Abstract
In a configurable system, operating systems and applications are composed dynamically from executable modules. Since dynamically downloaded modules may not be entirely trusted, the system must be able to restrict their access rights. Current systems assign permissions to modules based on their executor, provider, and/or name. Since such modules may serve specific purposes in programs (i.e., services or applications), it should be possible to restrict their access rights based on the program for which they are used and the current state of that program. In this paper, we examine the access control infrastructure required to support the composition of systems and applications from modules. Access control infrastructure consists primarily of two functions: access control policy specification and enforcement of that policy. We survey representations for access control policy specification and mechanisms for access control policy enforcement to show the flexibility they provide and their limits. We then show how the Lava Security Architecture is designed to support flexible policy specification and enforcement.
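As an added illustration of the distinction the abstract draws (this is not code from the paper or from the Lava Security Architecture), the following Python sketch contrasts a policy that keys a module's rights on its executor, provider and name with one that further narrows those rights by the program the module is composed into and that program's current state. The principal, program and module names, the file paths, the program states and the rule that program/state rights intersect the module's base rights are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access attempt by a dynamically loaded module (constructed example)."""
    executor: str   # principal running the program
    provider: str   # who supplied (e.g. signed) the module
    module: str     # module name
    program: str    # program the module has been composed into
    state: str      # that program's current state
    op: str         # requested operation
    obj: str        # object the operation targets


# Policy 1 (as in the abstract's "current systems"): rights keyed only on
# (executor, provider, module name). They follow the module into every program.
MODULE_RIGHTS = {
    ("alice", "vendor.example", "spellcheck"): {
        ("read", "/usr/share/dict"),
        ("read", "/home/alice/drafts"),
        ("write", "/home/alice/drafts"),
    },
}

# Policy 2 (assumed design): the program, per state, bounds what any module it
# loads may do. "*" is a wildcard state. The effective rights are the
# intersection of the module's base rights and the program/state rights.
PROGRAM_STATE_RIGHTS = {
    ("mailer", "composing"): {
        ("read", "/usr/share/dict"),
        ("read", "/home/alice/drafts"),
        ("write", "/home/alice/drafts"),
    },
    ("mailer", "sending"): {("read", "/home/alice/drafts")},
    ("viewer", "*"): {("read", "/usr/share/dict")},
}


def module_rights(req: Request) -> set:
    return MODULE_RIGHTS.get((req.executor, req.provider, req.module), set())


def program_state_rights(program: str, state: str) -> set:
    exact = PROGRAM_STATE_RIGHTS.get((program, state))
    if exact is not None:
        return exact
    return PROGRAM_STATE_RIGHTS.get((program, "*"), set())


def module_keyed_allows(req: Request) -> bool:
    """Policy 1: ignores which program the module serves and its state."""
    return (req.op, req.obj) in module_rights(req)


def program_keyed_allows(req: Request) -> bool:
    """Policy 2: the same module gets different rights per program and state."""
    effective = module_rights(req) & program_state_rights(req.program, req.state)
    return (req.op, req.obj) in effective


def evaluate(req: Request) -> dict:
    """Return both decisions so the two policies can be compared side by side."""
    return {
        "module_keyed": module_keyed_allows(req),
        "program_keyed": program_keyed_allows(req),
    }


if __name__ == "__main__":
    base = dict(executor="alice", provider="vendor.example", module="spellcheck",
                op="write", obj="/home/alice/drafts")
    for program, state in [("mailer", "composing"), ("mailer", "sending"), ("viewer", "idle")]:
        r = Request(program=program, state=state, **base)
        print(program, state, evaluate(r))
```

The point the comparison makes is that under the module-keyed policy the spellcheck module can write the draft directory whether it is running inside the mailer, inside a read-only viewer, or while the mailer is in the middle of sending, whereas the program/state-keyed policy grants the write only where the enclosing program, in its current state, legitimately needs it.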
© 1999 Springer-Verlag Berlin Heidelberg
Cite this chapter
Jaeger, T. (1999). Access Control in Configurable Systems. In: Vitek, J., Jensen, C.D. (eds) Secure Internet Programming. Lecture Notes in Computer Science, vol 1603. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-48749-2_14
DOI: https://doi.org/10.1007/3-540-48749-2_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-66130-6
Online ISBN: 978-3-540-48749-4
eBook Packages: Springer Book Archive