1 / 20

Extending Security for Object-Oriented Models using Security Meta-Objects

Extending Security for Object-Oriented Models using Security Meta-Objects. Fahd Arshad. Based upon the work of Thomas Riechmann & Franz J. Hauck:. Meta Objects for Access Control: Extending Capability-Based Security ACM New Security Paradigms Workshop 97 Proceedings (NSPW97),

Download Presentation

Extending Security for Object-Oriented Models using Security Meta-Objects

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Extending Security for Object-Oriented Models using Security Meta-Objects Fahd Arshad Based upon the work of Thomas Riechmann & Franz J. Hauck: Meta Objects for Access Control: Extending Capability-Based Security ACM New Security Paradigms Workshop 97 Proceedings (NSPW97), Great Langdale, UK, 1997.

  2. Basics of Capabilities in Object-oriented Systems • What are objects and how are they related? • What is an object-oriented system (OOS)? • What is Access Control? • What are capabilities and references?

  3. Object A Object C Method P() Method Q() Method R() Object B Object D Data S Data T Illustration: An Object-oriented System

  4. Object A Object C Object B Object D Illustration: An Object-oriented System Objects Subjects

  5. Principles of Capability-based Security • Access based on possession of rights by capability • Allow revocation of rights by issuer • Rights expire after a specified period • Rights are implemented by an attached script

  6. Drawbacks of Capability-based Security • Highly complex exchange maps make proving security • implementation scheme correctness very difficult. • Problems lead to dilution of object-oriented model: larger interfaces and objects and fewer references. • A capability can not prevent method invocations from leaking references to untrusted objects. Propagation restriction is too restrictive a solution. Providing access control explicitly involves amending all existing code, and is not in accord with OOP of encapsulation and reusability.

  7. Object A Object C Object B Object D Domain-based Security • Java and CORBA use domain- and ACL-based security to improve upon capabilities.

  8. Introduction to Security Meta Objects (SMOs) • Assumption: OO programming model that does not allow access except by using object references (e.g. Java and its Byte-code Verifier) • An SMO is an object which can be attached to a reference in order to enforce security. • It can not be detached unless it itself allows

  9. Illustration: SMOs and References Object Variable 1 Variable 2 Variable 3 SMO1 SMO2

  10. Capabilities Implemented As SMOs • Capabilities add three concepts to object references, each ofwhich can be enforced using SMOs: • Restriction of access • Revocation of access • Expiration of access

  11. Implementation: Expiring List SMO List list =.....; // a list reference SecurityMeta smo = new MetaExpire(new Date(12,31,2001)); // create SMO smo.attachTo(list); // connect SMO to object reference // now the reference 'list' is protected list.Get(...); // any call to the list is checked // The implementation of the MetaExpire class: class MetaExpire extends SecurityMeta { final Date d; // expiration date MetaExpire(Date d){// Constructor this.d = d; // store date in “d” } // this method checks calls via protected ref void incomingCall(Object o, Method m, ParameterList p){ // Check if the reference is expired: if (d.isBefore(getCurrentDate())) { // throw exception, if ref. expired throw(new SecException(...)); } } }

  12. Untrusted U list Trusted T smo Illustration: Expiring List SMO

  13. Extending Capability-based Security With SMOs • SMOs cure an important vulnerability in pure systems: lack of access control over references passed to untrusted parts of an application. • Lack of transitive protection: methods can return unprotected objects

  14. Implementation: Transitivity of Access Control • If a method returns an object, it is unprotected. Simple solution: if the original method invocated through a protected reference, SMO is attached implicitly to all outgoing references: // The re-implementation of the MetaExpire class: class MetaExpire extends SecurityMeta { final Date d; MetaExpire(Date d){this.d = d;} void incomingCall(Object o,...){…} void outgoingRef(Object o,...){ // object reference ‘o’ is being returned this.attachto(o); } }

  15. Untrusted U Untrusted V Illustration of a Transitive SMO for List object list Trusted T smo

  16. Untrusted U Untrusted V Illustration: Trojan Horse problem object m list Trusted T smo

  17. Implementation: Trojan Horse solution • If a method returns an object, it is unprotected. Simple solution: if the original method invocated through a protected reference, SMO is attached implicitly to all outgoing references: // The re-implementation of the MetaExpire class: class MetaExpire extends SecurityMeta { final Date d; MetaExpire(Date d){this.d = d; } void incomingCall(Object o,...){…} void incomingRef(Object o,...){ this.reverseAttachto(o); } void outgoingRef(Object o,...){ this.attachto(o); } }

  18. Conclusion SMOs: Capabilities on Steroids • Protected class implementation does not require any support for security. • SMO implementation does not need any special support for protected class and can be used with any class. • General forms of SMO are class-independent and may be reused • Specialized forms may be implemented for method-dependent security.

  19. Questions?

  20. References • Presented by Fahd Arshad for CS428: Operating Systems taught by Dr. Linda Lankewicz at Sewanee in Fall 2000.fahd@acm.org, http://itw.sewanee.edu/Fahd/ • Based on a paper presented to ACM New Security Paradigms Workshop at Great Langdale, UK, 1997 by Thomas Riechmann & Franz J. Hauck • Authors’ web pages:http://www4.informatik.uni-erlangen.de/~fzhauck/http://www4.informatik.uni-erlangen.de/~riechman/

More Related