are used by personnel with diverse needs and authorities. Care must be taken to assure not only that collaborators can gain all the access they need and no more, but also that programs are confined so that they cannot impair the integrity or confidentiality of resources at the remote systems. The authors' lucid and detailed description of their methodology, and the extensive and very useful list of references they include, are widely applicable. Their discussions of devices for generalizing over sets, specifying exceptions to generalities, and controlling delegation are particularly useful and insightful. All in all, their exposition is a valuable contribution to the literature that any designer of access control software would do well to read.
