Extending Security for
Download
1 / 20

Extending Security for Object-Oriented Models using Security Meta-Objects - PowerPoint PPT Presentation


  • 73 Views
  • Uploaded on

Extending Security for Object-Oriented Models using Security Meta-Objects. Fahd Arshad. Based upon the work of Thomas Riechmann & Franz J. Hauck:. Meta Objects for Access Control: Extending Capability-Based Security ACM New Security Paradigms Workshop 97 Proceedings (NSPW97),

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Extending Security for Object-Oriented Models using Security Meta-Objects' - nerea-walters


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Extending Security for

Object-Oriented Models

using Security Meta-Objects

Fahd Arshad

Based upon the work of Thomas Riechmann & Franz J. Hauck:

Meta Objects for Access Control:

Extending Capability-Based Security

ACM New Security Paradigms Workshop 97 Proceedings (NSPW97),

Great Langdale, UK, 1997.


Basics of capabilities in object oriented systems
Basics of Capabilities in Object-oriented Systems

  • What are objects and how are they related?

  • What is an object-oriented system (OOS)?

  • What is Access Control?

  • What are capabilities and references?


Illustration an object oriented system

Object

A

Object

C

Method P()

Method Q()

Method R()

Object

B

Object

D

Data S

Data T

Illustration: An Object-oriented System


Illustration an object oriented system1

Object

A

Object

C

Object

B

Object

D

Illustration: An Object-oriented System

Objects

Subjects


Principles of capability based security
Principles of Capability-based Security

  • Access based on possession of rights by capability

  • Allow revocation of rights by issuer

  • Rights expire after a specified period

  • Rights are implemented by an attached script


Drawbacks of capability based security
Drawbacks of Capability-based Security

  • Highly complex exchange maps make proving security

  • implementation scheme correctness very difficult.

  • Problems lead to dilution of object-oriented model: larger interfaces and objects and fewer references.

  • A capability can not prevent method invocations from leaking references to untrusted objects. Propagation restriction is too restrictive a solution. Providing access control explicitly involves amending all existing code, and is not in accord with OOP of encapsulation and reusability.


Domain based security

Object

A

Object

C

Object

B

Object

D

Domain-based Security

  • Java and CORBA use domain- and ACL-based security to improve upon capabilities.


Introduction to security meta objects smos
Introduction to Security Meta Objects (SMOs)

  • Assumption: OO programming model that does not allow access except by using object references (e.g. Java and its Byte-code Verifier)

  • An SMO is an object which can be attached to a reference in order to enforce security.

  • It can not be detached unless it itself allows


Illustration smos and references
Illustration: SMOs and References

Object

Variable 1

Variable 2

Variable 3

SMO1

SMO2


Capabilities implemented as smos
Capabilities Implemented As SMOs

  • Capabilities add three concepts to object references, each ofwhich can be enforced using SMOs:

  • Restriction of access

  • Revocation of access

  • Expiration of access


Implementation expiring list smo
Implementation: Expiring List SMO

List list =.....; // a list reference

SecurityMeta smo = new MetaExpire(new Date(12,31,2001));

// create SMO

smo.attachTo(list); // connect SMO to object reference

// now the reference 'list' is protected

list.Get(...); // any call to the list is checked

// The implementation of the MetaExpire class:

class MetaExpire extends SecurityMeta {

final Date d; // expiration date

MetaExpire(Date d){// Constructor

this.d = d; // store date in “d”

}

// this method checks calls via protected ref

void incomingCall(Object o, Method m, ParameterList p){

// Check if the reference is expired:

if (d.isBefore(getCurrentDate())) {

// throw exception, if ref. expired

throw(new SecException(...));

} } }


Illustration expiring list smo

Untrusted U

list

Trusted T

smo

Illustration: Expiring List SMO


Extending capability based security with smos
Extending Capability-based Security With SMOs

  • SMOs cure an important vulnerability in pure systems: lack of access control over references passed to untrusted parts of an application.

  • Lack of transitive protection: methods can return unprotected objects


Implementation transitivity of access control
Implementation: Transitivity of Access Control

  • If a method returns an object, it is unprotected. Simple solution: if the original method invocated through a protected reference, SMO is attached implicitly to all outgoing references:

// The re-implementation of the MetaExpire class:

class MetaExpire extends SecurityMeta {

final Date d; MetaExpire(Date d){this.d = d;}

void incomingCall(Object o,...){…}

void outgoingRef(Object o,...){

// object reference ‘o’ is being returned

this.attachto(o);

}

}


Illustration of a transitive smo for list

Untrusted U

Untrusted V

Illustration of a Transitive SMO for List

object

list

Trusted T

smo


Illustration trojan horse problem

Untrusted U

Untrusted V

Illustration: Trojan Horse problem

object

m

list

Trusted T

smo


Implementation trojan horse solution
Implementation: Trojan Horse solution

  • If a method returns an object, it is unprotected. Simple solution: if the original method invocated through a protected reference, SMO is attached implicitly to all outgoing references:

// The re-implementation of the MetaExpire class:

class MetaExpire extends SecurityMeta {

final Date d; MetaExpire(Date d){this.d = d;

}

void incomingCall(Object o,...){…}

void incomingRef(Object o,...){

this.reverseAttachto(o);

}

void outgoingRef(Object o,...){

this.attachto(o);

}

}


Conclusion smos capabilities on steroids
Conclusion SMOs: Capabilities on Steroids

  • Protected class implementation does not require any support for security.

  • SMO implementation does not need any special support for protected class and can be used with any class.

  • General forms of SMO are class-independent and may be reused

  • Specialized forms may be implemented for method-dependent security.



References
References

  • Presented by Fahd Arshad for CS428: Operating Systems taught by Dr. Linda Lankewicz at Sewanee in Fall [email protected], http://itw.sewanee.edu/Fahd/

  • Based on a paper presented to ACM New Security Paradigms Workshop at Great Langdale, UK, 1997 by Thomas Riechmann & Franz J. Hauck

  • Authors’ web pages:http://www4.informatik.uni-erlangen.de/~fzhauck/http://www4.informatik.uni-erlangen.de/~riechman/


ad