• No results found

Security for Extensible Systems

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Security for Extensible Systems"

Copied!
5
0
0

Loading.... (view fulltext now)

Download now ( 5 Page )

Full text

(1)

Security for Extensible Systems

Robert Grimm

Brian N. Bershad

f

rgrimm, bershad

g

@cs.washington.edu

Dept. of Computer Science and Engineering

University of Washington

Seattle, WA 98195, U.S.A.

Abstract

The recent trend towards dynamically extensible sys-tems, such as Java, SPIN or VINO, promises more powerful and flexible systems. At the same time, the impact of ex-tensibility on overall system security and, specifically, on access control is still ill understood, and protection mech-anisms in these extensible systems are rudimentary at best. In this position paper, we identify the structure of extensi-ble systems as it relates to system security and postulate an initial model for access control. This model extends the dis-cretionary access control of traditional operating systems to encompass extensions and, by using ideas explored by the security community, introduces a notion of mandatory access control. While a new access control model does not address all aspects of system security, we believe that it can serve as a solid foundation for developing a fully featured and flexible security model for extensible systems.

1

Problem and Motivation

The recent trend towards dynamically extensible systems is probably best exemplified by the Java system [11, 9, 12]. Several other projects are also pursuing extensible systems motivated by the promise of more powerful and flexible sys-tems: SPIN [2] and VINO [21] address extensibility in the context of operating systems. Inferno [13] focuses on ex-tensibility for distributed services. And, Juice [6], which utilizes “slim binary” technology [7, 10] originally devel-oped for the Oberon system, provides a faster and leaner alternative to Java on the world-wide web. At the same time, the impact of extensibility on overall system security and specifically access control is still ill understood. And, the protection mechanisms in these extensible systems are rudimentary at best, as illustrated by the continuous string of security breaches in the Java system [4, 15].

Mainstream operating and file systems use access con-trol mechanisms that are familiar and widely accepted by users. Their use of individuals and groups in combination with fully featured access control lists has the potential to offer a flexible and powerful mechanism to protect files and other system objects. Even so, they do not fully exploit this potential, nor do they address the issue of protecting exten-sible systems: The access control mechanisms in Unix [16] are primitive and, barely, offer adequate security to protect file access. The access control mechanisms in the Andrew File System [19] and Windows NT [23] are more flexible than in Unix, but do not address the specific problems of protection in dynamically extensible systems as well.

In this position paper, we identify the structure of ex-tensible systems as it relates to access control and describe the current state of affairs. We identify the requirements of access control in extensible systems and outline an initial access control model for extensible systems. This model extends existing protection mechanisms (as found in main-stream operating systems) and draws on ideas explored by the security community to provide a flexible, powerful and complete protection model for extensible systems.

The discussion in this position paper focuses on just one aspect of overall system security in extensible systems, namely access control. Other important issues, such as the authentication of extensions (and principals), the auditing of security relevant system events, how to counter denial of service attacks, a formal model of security in extensi-ble systems, or the assertion and certification that a given implementation actually and correctly implements a given security model, are only touched upon or not discussed at all. These issues are clearly important and how they are addressed profoundly influences the security of any given system, be it extensible or not. However, we believe that a complete access control model, as outlined in this position paper, can serve as a solid foundation for future work on the security of extensible systems.

(2)

1.1

Structure of Extensible Systems

The basic innovation of extensible systems for the pur-poses of this position paper is that units of code, which we call “extensions,” can be dynamically loaded and linked into the base system and consequently become an integral part of the base system. Different systems use different terms for the extension mechanism and the extensions themselves, such as “applets” in Java or “grafts” in VINO. But the ba-sic functionality and structure of these extensible systems is sufficiently similar to rely on two basic mechanisms to tightly compose extensions.

First, extensions can call other parts of the system to build on already supported functionality. Second, exten-sions can extend the functionality of the base system by adding new services which are then invoked through al-ready existing interfaces (which is sometimes referred to as specialization). Both mechanisms are usually provided by a central facility, by either building on programming lan-guage support (for example, the use of inheritance in Java or VINO) or a dynamic dispatch model (for example, the event-dispatch model in SPIN, see [17]).

While seemingly similar, the two mechanisms represent different semantics: In the first case, an extension invokes other services, while in the second case, an extension is in-voked by another service. The combination of both mecha-nisms provides extensions with considerable flexibility and power (which is one major argument for using extensible systems). For example, an extension can be used to provide a new file system that is not supported by the original sys-tem. To implement this file system, the extension that im-plements the new file system uses existing services (such as mbufmanagement) and builds on them. At the same time, to access the new file system, a user invokes the existing, general file system interfaces which have been extended (or specialized) by the extension to also handle the new type of file system.

Given that extensions are usually not trusted, the safety and security of the overall system are crucial issues when using an extensible system. To ensure safety, current exten-sible systems rely on programming language support (us-ing type-safe programm(us-ing languages, such as the Java pro-gramming language in the Java system, Modula-3 in SPIN, or Oberon in Juice) and software fault isolation (in VINO). To ensure system security, access to the two mechanisms discussed above, i.e., the decision which services of the sys-tem a given extension can utilize and which interfaces it can extend, must be carefully controlled. However, access con-trol in existing extensible systems is rudimentary at best.

1.2

The State of Affairs

The current Java security model [8, 15] distinguishes between trusted extensions (code stored on the local file

system), which have access to the full functionality of the Java system, and untrusted extensions (all remote code). Untrusted extensions are placed into a so-called “sand-box” which limits extensions from using some system ser-vices (such as accessing the local file system) and ideally would also isolate extensions from each other (see [15] for a counter example: the ThreadMurderapplet kills the threads of all other applets that are running in the same sandbox, including those applets that are loaded and linked after theThreadMurderapplet itself has been linked in). Future versions of Java will provide authenticated exten-sions with a finer granularity of access control (such as al-lowing some extensions to access certain files). However, no clear and flexible access control model, detailing how this finer grain of access control will be provided, has been presented. Furthermore, the security of the Java system, in-stead of relying on one central facility to enforce security (which is good design practice for secure systems [18]), relies on three facilities, or “prongs” (a term introduced by [15]). This design makes it unnecessarily hard to reason about the security properties of Java and a design or imple-mentation error in any one of the three prongs can break the entire security system, as has been repeatedly demon-strated [4, 15].

In SPIN, system services are partitioned into several “do-mains” [22], where each domain is a collection of Modula-3 interfaces. An extension is linked against one or more do-mains and can only access and extend those system services that are in the domains it has been linked against. Other sys-tem services are inaccessible to an extension. Domains pro-vide a useful mechanism to avoid a flat global name-space, to group several interfaces according to, for example, the functionality they provide, and to control the visibility of interfaces. However, an extension can either call on and ex-tend all interfaces in all domains it has been linked against, or access control is ad hoc, with each extension responsible for implementing its own access checks whenever it was being extended.

Little or no information is available on system security for other extensible systems: VINO distinguishes between regular and privileged users, and uses dynamic privilege checks before accessing sensitive data [20]. Inferno uses encryption for the mutual authentication of communicating parties and their messages [14]. No information is available on security in Juice. While these systems ensure the basic safety of the system by relying on either programming lan-guage support or software fault isolation, no security model and specifically no access control model is discussed in the publicly available literature. In the absence of other infor-mation, we thus assume that access control is still an open issue that needs to be addressed in these systems as well.

As illustrated by the above discussion, better access con-trol is needed for extensible systems. The access concon-trol

(3)

mechanisms of mainstream operating and file systems are familiar and widely accepted by users and, by using in-dividuals and groups in combination with fully featured access control lists, have the potential to offer a flexible and powerful mechanism to protect system objects. How-ever, current implementations do not have sufficient power to provide access control for extensible systems: The ac-cess control in Unix, which associates an individual and a group owner with each file [16], is primitive and barely suf-ficient for controlling file access, let alone for controlling an extensible system. The Andrew File System uses full-blown access control lists, but does so only at the granu-larity of entire directories [19], which we believe is at too high a grain (see the discussion in section 2.3). Windows NT uses access control lists at the granularity of individual files and presents a rich, though unnecessarily complicated access control model [23] (objects can be associated with three types of access permissions, called specific, standard and generic types, but several of the individual permissions within the different types do not offer any real semantic dif-ference). But it, too, does not provide a means to control the two ways extensions interact with the rest of the system, nor does it provide for any mandatory access control (see the discussion at the beginning of section 2 and section 2.2).

2

Access Control in Extensible Systems

As already pointed out, the access control mechanisms used to control file access in mainstream operating systems provide a model that is well understood and widely ac-cepted. At the same time, the use of individuals and groups, in addition to fully featured access control lists, provides for a powerful and flexible (discretionary) access control mech-anism. By building on this familiar model, protection in extensible systems can be integrated with the protection of other system objects and, at the same time, can rely on the experience users have with this type of access control.

At the most fundamental level, an access control model for extensible systems must control the two ways extensions interact with the rest of the system (i.e., both which inter-faces an extension can call on and which interinter-faces an ex-tension can extend). At the same time, it should also al-low for different hierarchical levels of access, representing different levels of trust, as well as for different categories within each level of trust. For example, in Java one can eas-ily imagine a scenario where applets originating from the local machine should have full access to all files, applets originating from within the same organization should have access to some files, and applets that originate from outside the organization should have no file access. Thus, an access model that allows for several hierarchical levels of trust is needed. Additionally, applets that originate from within the organization should not be able to access or interfere with

each other (unless some controlled sharing of information is desired). Thus, different categories within one level of trust are needed.

The two fundamental ways extensions interact with the rest of the system is best controlled by discretionary ac-cess control and is discussed in subsection 2.1. However, mandatory access control is better suited to provide differ-ent levels of trust and separated categories within one level of trust. Such an access control mechanism (which builds on ideas explored by the security community) is discussed in subsection 2.2. The structure of the name space, its gran-ularity and how it interacts with other name services pro-vided by a system greatly influences how the protection of extensions integrates with other protection mechanisms and is thus discussed in subsection 2.3.

2.1

Discretionary Access Control

Fully featured access control lists (which allow for sev-eral entries specifying positive—i.e., who is allowed to ac-cess an object—and negative acac-cess—i.e., who is not al-lowed to access an object—for both individuals and groups) can be used to control what services extensions can call on and what interfaces they can extend. In addition toread, write,write-append(to better limit how objects can be modified),administrate(to change the access con-trol lists themselves) access modes (with the possible addi-tion ofdeleteandlistaccess modes) to control access to other system objects, two access modes are needed to protect extensions: These two modes directly correspond to the two ways extensions interact with the rest of the system. The first access mode is theexecuteaccess mode and al-lows extensions to call on a given system service. The sec-ond access mode is the extendaccess mode and allows extensions to extend (or specialize) a given service.

By using access control lists on system services and the executeandextendaccess modes, systems can control which extensions can call on and extend which system ser-vices. It is consequently possible to limit extensions to only use certain services and not others. Discretionary access control thus provides a basic framework for limiting access to specific system services.

2.2

Mandatory Access Control

To provide a notion of levels of trust and separated cat-egories within a level of trust, access control in extensible systems must use some form of mandatory access control. We base mandatory access control in extensible systems on the lattice model of information flow [1, 5, 3]. In this model, each subject and object have a security class associated with them that controls which subject can access which objects and how. To provide adequate protection for extensible sys-tems the security class is represented as the product of a

(4)

linearly ordered set of levels of trust and of a subset out of a set of categories (where all possible subsets are partially ordered by subset inclusion).

In this model, threads of control serve as subjects and function at the same security class as the associated princi-pal. The security class is passed on when another system service is invoked, i.e., the security class of a given unit of code is dynamically determined by the associated principal. However, it may be necessary to statically associate exten-sions with a certain security class to avoid security breaches (for example, applets that originate outside the local organi-zation in above example might always run at the least level of trust to ensure that they can not access local files). Stat-ically assigned security classes can also be used when ex-tending system services: Extensions with different security classes can all be allowed to extend the same system ser-vice. But when the extended service is invoked, the right extension is selected based on the security class of the caller. Subjects can view the contents of an object (i.e., have read access) when their level of trust is higher than or equal to the level of trust of the object and when their categories are a superset of the categories of the object. They can mod-ify the contents of an object (i.e., have any form of write ac-cess) when their level of trust is lower or equal to the level of trust of the object and their categories are a subset of the categories of the object (it may thus be necessary to use the write-appendaccess mode to limit subjects at a lower level of trust to blindly overwrite objects at a higher level of trust).

The linear ordering of levels of trust provides for a hier-archy of authority levels, where a higher level dominates all lower levels. The partial ordering of category subsets allows for any degree of controlled sharing (including the strict separation) of different control compartments. All flow of information in an extensible system can thus be tightly con-trolled, and users can not circumvent the basic security of the system by exercising discretionary access control.

To return to the example from the beginning of section 2, a user could use three linearly ordered labels (saylocal, organizationandothersin descending order) to rep-resent the different levels of trust for file access and a set of labels (saymyself,department-1,department-2 andoutside) representing different categories. Each se-curity class would now consist of one label from the first set and some subset of the second set of labels. The user’s applets would use a security class consisting of thelocal label and the entire second set of labels and thus have access to all files (including those generated by other applets). Ap-plets from within the organization would use a security class consisting of the organization label in combination with either thedepartment-1, thedepartment-2 la-bel or both lala-bels. Two applets from within the organi-zation using the department-1and department-2

labels respectively thus have access to some files (as rep-resented by the organization level of trust) but can not access each other’s files. However, a third applet from within the organization that uses both thedepartment-1 anddepartment-2labels can access the data of both the first two applets. More elaborate label assignments are cer-tainly possible and mandatory access control can thus be used to enforce any degree of separation and sharing at the same time.

2.3

Name Space Structure and Granularity of

Protection

The name space of all system services should form a hierarchy of names, where access to each level of the hi-erarchy is protected. The leaves of the name space rep-resent the individual functions of the system services (i.e., they represent methods in object-oriented systems and pro-cedures in procedural systems). The non-leaf nodes of the name space correspond to objects, interfaces and system-dependent mechanisms to group objects and interfaces. For example, in Java the leaves are individual methods, the out-ermost level of non-leaf nodes are Java objects and the next level of nodes are Java packages. In SPIN the leaves are in-dividual procedures, the outermost level of non-leaf nodes are Modula-3 interfaces and the next level of nodes are do-mains.

This structure compares well with the structure of nam-ing and access control in file systems: The leaves corre-spond to the individual files, and access control determines which methods or procedures can be called on and extended by extensions. The non-leaf nodes correspond to direc-tories, and access control determines which objects, inter-faces, packages or domains are visible to an extension and whether an extension can add new entries. This similarity in structure allows for the use of a single, universal name space that integrates all named objects in a given system, and thus enables a central name server to enforce all protection.

3

Summary

A model for access control in extensible systems—as outlined in this position paper—is at the core of all system security and thus the key to designing and implementing

secure extensible systems. Our model is based on the

ac-cess control list mechanisms found in conventional operat-ing systems and usesexecuteandextendaccess modes to control the two ways extensions interact with the rest of the system. We use use mandatory access control, an idea explored by the security community, to provide extensible systems with a notion of levels of trust and of categories within one level of trust. By using a single hierarchical name space, the protection of extensions can be easily in-tegrated with the protection of other system objects, such

(5)

as files. The result is a central facility to provide naming and protection services for the entire system. This economy of mechanism and the resulting psychological acceptability (the protection of extensible systems, to the user, does not appear to be that different from protection in conventional operating systems) are examples of using design principles that are particularly important for the design of protection mechanisms [18]. It is our hope that this model and its care-ful structuring according to security concerns can provide a good basis for future work on the security of extensible sys-tems.

Further information on our research on the secu-rity of extensible systems can be found on the world-wide web athttp://www.cs.washington.edu/homes/ rgrimm/research/security.html.

References

[1] D. Elliott Bell and Leonard J. La Padula. Secure Com-puter System: Unified Exposition and Multics Interpreta-tion. Technical Report MTR-2997 Rev. 1, The MITRE Corporation, Bedford, Massachusetts, March 1976. Also ADA023588, National Technical Information Service. [2] Brian N. Bershad, Stefan Savage, Przemysław Pardyak,

Emin G¨un Sirer, Marc Fiuczynski, David Becker, Susan Eg-gers, and Craig Chambers. Extensibility, Safety and Perfor-mance in the SPIN Operating System. In Proceedings of

the 15th Symposium on Operating Systems Principles, pages

267–284, Copper Mountain, Colorado, December 1995. [3] K. J. Biba. Integrity Considerations for Secure Computer

Systems. Technical Report MTR-3153 Rev. 1, The MITRE Corporation, Bedford, Massachusetts, April 1977. Also ADA039324, National Technical Information Service. [4] Drew Dean, Edward W. Felten, and Dan S. Wallach. Java

Se-curity: From HotJava to Netscape and Beyond. In

Proceed-ings of the 1996 IEEE Symposium on Security and Privacy,

pages 190–200, Oakland, California, May 1996.

[5] Dorothy E. Denning. A Lattice Model of Secure Information Flow. Communications of the ACM, 19(5):236–243, May 1976.

[6] Michael Franz and Thomas Kistler. Introducing Juice.

http://www.ics.uci.edu/~juice/intro.html, Octo-ber 1996.

[7] Michael Franz and Thomas Kistler. Slim Binaries. Techni-cal Report 96-24, Department of Information and Computer Science, University of California, Irvine, June 1996. [8] J. Steven Fritzinger and Marianne Mueller. Java

Secu-rity. Sun Microsystems, Inc., White Paper, http://www. javasoft.com/security/whitepaper.ps, 1996. [9] James Gosling, Bill Joy, and Guy Steele. The Java Language

Specification. Addison-Wesley, Reading, Massachusetts, 1996.

[10] Thomas Kistler and Michael Franz. A Tree-Based Alterna-tive to Java Byte-Codes. Technical Report 96-58, Depart-ment of Information and Computer Science, University of California, Irvine, December 1996.

[11] Douglas Kramer, Bill Joy, and David Spenhoff. The Java Platform—A White Paper. JavaSoft White Paper, ftp: //ftp.javasoft.com/docs/JavaPlatform.ps, May 1996.

[12] Tim Lindholm and Frank Yellin. The Java Virtual Machine

Specification. Addison-Wesley, Reading, Massachusetts, 1996.

[13] Lucent Technologies Inc. Inferno: la Commedia In-terattiva. http://inferno.bell-labs.com/inferno/ infernosum.html, 1996.

[14] Lucent Technologies Inc. Security in Inferno. http://inferno.bell-labs. com/inferno/security.html, 1997.

[15] Gary McGraw and Edward W. Felten. Java Security: Hostile

Applets, Holes and Antidotes. Wiley Computer Publishing,

John Wiley & Sons, Inc., New York, New York, 1997. [16] Marshall Kirk McKusick, Keith Bostic, Michael J. Karels,

and John S. Quarterman. The Design and Implementation of

the 4.4BSD Operating System. Addison-Wesley Publishing

Company, Reading, Massachusetts, 1996.

[17] Przemysław Pardyak and Brian N. Bershad. Dynamic Bind-ing for an Extensible System. In ProceedBind-ings of the Second

Symposium on Operating Systems Design and Implementa-tion, pages 201–212, Seattle, Washington, October 1996.

[18] Jerome H. Saltzer and Michael D. Schroeder. The Protection of Information in Computer Systems. Proceedings of the

IEEE, 63(9):1278–1308, September 1975.

[19] M. Satyanarayanan, John H. Howard, David A. Nichols, Robert N. Sidebotham, Alfred Z. Spector, and Michael J. West. The ITC Distributed File System: Principles and De-sign. In Proceedings of the 10th Symposium on Operating

Systems Principles, pages 35–50, Orcas Island, Washington,

December 1985.

[20] Margo I. Seltzer. Personal Communication, January 1997. [21] Margo I. Seltzer, Yasuhiro Endo, Christopher Small, and

Keith A. Smith. Dealing With Disaster: Surviving Misbe-haved Kernel Extensions. In Proceedings of the Second

Sym-posium on Operating Systems Design and Implementation,

pages 213–227, Seattle, Washington, October 1996. [22] Emin G¨un Sirer, Marc Fiuczynski, Przemysław Pardyak, and

Brian Bershad. Safe Dynamic Linking in an Extensible Op-erating System. Workshop on Compiler Support for System

Software, February 1996.

[23] Karanjit S. Siyan. Windows NT Server Professional

References

Download now ( PDF - 5 Page - 41.45 KB )

Related documents

PORTFOLIOS / José Guerrero.

Each portfolio is presented in a fabric-lined case and dry-printed with the title, artist’s name and the edition number.. * (Some of the photographs included in the portfolios are

Preface. Assembly of Pakistan and transmitted to the Senate of Pakistan as

(a) the sums required to meet expenditure described by the Constitution as expenditure charged upon the Federal Consolidated Fund; and.. (b) the sums required to meet

Cymbis Finance Australia Limited (Receivers and Managers Appointed) ("Cymbis") ACN: ABN:

Total distributions paid to Enhanced Debentureholders to date 42,659 % recovery across all Debentureholders (based on Debentureholder registry as at date of appointment) 66.2%

The Role of State Owned Enterprises: Providing Infrastructure and Supporting Economic Recovery

From an enterprise development perspective it is essential that privatization policy protects and promotes competition in the market (i.e. by not selling monopoly assets or assets to

Painting Beyond the Numbers: The Art of Providing Access in Law School Admissions to Ensure Full Representation in the Profession

L., http://www.law.udmercy.edu/prospective/admission/ssp.php (last visited Nov. The problem is that many applicants may not be able to afford the cost of tuition or to

KAJIAN MENINGKATKAN KEMAHIRAN ASAS MEMBACA TEKS ARAB MELALUI KEMAHIRAN MEMBACA AL-QUR AN DAN KAEDAH LATIH TUBI

Setelah selesai dijalankan bengkel dan latihan latih tubi kemahiran membaca kosa kata nama selepas huruf al-jarr dan al- z arf , borang soal selidik penilaian diedarkan kepada

BYLAAG B LYS VAN BEROEPE GEKOPPEL AAN DIE VELDE VAN DIE LVV B-1. Copy-writer

P3,I1 Computer Engineer P3,I1 Computer Programmer P3,I1 Geotechnologist P3,I1 Industrial Engineer P3,I1 Network Controller P3,I1 Paint Technologist P3,I1 Paper

Wastewater Treatment and Other Research Initiatives with Vetiver Grass

• Four concrete cells of size 150 cm x 30 cm and a depth of 60 cm received wastewater from the Maturation Waste Stabilization Ponds: the four cells were planted with macrophytes