Separating access control policy, enforcement, and functionality in extensible systems

Robert Grimm, Brian N. Bershad

Research output: Contribution to journal › Article

Abstract

Extensible systems, such as Java or the SPIN extensible operating system, allow for units of code, or extensions, to be added to a running system in almost arbitrary fashion. Extensions closely interact through low-latency but type-safe interfaces to form a tightly integrated system. As extensions can come from arbitrary sources, not all of whom can be trusted to conform to an organization's security policy, such structuring raises the question of how security constraints are enforced in an extensible system. In this paper, we present an access control mechanism for extensible systems to address this problem. Our access control mechanism decomposes access control into a policy-neutral enforcement manager and a security policy manager, and it is transparent to extensions in the absence of security violations. It structures the system into protection domains, enforces protection domains through access control checks, and performs auditing of system operations. The access control mechanism works by inspecting extensions for their types and operations to determine which abstractions require protection and by redirecting procedure or method invocations to inject access control operations into the system. We describe the design of this access control mechanism, present an implementation within the SPIN extensible operating system, and provide a qualitative as well as quantitative evaluation of the mechanism.
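The abstract describes the mechanism at the level of architecture: a policy-neutral enforcement manager that inspects each loaded extension for its type and operations, interposes on the operations the policy says need protection, checks and audits every call, and transfers control into the callee's protection domain. The following is an added illustration of that separation, written for this page; it is not code from the paper or from SPIN (which is written in Modula-3 and works at the level of the language's type system). It models protection domains as labels on a call stack, a "type" as the Python class name, and the policy as a simple allow-set; the `FileSystem` and `Logger` extensions and the policy rules are constructed sample input.

```python
"""Added example: policy/enforcement split for extensions (not from the paper)."""
from __future__ import annotations
import inspect
from dataclasses import dataclass
from typing import Callable


class AccessDenied(PermissionError):
    """Raised by the enforcement manager; extensions never see it when allowed."""


@dataclass(frozen=True)
class Request:
    subject: str    # protection domain of the caller
    obj_type: str   # abstraction (here: class name) the operation belongs to
    operation: str  # method being invoked


class PolicyManager:
    """Holds the security policy only; it knows nothing about interposition."""

    def __init__(self, rules: dict[str, set[tuple[str, str]]]):
        # rules: protected type -> set of (subject domain, operation) that is allowed.
        # Any type absent from the table is unprotected and never checked.
        self._rules = rules

    def is_protected(self, obj_type: str) -> bool:
        return obj_type in self._rules

    def decide(self, req: Request) -> bool:
        return (req.subject, req.operation) in self._rules.get(req.obj_type, set())


class EnforcementManager:
    """Policy-neutral: inspects extensions, redirects operations, audits calls."""

    def __init__(self, policy: PolicyManager):
        self.policy = policy
        self.audit_log: list[tuple[str, Request]] = []
        self._domains: list[str] = ["kernel"]   # stack; top is the current domain

    @property
    def current_domain(self) -> str:
        return self._domains[-1]

    def call_from(self, domain: str, fn: Callable, *args):
        """Run fn as if invoked from protection domain `domain` (e.g. an untrusted extension)."""
        self._domains.append(domain)
        try:
            return fn(*args)
        finally:
            self._domains.pop()

    def load(self, extension: object, domain: str) -> object:
        """Inspect the extension's type and operations; interpose only where the policy requires."""
        obj_type = type(extension).__name__
        if not self.policy.is_protected(obj_type):
            return extension            # nothing to protect: extension left untouched
        for name, method in inspect.getmembers(extension, inspect.ismethod):
            if name.startswith("_"):
                continue
            # Redirect the public operation through an access check.
            setattr(extension, name, self._guard(obj_type, domain, name, method))
        return extension

    def _guard(self, obj_type: str, domain: str, name: str, method: Callable) -> Callable:
        def checked(*args, **kwargs):
            req = Request(self.current_domain, obj_type, name)
            allowed = self.policy.decide(req)
            self.audit_log.append(("allow" if allowed else "deny", req))
            if not allowed:
                raise AccessDenied(f"{req.subject} may not call {obj_type}.{name}")
            # Protection domain transfer: the callee runs in the extension's own domain,
            # so anything it calls in turn is checked against that domain, not the caller's.
            self._domains.append(domain)
            try:
                return method(*args, **kwargs)   # transparent to the extension when allowed
            finally:
                self._domains.pop()
        return checked


class FileSystem:
    """Constructed sample extension that exports a protected abstraction."""
    def __init__(self):
        self.files = {"/etc/passwd": "root:x:0:0"}
    def read(self, path):
        return self.files[path]
    def write(self, path, data):
        self.files[path] = data
    def stat(self, path):
        return len(self.files[path])


class Logger:
    """Constructed sample extension the policy does not protect; loaded as-is."""
    def log(self, msg):
        return f"log: {msg}"


def demo() -> dict:
    policy = PolicyManager({"FileSystem": {("kernel", "read"), ("kernel", "write"),
                                           ("kernel", "stat"), ("untrusted", "read"),
                                           ("untrusted", "stat")}})
    em = EnforcementManager(policy)
    fs = em.load(FileSystem(), domain="fs")
    lg = em.load(Logger(), domain="log")
    out = {"kernel_read": fs.read("/etc/passwd"),
           "untrusted_stat": em.call_from("untrusted", fs.stat, "/etc/passwd")}
    try:
        em.call_from("untrusted", fs.write, "/etc/passwd", "owned")
        out["untrusted_write"] = "allowed"
    except AccessDenied:
        out["untrusted_write"] = "denied"
    out["file_after"] = fs.files["/etc/passwd"]
    out["logger_untouched"] = lg.log("hi")
    out["audit"] = [(v, r.subject, r.operation) for v, r in em.audit_log]
    return out
```

The point to notice is what each half does not know: `PolicyManager` never sees a method object or a call stack, and `EnforcementManager` never contains a rule. Swapping in a different policy (a capability table, a mandatory label model) changes only the first class, while the extensions themselves are unmodified and, when every call is allowed, cannot tell the enforcement layer is present except by its latency.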

Original language: English (US)
Pages (from-to): 36-70
Number of pages: 35
Journal: ACM Transactions on Computer Systems
Volume: 19
Issue number: 1
DOIs: 10.1145/367742.367773
State: Published - Feb 2001

Keywords

  • Access check
  • Auditing
  • D.4 [Software]: Operating Systems
  • D.4.6 [Operating Systems]: Security and Protection - Access controls
  • Extensible systems
  • Java
  • Protection domain
  • Protection domain transfer
  • Security
  • Security policy
  • SPIN

ASJC Scopus subject areas

  • Computational Theory and Mathematics
  • Theoretical Computer Science

Cite this

Separating access control policy, enforcement, and functionality in extensible systems. / Grimm, Robert; Bershad, Brian N.

In: ACM Transactions on Computer Systems, Vol. 19, No. 1, 02.2001, p. 36-70.

Research output: Contribution to journal › Article

@article{8a9bd5116c13441f91e456a19efba533,
title = "Separating access control policy, enforcement, and functionality in extensible systems",
abstract = "Extensible systems, such as Java or the SPIN extensible operating system, allow for units of code, or extensions, to be added to a running system in almost arbitrary fashion. Extensions closely interact through low-latency but type-safe interfaces to form a tightly integrated system. As extensions can come from arbitrary sources, not all of whom can be trusted to conform to an organization's security policy, such structuring raises the question of how security constraints are enforced in an extensible system. In this paper, we present an access control mechanism for extensible systems to address this problem. Our access control mechanism decomposes access control into a policy-neutral enforcement manager and a security policy manager, and it is transparent to extensions in the absence of security violations. It structures the system into protection domains, enforces protection domains through access control checks, and performs auditing of system operations. The access control mechanism works by inspecting extensions for their types and operations to determine which abstractions require protection and by redirecting procedure or method invocations to inject access control operations into the system. We describe the design of this access control mechanism, present an implementation within the SPIN extensible operating system, and provide a qualitative as well as quantitative evaluation of the mechanism.",
keywords = "Access check, Auditing, D.4 [Software]: Operating Systems, D.4.6 [Operating Systems]: Security and Protection - Access controls, Extensible systems, Java, Protection domain, Protection domain transfer, Security, Security policy, SPIN",
author = "Robert Grimm and Bershad, {Brian N.}",
year = "2001",
month = "2",
doi = "10.1145/367742.367773",
language = "English (US)",
volume = "19",
pages = "36--70",
journal = "ACM Transactions on Computer Systems",
issn = "0734-2071",
publisher = "Association for Computing Machinery (ACM)",
number = "1",

}

TY - JOUR

T1 - Separating access control policy, enforcement, and functionality in extensible systems

AU - Grimm, Robert

AU - Bershad, Brian N.

PY - 2001/2

Y1 - 2001/2

N2 - Extensible systems, such as Java or the SPIN extensible operating system, allow for units of code, or extensions, to be added to a running system in almost arbitrary fashion. Extensions closely interact through low-latency but type-safe interfaces to form a tightly integrated system. As extensions can come from arbitrary sources, not all of whom can be trusted to conform to an organization's security policy, such structuring raises the question of how security constraints are enforced in an extensible system. In this paper, we present an access control mechanism for extensible systems to address this problem. Our access control mechanism decomposes access control into a policy-neutral enforcement manager and a security policy manager, and it is transparent to extensions in the absence of security violations. It structures the system into protection domains, enforces protection domains through access control checks, and performs auditing of system operations. The access control mechanism works by inspecting extensions for their types and operations to determine which abstractions require protection and by redirecting procedure or method invocations to inject access control operations into the system. We describe the design of this access control mechanism, present an implementation within the SPIN extensible operating system, and provide a qualitative as well as quantitative evaluation of the mechanism.

AB - Extensible systems, such as Java or the SPIN extensible operating system, allow for units of code, or extensions, to be added to a running system in almost arbitrary fashion. Extensions closely interact through low-latency but type-safe interfaces to form a tightly integrated system. As extensions can come from arbitrary sources, not all of whom can be trusted to conform to an organization's security policy, such structuring raises the question of how security constraints are enforced in an extensible system. In this paper, we present an access control mechanism for extensible systems to address this problem. Our access control mechanism decomposes access control into a policy-neutral enforcement manager and a security policy manager, and it is transparent to extensions in the absence of security violations. It structures the system into protection domains, enforces protection domains through access control checks, and performs auditing of system operations. The access control mechanism works by inspecting extensions for their types and operations to determine which abstractions require protection and by redirecting procedure or method invocations to inject access control operations into the system. We describe the design of this access control mechanism, present an implementation within the SPIN extensible operating system, and provide a qualitative as well as quantitative evaluation of the mechanism.

KW - Access check

KW - Auditing

KW - D.4 [Software]: Operating Systems

KW - D.4.6 [Operating Systems]: Security and Protection - Access controls

KW - Extensible systems

KW - Java

KW - Protection domain

KW - Protection domain transfer

KW - Security

KW - Security policy

KW - SPIN

UR - http://www.scopus.com/inward/record.url?scp=0041865338&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0041865338&partnerID=8YFLogxK

U2 - 10.1145/367742.367773

DO - 10.1145/367742.367773

M3 - Article

VL - 19

SP - 36

EP - 70

JO - ACM Transactions on Computer Systems

JF - ACM Transactions on Computer Systems

SN - 0734-2071

IS - 1

ER -