Extensible Security Architectures for Java
Dan S. Wallach, Dirk Balfanz, Drew Dean, and Edward W. Felten
Proceedings of the 16th ACM Symposium on Operating Systems Principles,
October 1997
Notes by: Steve Zdancewic, 21 April 1999
Overview
This paper discusses options for software-based language security in
Java. (Hardware based security is not considered due to portability
and performance concerns.) There are three techniques discussed:
- Capabilities
  - Unforgeable reference (ensured by type safety)
  - Subclass mechanism used to control access to protected resources
  - Revocation is a problem
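The capability approach in a small Python model (an added example, not code from the paper or its authors): a reference to the resource object is the capability, a subclass handed to less-trusted code overrides the operation it must not perform, and revocation only becomes possible if an extra layer of indirection is placed in front of the reference. The FileSystem class, the sample path and the policy choices are all assumptions made for the example.

```python
# Added example (not from the paper): a small Python model of the capability
# approach. A capability is an unforgeable object reference; a subclass hides
# part of the interface; revocation needs an extra indirection layer.

class FileSystem:
    """Protected resource. Holding a reference to an instance is the capability."""

    def __init__(self):
        self._files = {}

    def read(self, path):
        return self._files[path]

    def write(self, path, data):
        self._files[path] = data


class ReadOnlyFileSystem(FileSystem):
    """Attenuated capability via the subclass mechanism: the subclass is handed
    to less-trusted code and overrides the operation it must not perform."""

    def __init__(self, backing):
        # Share the underlying file table with the full-access object so that
        # reads observe writes made through the unrestricted reference.
        self._files = backing._files

    def write(self, path, data):
        raise PermissionError("write not permitted through this capability")


class RevocableCapability:
    """Forwarding wrapper that can be cut off later. A plain reference cannot
    be taken back once handed out, which is the revocation problem."""

    def __init__(self, target):
        self._target = target

    def revoke(self):
        self._target = None

    def __getattr__(self, name):
        # Only reached for names not found on the wrapper itself.
        if self._target is None:
            raise PermissionError("capability revoked")
        return getattr(self._target, name)


def demo():
    """Hand an applet a read-only, revocable view of the file system and
    return (what the applet read, write blocked?, revoked?, real contents)."""
    fs = FileSystem()
    fs.write("/etc/motd", "hello")            # constructed sample data
    applet_cap = RevocableCapability(ReadOnlyFileSystem(fs))

    seen = applet_cap.read("/etc/motd")       # reads succeed
    try:
        applet_cap.write("/etc/motd", "changed")
        write_blocked = False
    except PermissionError:
        write_blocked = True                  # subclass forbids write

    applet_cap.revoke()
    try:
        applet_cap.read("/etc/motd")
        revoked = False
    except PermissionError:
        revoked = True                        # indirection makes revocation possible

    return seen, write_blocked, revoked, fs.read("/etc/motd")


if __name__ == "__main__":
    print(demo())
```

Without the RevocableCapability layer the applet would keep its ReadOnlyFileSystem reference forever; type safety guarantees the reference cannot be forged, but it also means nothing short of indirection can invalidate it.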
- Stack Introspection
  - Used in Netscape and Internet Explorer
  - Three functions: enablePrivilege, disablePrivilege, checkPrivilege.
  - checkPrivilege searches the stack for an enabled privilege to determine
    whether to allow a piece of code to use a service.
  - Must modify system classes to consult the policy manager (via
    checkPrivilege).
  - Can be extended to handle more expressive security policies.
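Stack introspection modelled in Python (an added example, not the paper's or any browser's code): the call stack is simulated as an explicit list of frames, each tagged with the principal whose code is running and the privileges that frame enabled, and the three functions operate on it. The principal names, the POLICY table, and the decision to deny when the stack is exhausted are assumptions of this model.

```python
# Added example (not the paper's code): a Python model of stack introspection.
# The call stack is simulated explicitly as a list of frames, each tagged with
# the principal whose code is running and the privileges that frame enabled.

class Forbidden(Exception):
    pass


class Frame:
    def __init__(self, principal):
        self.principal = principal
        self.enabled = set()       # targets enabled in this frame


# Constructed sample policy: which targets each principal may enable.
POLICY = {
    "system": {"FileRead", "Net"},
    "signed-applet": {"FileRead"},
    "untrusted": set(),
}


class Stack:
    def __init__(self):
        self.frames = []

    def call(self, principal):
        """Simulate entering a method belonging to `principal`."""
        self.frames.append(Frame(principal))


def enable_privilege(stack, target):
    top = stack.frames[-1]
    if target not in POLICY[top.principal]:
        raise Forbidden(f"{top.principal} may not enable {target}")
    top.enabled.add(target)


def disable_privilege(stack, target):
    stack.frames[-1].enabled.discard(target)


def check_privilege(stack, target):
    """Walk from the most recent frame toward the oldest.

    A frame whose principal is not allowed `target` denies immediately, so
    untrusted code below trusted code on the stack cannot borrow its privilege.
    A frame that enabled `target` grants. This model denies if the stack is
    exhausted with nothing enabled (a choice made here, not the paper's spec).
    """
    for frame in reversed(stack.frames):
        if target not in POLICY[frame.principal]:
            raise Forbidden(f"{frame.principal} on the stack is denied {target}")
        if target in frame.enabled:
            return True
    raise Forbidden(f"no frame enabled {target}")


def allowed(stack, target):
    try:
        return check_privilege(stack, target)
    except Forbidden:
        return False


# Scenarios: the "system" frame stands for a modified system class that calls
# checkPrivilege before touching the resource.

def signed_applet_reads_file():
    s = Stack()
    s.call("signed-applet")
    enable_privilege(s, "FileRead")
    s.call("system")                      # e.g. a file-stream constructor
    return allowed(s, "FileRead")         # True


def untrusted_calls_trusted_library():
    s = Stack()
    s.call("untrusted")
    s.call("system")                      # library did not enable anything
    return allowed(s, "FileRead")         # False: untrusted caller is below


def privilege_does_not_leak_to_callee():
    s = Stack()
    s.call("signed-applet")
    enable_privilege(s, "FileRead")
    s.call("untrusted")                   # applet calls an untrusted helper
    s.call("system")
    return allowed(s, "FileRead")         # False: untrusted frame in between


def untrusted_cannot_enable():
    s = Stack()
    s.call("untrusted")
    try:
        enable_privilege(s, "FileRead")
        return False
    except Forbidden:
        return True                       # True: policy refuses the enable


def disable_takes_effect():
    s = Stack()
    s.call("signed-applet")
    enable_privilege(s, "FileRead")
    disable_privilege(s, "FileRead")
    s.call("system")
    return allowed(s, "FileRead")         # False
```

The two denial scenarios are the point of walking the whole stack rather than looking only at the caller: a privilege enabled by a signed applet does not flow down to untrusted code it calls, and untrusted code does not gain anything by routing its request through a trusted library that happens to sit above it.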
- Name Space Management
  - Modify the ClassLoader to check the principal's privileges and return a
    subclass of the requested class.
  - All security decisions are made statically.
  - Potentially difficult to implement in the presence of reflection and
    downcasting.
  - Sharing classes between different principals becomes a problem.
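Name space management modelled in Python (an added example, not the paper's code): a load_class function stands in for the modified ClassLoader and decides once, at load time, which class a principal sees under a given name, returning a restricted subclass when policy says so. It also shows the two weaknesses listed above: objects do not flow cleanly between principals, and an unrestricted object that reaches untrusted code is never rechecked. The File class, the principals and NAMESPACE_POLICY are assumptions of this model.

```python
# Added example (not the paper's code): a Python model of name-space
# management. The loader decides once, at load time, which class a principal
# sees under a given name, by returning a restricted subclass when policy says so.

class File:
    """Unrestricted system class."""

    def open(self, path):
        return f"opened {path}"


class RestrictedFile(File):
    """Subclass handed to principals that must not touch files."""

    def open(self, path):
        raise PermissionError("file access denied by name-space policy")


SYSTEM_CLASSES = {"File": File}

# Constructed sample policy: principal -> {class name: substitute subclass}.
NAMESPACE_POLICY = {
    "system": {},
    "untrusted": {"File": RestrictedFile},
}


def load_class(principal, name):
    """Model of the modified ClassLoader: the security decision is made here,
    statically, rather than at each call."""
    substitutes = NAMESPACE_POLICY[principal]
    return substitutes.get(name, SYSTEM_CLASSES[name])


def untrusted_code_opens_file():
    applet_file_cls = load_class("untrusted", "File")   # resolves to RestrictedFile
    try:
        applet_file_cls().open("/etc/passwd")
        return False
    except PermissionError:
        return True                                      # blocked at name resolution


def system_code_opens_file():
    return load_class("system", "File")().open("/etc/motd")


def sharing_problem():
    """Two principals see different classes under the same name, so objects do
    not flow cleanly between them.

    Returns (applet object is a system File?, system object is an applet File?).
    """
    applet_cls = load_class("untrusted", "File")
    system_cls = load_class("system", "File")
    applet_obj, system_obj = applet_cls(), system_cls()
    # (True, False): a restricted object is still a File for system code, but a
    # system File is not an instance of what untrusted code knows as "File".
    return isinstance(applet_obj, system_cls), isinstance(system_obj, applet_cls)


def leaked_reference_bypasses_policy():
    """Because the check happens only when the name is resolved, an unrestricted
    object that reaches untrusted code (through reflection, a downcast, or just
    a parameter) carries full access; nothing is rechecked at the call."""
    system_obj = load_class("system", "File")()
    return system_obj.open("/etc/passwd")
```

Contrast this with stack introspection, where the check runs at every use: here the only enforcement point is load_class, so the security of the scheme rests entirely on no unrestricted object ever escaping into a principal whose name space was supposed to exclude it.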
Issues
- Notion of principal (implemented via digital signatures). How many
  principals can "sign" a piece of code?
- User control of policies.
- When should policy be resolved? Installation time? Load time? Run time?
Related Work
- Proof-Carrying Code (Necula and Lee, CMU)
- Security and Typed Applets (Leroy and Rouaix, INRIA)
- SLam (Heintze and Riecke, Bell Labs)
- Type-based security (Volpano and Smith, SRI Computer Science Labs)
- TAL (Morrisett et al., Cornell)
- Security Automata (Erlingsson and Schneider, Cornell)
- JFlow (Myers, Cornell)