sign in sign up
<<
Home , E (programming language)

The following paper was originally published in the Proceedings of the 7th USENIX Security Symposium San Antonio, Texas, January 26-29, 1998

Operating System Protection for Fine-Grained Programs

Trent Jaeger, Jochen Liedtke, and Nayeem Islam IBM T.J. Watson Research Center

For more information about USENIX Association contact: 1. Phone: 510 528-8649 2. FAX: 510 548-5738 3. Email: [email protected] 4. WWW URL:http://www.usenix.org/

Op erating System Protection for Fine-Grained Programs

Trent Jaeger Jo chen Liedtke Nayeem Islam

IBM T. J. Watson Research Center

Hawthorne, NY 10532

Emails:fjaegertjjo [email protected] m.comg

Abstract numb er of protection domain crossings must b e han-

dled securely i.e., correctly with resp ect to the secu-

We present an op erating system-level security mo del

rity requirements to prevent attacks and eciently

for controlling ne-grained programs, suchasdown-

to minimize p erformance degradation. In this pap er,

loaded executable content, and compare this security

we show that a security mo del implemented on a fast

mo del's implementation to that of language-based

and exible IPC mechanism can enforce security re-

security mo dels. Language-based security has well-

quirements that language-based systems cannot with

known limitations, such as the lack of complete me-

little p erformance impact.

diation e.g., for compiled programs or race condi-

Several op erating systems use hardware-based

tion attacks and faulty self-protection e ective secu-

protection to prevent pro cesses from inadvertently

rity is unproven. Op erating system-level mo dels are

and/or maliciously mo difying one another. Each

capable of complete mediation and self-protection,

pro cess has an address space that de nes a set of

but some researchers argue that op erating system-

memory segments and the pro cess's access rights to

level security mo dels are unlikely to supplant such

those segments. A pro cess can only access memory

language-based mo dels b ecause they lack p ortability

in its own address space. In addition, the op erating

and p erformance. In this pap er, we detail an op er-

system has a security mo del that asso ciates pro cesses

ating system-level security mo del built on the Lava

with their access rights to system resources. Using

Nucleus, a minimal, fast -kernel op erating system.

address spaces of suitable granularity and pro cess ac-

We showhow it can enforce security requirements

cess rights to controlled resources, an op erating sys-

for ne-grained programs and show that its p erfor-

tem can control a pro cess's op erations as desired.

mance overhead with the additional security can

However, op erating system security mo dels have

b e virtually negligible when compared to language-

b een deemed to lack the p erformance and exibility

based mo dels. Given the sucient p erformance and

necessary to control ne-grained programs. While

security, the p ortability issue should b ecome mo ot

some systems have b een built that eciently con-

b ecause other vendors will have to meet the higher

trol pro cesses in dynamically-de ned protection do-

security and p erformance exp ectations of their cus-

mains [3,8, 14], these systems have b een applied

tomers.

only to more traditional applications e.g., PostScript

interpreters. In an application comp osed of ne-

grained programs, programs with di erent protection

1 Intro duction

domains interact often p erhaps as much as on each

metho d invo cation. In a recent pap er, Wallach et

We demonstrate how op erating system protection can

al. [25] discard address space-based protection from

b e used to control ne-grained programs exibly and

consideration for applications with ne-grained pro-

eciently. Op erating systems use hardware-based

grams by noting that IPC b etween two COM ob jects

protection to isolate pro cesses from one another.

on Windows NT takes 1000 times longer than a pro-

However, the way that current op erating systems

cedure call 230 sto0.2s. We claim that this

implement this protection has caused researchers to

discrepancy can b e virtually eliminated while gaining

deem them to o slow and in exible for controlling ne-

security and maintaining exibility.

grained programs. Fine-grained programs have dif-

ferent protection domains and mayinteract often in Wehave develop ed a prototyp e implementation of

the course of a computation. The e ect of a large a exible security mo del for controlling downloaded

content. This mo del is implemented on the Lava Nu- individual content. The securitykernel must b e able

cleus. The Lava Nucleus provides address spaces, to mediate all controlled op erations. To enforce least

threads, fast IPC, exible paging, and IPC inter- privilege on content p ermissions may b e based on ap-

ception that enable ecient and exible control of plication state and evolve as application state evolves.

pro cesses. In this pap er, we primarily concentrate on The securitykernel must b e able to control this evolu-

the e ectiveness of the Lavanucleus for implement- tion within reasonable limits. Lastly, the kernel must

ing a exible security mo del and its resultant p er- b e able to protect itself from mo di cations that may

formance. We show that fast IPC and IPC intercep- result in tamp ering with its b ehavior.

tion enable the implementationof dynamical ly autho-

A question that has re-app eared recently is whether

rized IPC that can b e p erformed in as little as 9.5 s.

language-based or op erating system-based protection

We b elieve further ro om for optimziation is p ossible,

is b etter suited for e ectively and eciently control-

given an ideal estimate for dynamically authorized

ling such ne-grained programs. Or otherwise stated:

IPC is ab out 4 s. Also, exible page mapping in the

to what extent can op erating system protection e-

Lava Nucleus enables ob jects of size greater than the

ciently provide e ective security and to what extent

hardware page size to b e shared among pro cesses, so

can language protection e ectively provide ecient

coarse-grained sharing of memory b etween pro cesses

security? As describ ed b elow, op erating system pro-

is p ossible.

tection has several advantages over language protec-

The structure of this pap er is as follows. In Sec-

tion from a security p ersp ective, but the cost of do-

tion 2, we compare language-based and op erating

main crossings make it questionable whether ecient

system-based security mo dels. In Section 3, we de-

op erating system protection for ne-grained pro cesses

scrib e an op erating system security mo del for down-

is p ossible. On the other hand, language protection

loaded executable content. In Section 4, we describ e

can b e implemented eciently, but some key security

the implementation of this mo del on the Lava Nu-

safeguards are weakened such that e ective security

cleus. In Section 5, we examine the p erformance of

may b e lost.

the prototyp e implementation and compare its p er-

Traditionally, op erating systems have enforced sys-

formance to language-based mo dels for ne-grained

tem security requirements b ecause hardware-based

programs of the sort discussed byWallach et al. In

protection provides signi cant advantages in the key

Section 6, we conclude and present future work.

areas of economy of mechanism, fail-safe defaults,

and complete mediation [23]. The op erating system's

TCB can protect pro cesses by restricting them to

2 Language vs. O/S Protection

their own address spaces which can b e enforced by

a simple mechanism at least compared to a com-

The basic problem is to implement a securitykernel

piler. Since only the program requested is placed in

that e ectively and eciently enforces the security

the address space, other, indep endent programs are

requirements of downloaded executable content. The

not a ected by its failure assuming the op erating

basic requirements of any security infrastructure are

1 system adequately protects itself from such failures.

that it can adapted from [2]:

Also, since the op erating system can intercept any in-

terpro cess communication IPC b etween pro cesses,

 assign p ermissions dynamically to individual

controlled op erations by a program including com-

content,

piled ones can b e completely mediated by the op er-

 mediate all controlled op erations using such p er-

ating system.

missions i.e., an op eration that a pro cess is not

Language-based protection has gained favor in re-

unconditionally trusted to invoke,

centyears, however. We attribute this p opularity

to three factors: 1 improvements in the develop-

 manage the evolution of p ermissions as content

ment of \safe" languages; 2 the p erception that

is executed,

programs will b ecome increasingly ne-grained, and

 protect itself from tamp ering

ne-grained domains are prohibitively exp ensiveto

enforce; and 3 lack of exibility in op erating system

For a system that uses dynamically downloaded ex-

security mo dels. \Typ e-safe" languages are strongly-

ecutable content, p ermissions must b e assignable to

typ ed i.e., all data is typ ed and casting is restricted

1

There is an additional requirement that any \securityker-

or prohibited and do not p ermit direct addressing

nel" b e simple enough that indep endentevaluators can assess

of the system's memory i.e., no p ointers. There-

whether it will op erate prop erly. While we will not prove such

fore, all data is accessed according to its interface, so

a feature ab out our system here we do attempt to keep the

security mo del as simple as is feasible. complete mediation of controlled op erations in pro-

grams written in such languages is p ossible. Other the current call stackmay not represent the actual

\safe" languages, such as Safe-Tcl [4,21], Penguin [7], context since classes that are no longer on the stack

and Grail [24] dep end on removal of op erations that may in uence the execution. In addition, security

would enable the language security infrastructure to dep ends on the prop er placement of calls to the au-

b e circumvented. Also, with the increased p opular- thorization ob ject. For applications, this means that

ity of comp onent-based system infrastructure, such co de must b e changed to control a previously uncon-

as Java Beans, and the abilitytodownloaded co de trolled ob ject.

dynamically, are leading p eople to predict that pro-

The question is whether op erating system protec-

grams with b ecome more ne-grained. Mediation of

tion can b e made exible enough and ecient enough

IPC b etween pro cesses has signi cant p erformance

for ne-grained programs. We b elieve that the ex-

implications for op erating systems b ecause they may

ibility question has b een answered for a long time,

need to p erform exp ensive op erations, such as han-

but the systems for whichitwas answered are no

dling TLB misses, up on domain changes. Also, the

longer in wide use. Several research op erating sys-

security mo dels of current commercial op erating sys-

tems were develop ed that used capabilities to attach

tems, such as UNIX and DOS/Windows, lack the

exible protection domains to pro cesses in a secure

exibility to dynamically assign p ermissions to user

manner [16,20,28]. For example, [28] ob-

pro cesses or p ermit controlled sharing of memory

tained exibilityby attaching capabilities to pro ce-

among pro cesses.

dures. SCAP [16] and PSOS [20] demonstrated that

anumb er of security prop erties could b e enforced by

Language-based protection has some signi cant

these systems. However, the applications of the time

weaknesses, however. First, the TCB of a system

had much simpler security requirements, so much less

dep ending on language protection is larger b ecause

secure systems were adopted as de facto standards.

nowwemust trust the compilers and co de veri ers

We, therefore, b elieve that the key problem to us-

as well as the \system" TCB ob jects provided by

ing op erating system protection for ne-grained pro-

the system. While compilers are much b etter un-

grams is p erformance. At IBM, we are developing

dersto o d than they once were, a minimal TCB is still

the Lava Nucleus which is a minimal, fast, and exi-

preferred. Second, since all programs run within a

single address space, fail-safety is not what it is in ble -kernel. It provides the basic system constructs,

op erating systems. This means that a security aw such as pro cesses, address spaces, and threads, and

provides general mechanisms for using these primi-

will result in the attacker gaining all privileges that

tives, such as exible memory mapping primitives,

the virtual machine has. Given that single domain

fast IPC, and IPC redirection. In this pap er, we show

op erating systems based on language protection are

b eing built e.g., Java OS, this means that compro- that a exible op erating system protection mo del for

mise of the virtual machine can result in signi cant downloaded executable content can b e designed and

that it can b e implemented eciently using the Lava

losses. Third, it is not clear what the actual size and

Nucleus. From this, we measure the currently achiev-

numb er of comp onents that can share a protection

able p erformance of op erating system protection and

domains will b e. In Wallach et al., they measured

30,000 domain crossings p er second. It is not explicit evaluate how this a ects the overall system p erfor-

in their pap er, but we assume that many of these mance. In the future, we exp ect that language-based

and op erating system protection to b e jointly used

domain crossings involved trusted classes whose use

dep ending on the security requirements with op-

have few security implications. Therefore, we b elieve

erating system protection providing a simple, fail-

that many of these claimed domain crossings can b e

safe security mechanism that may completely mediate

avoided. Lastly, and most obviously, language-based

protection is language-sp eci c and do es not apply to controlled domains.

compiled co de. Therefore, complete mediation de-

p ends on a homogeneous system whichwe b elieveis

unlikely.

3 Security Mo del

Also, language-based protection has its own p er-

formance problems and the optimizations to improve An e ective security mo del for downloaded exe-

p erformance intro duce subtle security aws. For ex- cutable content requires signi cant exibility in the

ample, in the JDK 1.2 sp eci cation [10], excess au- creation of principals, assignment of their p ermis-

thorizations on every metho d invo cation since there sions, and management of their p ermissions through-

may b e many real domains within a single protection out the content's execution. We use Lampson's pro-

domain are prevented by using the call stack to de- tection matrix [17] to help describ e these require-

termine the current authorization context. However, ments. It shows the relationships among sub jects,

ob jects, and the op erations that sub jects can p erform

w consider the security on ob jects p ermissions. No Secure System

Process

requirements for controlling downloaded executable

content describ ed b elow. IPC

Process

Sub jects: There may b e one sub ject p er down-

 Monitor

loaded content, although some sub jects maybe

reused within a session. Load

Create Authorized IPC

 Ob jects: The ob jects may refer to logical ob- ust b e mapp ed to the individual jects that m Process Authentication Object

Load

wnloading principals system at runtime. do Server Server

Server

 Permissions: The set of p ermissions that a sub-

Micro-kernel

ject has at any time to ob jects mayevolveas

tent sub jects executes.

system's con Secure Boot Mechanism

In traditional systems, the set of sub jects is gen-

erally mapp ed to the set of users and a set of well-

Figure 1: Security Mo del Architecture

known services. This granularity is to o coarse for

downloaded content. Each contentmay b e asso ci-

ated with a di erent principal that is an aggregate of

server derives the p ermissions for this content prin-

basic principals e.g., downloading principal execut-

cipal. The pro cess load server assigns a monitor to

ing content from a provider within a sp eci c instance

enforce a pro cess's p ermissions. Monitors intercept

of an application. Also, in traditional systems, the

and authorize all IPCs emanating from or directed

set of ob jects is well-known. This may not b e the case

to the controlled pro cess. Monitors maintain a rep-

in downloaded content systems b ecause the content

resentation of the controlled pro cesses access rights

providers mayhave limited knowledge ab out the sys-

and can b oth add to and revoke access rights from

tems up on which their content is run. In addition, the

the controlled pro cess.

amount of p olicy sp eci cation can b e reduced if the

In the design of our security mo del, we make the

logical ob jects that are mapp ed to a sp eci c princi-

following assumptions. System administrators are

pal's domain at runtime can b e used. Lastly, enforce-

completely trusted to set system p olicy. A set of

ment of least privilege on content is more imp ortant

certi cation authorities are trusted to vouch for the

than for traditional programs b ecause these programs

public keys of principals. A secure b o oting mech-

are transient and from only partially trusted sources

anism is trusted to initialize the op erating system

i.e., mayhave bugs. In traditional systems, p ermis-

prop erly.We assume the existence of such a mecha-

sions are assigned to principals and must cover every

nism as prop osed for the Taos op erating system [27].

execution of that principal, or else some application

The kernel itself is trusted to create pro cesses and

executions would fail. For content, the state of an

threads prop erly, separate pro cess address spaces,

application may also b e used to limit the p ermissions

identify the source of IPC, and redirect the IPC of

to those necessary for the task at hand.

controlled pro cesses to monitors. The authentication

To solve these problems, we prop ose an security

server is trusted to p erform cryptographic op erations

mo del that provides basic security mechanisms and

correctly. The pro cess load server is trusted to setup

p olicy representations to enable the control of down-

the pro cesses and monitors prop erly, so the security

loaded executable content. The mo del is shown in

requirements as sp eci ed can b e enforced. Monitors

Figure 1. In this security mo del, a securebooting

are trusted within a domain limited by the rights that

mechanism loads a nucleus of an op erating system.

they can delegate to pro cesses. Monitors may also

The nucleus provides the basic functionality to cre-

b e trusted to read and not leak server data to other

ate and execute pro cesses and enables them to in-

pro cesses. The system has limited trust in users, ap-

tercommunicate via IPC. The nucleus initiates a

plications, and downloaded content.

process load server that creates subsequent pro cesses

and can dynamically load libraries and co de comp o- The following three subsections describ e how the

nents into existing pro cesses. The pro cess load server rst three of the security requirements of the system

uses an authentication server to authenticate content are enforced. The fourth security requirement's must

and determine the content principal. A derivation b e enforced throughout each of these op erations.

3.1 Pro cess Loading other. In addition, the content and pro cess must also

b e able to e ectively p erform their jobs with the re-

The pro cess load server receives load requests for

sultant rights for the co-lo cation to b e feasible.

ob jects and retrieves, validates, and loads the ob-

While these restrictions limit the content that can

ject. Some ob jects may b e executable and some may

b e loaded into the requesting pro cess, a variety of use-

not, but our discussion fo cuses on the loading of ex-

ful content can still b e downloaded and co-lo cated.

ecutable ob jects.

Trusted libraries can b e co-lo cated with the request-

The pro cess load server solves the following prob-

ing pro cess in many instances. For example, many

lems:

Java classes in java.lang package although not the

Java ClassLoader whose functionalitywe are sup er-

 retrieve requested executable content,

seding can b e loaded into a requesting pro cess. For

example, the String class do es not provide the user's

 uses the authentication server to verify the au-

pro cess any additional rights although it maybe

thenticity of content and derive the content prin-

used to circumvent language-based security, so it can

cipal,

b e loaded into the requestor's address space. Also, we

 uses the derivation server to derive the content's

think that all the classes in the java.io can b e loaded

p ermissions,

into a requesting pro cess, b ecause restricted access

to the le server can b e enforced by the monitor. Of

 nd the pro cess in which to load the content,

the 30,000 domain crossings p er second measured by

Wallach et al.,we exp ect that many of those do not

 load the contentinto that pro cess

really require a change in domain for the requesting

pro cess. Our exp erience with the FlexxGuard proto-

Our e ort here is concentrated on a mechanism

typ e system a controlled Javainterpreter was that

for loading executable content. We prop ose mech-

restricting the p ermissions of the Java system classes

anisms and p olicy representations for authentication

to that of the current applet b eing run still p ermitted

and p ermission derivation elsewhere [12,13]. These

many useful applications to b e implemented [1].

mechanism enable p ermissions to b e derived dynami-

cally for downloaded content given limited input from

multiple principals.

3.2 Permission Management

While IPC can b e faster than 230 s, it is still well

understo o d that pro cedure calls are faster. IPC in the A pro cess's monitor also manages the evolution of

Lava Nucleus takes 4 times longer on a Pentium than its p ermissions throughout its execution. In general,

p ermission changes o ccur for two reasons: 1 an ap-

a pro cedure call than Wallach et al. [26] measure for

plication state change maywarrantachange in the

a PC. In addition, there are indirect costs that are a

result of the context switch, such as the handling TLB controlled pro cess's p ermissions and 2 one content

and cache misses. While the Lava Nucleus is designed using another may result in a restriction of p ermis-

to enable these costs to b e reduced, the fewer context sions to prevent information leakage. In the rst case,

switches the b etter. a user may p erform an op eration that results in the

delegation of rights to downloaded content. For ex-

To reduce these overheads, wewant the ability

ample, the loading of a le into an application may

to link supp orting content in the requesting pro cess.

result in the delegation of the p ermissions to read

However, only links that ensure that b oth the request-

and write the le to content used in the application.

ing pro cess and the downloaded content do not ob-

These p ermission changes must b e limited to prevent

tain any unauthorized access rights can b e p ermitted.

a pro cess from obtaining an unauthorized right. Also,

This is only p ossible if: 1 neither the downloaded

the interaction of twountrusted content pro cesses

content nor the requesting pro cess gain any p ermis-

may require that their p ermissions b e intersected to

sions as a result of the co-lo cation; 2 the downloaded

prevent the callee from p erforming unauthorized op-

content is p ermitted access to the requesting pro cess's

erations on b ehalf of the caller.

data and vice versa; and 3 the downloaded content

can run prop erly with the rights of the requesting

Permission management requires:

pro cess. For the rst condition to hold, the p ermis-

sions of the joint pro cess must b e the intersection of

 the ability to add rights to the current p ermis-

the p ermissions of the content loaded into it. Thus,

sions,

neither pro cess can use a p ermission unless b oth had

it previously. Also, neither contentmayhave data in  the ability to revoke rights from the current p er-

its address space that it must keep secret from the missions,

 a mapping of events to p ermission transforma- authorized by the monitor, and if successful, the re-

tions, quested is forwarded to the destination.

Pro cess mediation requires that the following tasks

 a limit to the rights that can b e delegated to

b e accomplished:

content,

 con gure the system such that monitors can au-

thorize all controlled op erations,

In this security mo del, a monitor can add a rightto

a pro cess's p ermissions if: 1 the delegating pro cess

 describ e the authorization semantics of op era-

has the p ermission; 2 the delegating pro cess is p er-

tions well enough to enable their authorization,

mitted to delegate that p ermission to the delegatee;

and 3 the p ermission is within the maximal per-

 provide monitors with the pro cess's current p er-

missions for the pro cess. Each monitor maintains

missions to authorization

a mapping of its pro cesses to its delegating princi-

pals and p ermissions called assignment limits that

Each IPC must b e intercepted for complete media-

that principal can delegate to this pro cess. Any del-

tion. Therefore, it is necessary to place a monitor on

egated rightmust b e within the pro cess's maximal

each IPC path. Typically, monitoring is asso ciated

p ermissions b oth the initial current p ermissions and

either with the server which enforces access control

maximal p ermissions for a pro cess are derived by the

on its clients or on the client limits access of the

derivation service. This limits the rights available to

client. There are limitations to b oth approaches. In

a pro cess in general.

client monitoring, monitors can, in theory, enforce

Revo cation of rights is more dicult b ecause ca-

arbitrary security p olicy, but in practice they have

pabilities can b e copied. To prevent a pro cess from

limited knowledge ab out the servers to which they

using a revoked capability, the monitor do es not pass

are controlling access. On the other hand, servers

capabilities to its controlled pro cesses. Instead, a de-

are typically trusted to enforce security requirements

scriptor is returned to the pro cess which enables it

on clients, but they may not understand the security

to refer to the capability. Revo cation of the capa-

requirements that the monitor is trying to enforce.

bilityinvalidates the descriptor, so capabilities can

Wecho ose a security mo del that enables b oth kinds

b e immediately revoked. Unlike Redell's capability

of control, but erlies more heavily on client-side mon-

indirection [22], no sp ecial capabilities are seen by

itoring. Each pro cess mayhave a monitor that can

the servers and the Java and UNIX APIs can b e

enforce b oth its incoming and outgoing IPCs. There-

supp orted transparently.To revoke capabilities for-

fore, a pro cess that is b oth a client and a server in dif-

warded to other pro cesses actually their monitors,

ferentinteractions can have its op erations to servers

the monitors must maintain a mapping of capabilities

authorized and can restrict the op erations that it p er-

to the pro cesses/monitors that they were forwarded

form for its clients. We do emphasize the client-

to. Servers must maintain a similar mapping.

side control of the monitor by enabling it to place

Mapping events to p ermission mo di cations is done

tighter restrictions on the op erations it can p erform

by transforms [13,15]. Transforms map op erations

that server monitors may. An additional b ene t that

to p ermission transformations. Three typ es of trans-

results from this mo del is that monitors themselves

forms are de ned that implement di erent metho ds of

can b e restricted to di erent domains b ecause they

transformation transformation by p ermission, trans-

are di erent pro cesses. Weovercome the problem

formation by memb ership to an ob ject group, and

of server security requirements for pro cesses, by en-

transformation by combining p ermission sets. See

abling the servers to delegate p ermissions to content

Jaeger et al. for more details [13].

and providing authorization semantics of server op-

erations to the monitors see b elow and Section 4.3.

A result of this decision is that an IPC from one

3.3 Pro cess Mediation

controlled task to another requires an additional IPC

between the two monitors. However, Lava Nucleus

Complete pro cess mediation requires that each IPC

IPC and op eration authorization should b e fast <

b e authorized by a monitor. We prefer that monitor-

1.5 s for small IPCs, so the b ene t can b e gained ing b e triggered automatically. Otherwise, it maybe

at low cost. It is unclear yet whether the cost is worth

p ossible to a programmer to forget to call the monitor

the added security,however.

and lose complete mediation. Therefore, there must

The authorization semantics of a server's interface b e a mechanism for redirecting IPCs to the monitor.

is de ned by operation authorization ob jects see Sec- Then, the monitor must b e able determine what p er-

tion 4.3. These ob jects are used to transform op er- missions are to b e authorized. These p ermissions are

Implementation

Secure System 4

y mo del is implemented up on the Lava Controlled The securit

Process

va Nucleus provides minimal, gen- Controlled Nucleus. The La

Process

eral, and ecient functionality for building op er-

ating systems. It enables the creation of tasks

i.e., pro cesses with p otentially-overlapping address

Process-Specific Monitor

spaces that may contain multiple threads of execu-

Process-Specific Monitor

tion. An optimized IPC mechanism is provided for

tertask communication. The Lava Nucleus also pro- Security Policy in

Security Policy

vides a mechanism for IPC redirection whichwe use

to redirect controlled op erations to our monitors.

yp e implementation of this security

Server The protot

mo del is as follows. The Grub b o ot loader loads

va Nucleus and the ro ot Lava task. This task Object Security the La

Space Policy

b o otstraps the memory system and provides some ba-

sic system functionality e.g., page-fault handling and

task-id creation. This task initiates the pro cess load

server and the core system services e.g., a network

Figure 2: Monitor Architecture

server to download comp onents and the download-

ing principal's task. In general, these tasks may

also have a monitor assigned to them, but do not

at present. The downloading principal's task may re-

ations into the set of p ermissions that must b e au-

quest that a new executable task b e downloaded by

thorized b efore the op eration can b e run. These are

asking the pro cess load server to retrieve the task's

useful for enforcing least privilege with go o d p erfor-

content. The pro cess load server has the co de authen-

mance wehave found the cost of pro cessing these is

ticated and derives its p ermissions and transforms.

low.

Dep ending on the load option, the pro cess load server

assigns a monitor task to control the new executable.

The monitor obtains authorization op eration from

The monitor starts the new executable or restarts

the server de nition e.g., via an IDL extension.

the requestor if loaded into the same address space.

When a server is loaded, its op eration authorization

Monitors p erform b oth the p ermission management

ob jects are stored in a place accessible to all mon-

and authorization services for their tasks using trans-

itors. The semantics of these op erations must b e

forms and p ermissions, resp ectively.

well-understo o d. Therefore, monitors control client

In this pap er, we fo cus primarily on the implemen-

op erations based on the current and maximal p er-

tation of the architecture's monitors. The monitors

missions to any server that they are p ermitted to

store the current and maximal p ermissions of its con-

access.

tent, implement its content's p ermission transforma-

tions, intercepts IPCs that are sentby or destined for Our architecture for using monitors and servers to

the its content, determines the authorization require- control pro cesses is shown in Figure 2. In this mo del,

ments of the op eration encapsulated in the IPC, and a monitor is assigned to each controlled pro cess.

authorizes the op eration using the content's p ermis- When a pro cess makes an IPC, its monitor intercepts

sions. We rst describ e the monitor's p ermission rep- the IPC automatically via a kernel-provided mech-

resentation and how it enables exible and ecient anism. After the op eration authorization semantics

authorization. Next, we detail the Lava Nucleus's have determined the op erations that need to b e au-

IPC redirection mechanism. Then, we outline how thorized, the monitor uses its pro cess's p ermissions

an IPC is converted to the set of op erations to b e to authorize the op eration. The op eration must b e

authorized. Lastly,we detail the authorization mech- within the content's current p ermissions and maximal

anisms used by the monitor. The monitor uses two p ermissions to b e authorized. Since the content's cur-

mechanisms: a slow one for \binding" to an actual rent p ermissions may expand and the content's max-

ob ject and a fast one for subsequent calls to the same imal p ermissions may b e restricted, an op eration at

ob ject. a certain time may need to b e checked against b oth.

Capability Structure (96 bits)

4.1 Principals and Permissions

Server and Object Access

h pro cess in our implementation is asso ciated with

Eac Object Type Identifier Rights

a principal data structure. A principal contains ref-

32 bits 32 bits 32 bits

erences to its complex identity, current and maximal

p ermissions, comp osition mo de, and transforms. The

complex identity is the comp osition of principals used

Symbolic wnloading princi-

to form this principal e.g., the do Name

pal, content provider, application, application role,

Null Terminated String

and session. Current and maximal p ermissions are

as describ ed ab ove. A composition mode de nes how

the p ermissions of the caller transforms the p ermis-

tent. For example, a trusted principal

sions of this con Count Entries R L C ...

may union the current p ermissions of the caller with

32 bits 32 bits their own. However, content not trusted to leak p er-

missions may maintain its current p ermissions and

Figure 3: Capability format

intersect its maximal p ermissions. The comp osition

mo de is designed to implement p ermission set trans-

forms intersection or union of the p ermissions of two

thorization.

or more principals eciently, but other transforms

are implemented in a traditional manner b ecause they

Both typ es of capabilities use the same represen-

are not highly p erformance critical.

tation shown in Figure 3: a server, a typ e, an ob-

ject identi er, and the capability's rights. The server

To implement b oth p ermanent and transient p er-

and typ e are captured in one 32-bit eld. The server

mission set transforms, b oth the current and maxi-

refers to the Lava task identi er for the server 12

mal p ermissions consist of static and lexical p ermis-

bits is the Lava-sp eci c limit. The remaining 20 bits

sions. Static p ermissions are the content p ermissions

are used to indicate the ob ject typ e. An object iden-

that apply each time the content is called. Lexical

ti er sp eci es the name of the ob ject reference to a

p ermissions mo dify the content's p ermissions based

string or an ob ject reference. References to names

on its current call context. Both enable p ermissions

are word aligned, so the least signi cant bit is used

of other principals to b e unioned or intersected with

to di erentiate b etween the name p ointers and OIDs.

those of this principal either p ermanently using the

static p ermissions or temp orarily using the lexical

The capability's rights indicates the op erations that

p ermissions. Given that a comp osition may result

the capability grants. Again, a 32-bit eld is used.

in a union, intersection, or no change to the maximal

There are 3 status bits, so 29 op erations can b e

and current p ermissions either statically or lexically,

granted by default. One status bit signi es that an

24 comp osition mo des are used. Comp ositions are

extended capability rights eld is used. Using this

always p erformed using the calling principal's static

eld, access to an arbitrary numb er of rights entries

p ermissions to preventhuge concurrency control over-

sp eci ed by count and entries reference is p ossible.

heads that would b e likely if lexical p ermissions were

Each rights entry sp eci es the op erations it applies

used.

to the R eld and any limits on the use of these

op erations the L eld with the current countinthe

The current p ermissions are divided into two cat-

C eld. Another status bit indicates whether the ca-

egories: authorize and active capabilities maximal

pability indicates a p ositive or negative access right.

p ermissions are only authorize p ermissions. Capa-

The third status bit indicates whether the capabil-

bilities are software-managed ob jects stored by the

ityisveri ed or not. For example, a change in the

monitors that are unforgeable, revo cable, strongly-

pro cess's access rights may require a re-authorization

typ ed mappings from ob ject identi ers to op erations.

of a capability.

As we will discuss b elow, bind op erations establish a

capability for the content to p erform a set of op era- Authorize capabilities are unforgeable b ecause

tions on an ob ject. These op erations are authorized monitors will only accept them from pro cess load

using authorize capabilities that may grant access to servers or other monitors i.e., pro cesses trusted to

more rights than are required for the op eration. The provide them. They are revo cable b ecause the con-

result of a bind op eration is the generation of an ac- trolled pro cesses never have access to them. Active

tive capability that sp eci es exactly the rights autho- capabilities derived from them can b e revoked, as de-

rized by the bind. Active capabilities enable fast au- scrib ed b elow. They are clearly strongly-typ ed since

they have a dedicated typ e eld. However, the servers

i i

must enforce this

Active capabilities are formed from the results of

i i -

' ' $ $



the bind op erations. For example, the OID is ob-



BM i

B tained from the ob ject server for fast direct access.

 

i

The capability's rights are set to those authorized

P

P

i ?

P i

Pq

in the bind op eration. In addition, active capabili-

i

& 

 

ties mayhave an additional eld that stores a unique

& 

identi er for the controlled pro cess called principal

identity. This eld could include a cryptographically

Figure 4: IPC Redirection \Original" IPC is denoted

secure numb er that the server can use to identify the

by thick lines, redirected IPC by thin lines

calling pro cess in a distributed environment[9].

Active capabilities are unforgeable on a single ma-

chine b ecause the monitor is trusted to send them

the security p olicy. All server requests from the en-

only to the prop er server and the kernel is trusted

to implement this delivery. In a distributed envi-

i

ronment, the capabilities are unforgeable if a cryp-

Pi

P

P

tographically secure principal identity is sent via a

P

P

i y

secure channel i.e., that authenticates the sender.

' $

Active capabilities are revo cable b ecause they are



J]

i

J

never given to the controlled pro cess. Instead, they

i

J

are stored in the monitor, and the only index of the

i

i i

capability e.g., a descriptor in the active capabil-

ity table of the principal is returned to the controlled

& 

pro cess. We will see that fast IPC makes this indi-

rection tolerable. Revo cation of active capabilities as

Figure 5: Security-Policy Monitor

the result of a revo cation of an authorize capability

is also p ossible. Basically, all active capabilities can

capsulated tasks are insp ected by the monitor  lled

b e marked unveri ed, so they must b e re-authorized

circle. The monitor drops any request whichwould

b efore they can b e used. Therefore, the monitor must

violate the security p olicy. In particular, it uses ac-

b e able to retrieve the original ob ject name e.g., by

counting mechanisms to restrict denial-of-service at-

caching it.

tacks. Note that all page-faults and mappings are also

handled by IPC. Therefore, the according resources

are also under the monitor's control.

4.2 IPC Redirection

Instead of enwalling suspicious sub jects, monitors

The Lavanucleus provides a general mechanism that

can also b e used to protect a system from suspicious

can b e used for implementing security p olicies based

sub jects outside the own clan. In gure 6 the monitor

on IPC redirection. A monitor can b e assigned to

multiple pro cesses. Any IPC to a pro cess that is ad-

i i

ministered by another monitor is automatically redi-

rected to this pro cess's monitor which can insp ect and



y  i

$ '

handle the message. This can b e used as a basis for

i

the implementation of mandatory access control p oli-

i



Hj

i

cies or isolation of suspicious pro cesses. For security

*

i i

reasons, redirection must b e enforced by the kernel.

& 

A clan is a set of pro cesses denoted as circles

headed by a monitor. q Inside the clan all messages

are transferred freely and the kernel guarantees mes-

sage integrity. But whenever a message tries to cross

Figure 6: Attack-Blo cking Monitor

a clan's b orderline, regardless of whether it is outgo-

ing or incoming, it is redirected to the clan's monitor.

 lled circle insp ects all messages coming from the

The monitor may insp ect and/or mo dify the message.

outside and drops messages that cannot b e authenti-

Clans may b e nested.

cated or do not come from trusted partners. Further-

Figure 5 shows a monitor which is used to enforce more, the monitor could encipher sensitive messages

automatically i.e., implement secure channels for its a le open, the second argument determines whether

clan memb ers. the op en is for read, write, and/or app end. The ops

operand may identify that either: 1 the op eration

requested is to b e authorized; 2 a new set of op-

4.3 Op erations

erations are to b e authorized; or 3 the op erations

Monitors need to b e able to determine how to autho-

to b e authorized are determined by the value of an

rize an op eration intercepted in an IPC. Given that

op erand. For the third case, the op vector maps the

new pro cesses may b e loaded with new interfaces, the

ops operand's value to the op erations to b e autho-

monitors need a standard mechanism for deriving au-

rized.

thorization requirements from interface information.

This mechanism should suce for many UNIX sys-

This mechanism must b e able to determine whether

tem calls and metho d invo cations. For example, in

the op eration is a bind or active op eration, the typ e

le open and so cket connect system calls only one

of ob ject to which the op eration applies, and which

op erand needs to b e authorized. In an ob ject-oriented

op erands need to b e authorized and the op erations for

system, the rst op erand refers to the only ob ject b e-

each. The latter is particularly complex for bind op-

ing op erated up on, so only the op erations on that

erations b ecause the real authorization requirements

ob ject need to b e checked. Other ob jects are passed

for the op eration are placed in an op erand.

as OIDs and cannot b e accessed unless one of their

We de ne a ob ject for representing the authoriza-

metho ds is invoked and authorized, if necessary.

tion semantics of an op eration b elow.

4.4 Monitors

 De nition 1:Anoperation authorization de-

nes the authorization information for an op er-

All IPCs e.g., page faults, system calls, and RPCs

ation using the following elds:

from the controlled pro cess are automatically redi-

rected to its monitor. The monitor uses its op er-

{ATyp e: Flag that determines the mecha-

ation authorizations to determine the actual op era-

nism used to authorize the op eration

tions to b e authorized on the op erands. Op erations

{ Numb er of Op erands: The number of

authorizations and principals are stored in two tables

op erands in the op eration

shared by all monitors, so they can access any op-

{ Op erand requirementsvector:Avec-

eration's authorization semantics and authorize op-

tor of authorization requirements for each

erations against any principal which is necessary if

op erand consisting of the following elds:

a principal's p ermissions can b e lexically mo di ed.

 OTyp e: Ob ject typ e for the op eration

Authorization is done using authorize capabilities for

bind op erations and active capabilities for op erations

 Ops op erand: Index of the op erand

subsequent to a bind.

that de nes the op erations to b e au-

When a monitor intercepts an IPC, the monitor re-

thorized

trieves the op eration authorization to determine the

 Op vector: Avector of op erations

op eration's authorization typ e. Bind op erations, such

to b e authorized indexed by the ops

as le system open, require that the op eration b e au-

operand value ab ove or the default

thorized using authorize capabilities. Any one of the

value

authorize capabilities for that ob ject typ e may apply,

so multiple capabilities may need to b e checked. On

The actual op eration authorization entry used is

the other hand, active op erations, such as le sys-

retrieved from an op erations table accessible to all

tem read, are authorized using the active capability

monitors. This table is up dated by the pro cess load

whose index is sp eci ed in the op eration. Up on a

server via add only, so no concurrency problems ex-

resp onse to a bind op eration, an active capabilityis

ist. The server and op eration numb er are used to

created which is stored in the principal's active ca-

retrieve the entry. The a type eld indicates the op-

pabilities table. An index to this entry is returned

eration typ e bind or active and whether the zero

to the controlled pro cess for subsequent use i.e., a

op erands, the rst op erand only, or another autho-

descriptor/OID.

rization is required. This enables fastest path co de

to b e used for authorization. The operands require- In either case, the op erands must b e copied into

ments vector lists the authorization requirements for the monitor's address space. Lava supp orts fast and

each op erand. The o type sp eci es the typ e of the secure copying of data in IPCs, so such copying can b e

op erand. The ops operand sp eci es the op erand that done automatically [18]. On a 166Mhz Pentium with

determines the op erations that are to b e authorize. In a 256K L2 cache, up to 8 bytes can b e sent in 0.95

s. 128 and 512 byte messages can b e transmitted in p er second to b e 30-40 9.5 s p er IPC. These num-

as fast as 1.79 s and 2.60 s, resp ectively. b ers are well b elow the 600 to 800 p erformance

cost for IPC alone for COM ob jects on Windows NT.

The redirected IPC is then forwarded to the desti-

Since compiled co de may b e executed in the remain-

nation where it maybeintercepted by that pro cess's

ing 60-70 of the time, the p erformance impact of

monitor. Currently, monitors only authorize out-

IPC interception relative to language-based mo dels

b ound op erations, but this monitor could restrict the

may b e negligible. In addition, we b elieve that the

IPCs that can b e forwarded from sp eci c sources. For

numb er of IPCs can b e reduced signi cantly by ju-

example, if a pro cess's IPCs result in an excessive

dicious co de placement taking security requirements

numb er of errors sp eci ed by a limit, then the mon-

into account and precreation of active capabilities.

itor may retract the principal's p ermissions e.g., via

For our p erformance analysis, wehave measured

a transform executed up on an authorization failure.

the costs of monitoring op erations on a 166 MHz Pen-

Once an op eration is executed, its results are re-

tium PC with 256K L2 cache. In our measured sce-

turned to the controlled pro cess via an IPC through

nario, wehavetwo controlled tasks, and each has a

the monitors. The monitor also intercepts this IPC

monitor that authorizes its IPC. The controlled tasks

and may authorize its return. For example, limits

ping-p ong requests back and forth, and we measure

on resp onse \op erations" can b e sp eci ed. As yet,

the time it takes for the authorized IPCs.

wehave not exploited this functionality. Currently,

When a controlled pro cess calls an op eration the

the monitor creates active capabilities from the re-

following actions are taken to authorize and forward

turn values of bind op erations and returns the active

the op eration to its destination task.

capability descriptor to the caller. For active op er-

ations, the return value is simply set in the return

1. Prepare the IPC to the destination with the op-

value register.

eration data.

To further improve p erformance monitors are im-

plemented using sp ecial Lavanucleus tasks, called

2. Send an IPC to the destination that is redirected

small-address-space tasks. These tasks do not require

to its monitor.

a TLB ush up on a context switch, so TLB miss costs

3. Determine the authorization requirements for

on a context switchbetween two small-address-space

the requested op eration.

tasks are reduced only one TLB miss for the IPC

path. We exp ect that all monitors will b e imple-

4. Authorize these requirements for op eration and

mented as small-address-space tasks. However, the

op erands.

current implementation of Lavawould not supp ort

using small-address-space tasks for many small con-

5. Source's monitor forwards IPC with the op era-

tent pro cesses as well, b ecause the numberofsuch

tion to the destination that is redirected to the

tasks is limited to a cumulative address space size of

destination's monitor.

512 MB in this Lavaversion.

6. The destination monitor forwards the IPC to the

destination no control on op eration requests is

enforced yet.

5 Performance Results

7. Create active capability descriptor optional, for

In this section, we measure the p erformance of the

resp onses.

security mechanism as implemented by the monitors.

We rst make micro-b enchmarks of the individual

8. The destination receives the IPC.

steps in the monitoring mechanism. We then estimate

the ideal p erformance ignoring e ects of TLB and ca- Op erations 1 and 8 are trivial and simply prepare

che misses of authorized IPC from these b enchmarks. to send an IPC or receive the IPC. Op erations 2, 5,

We estimate that an authorized IPC one-way using and 6 are all basically IPC op erations p erhaps with

active capabilities could b e as fast as 4 s and typi- data copying. Op erations 3, 4, and 7 implement our

cally less than 9 s ideally. In our current implemen- authorization mechanism. The costs of all op erations

tation, our fastest one-way IPC is 9.5 s authorized except 3 and 4 are xed for messages of the same

using active capabilities. If wehave 30,000 average size. Therefore, we rst list the p erformance costs

authorized IPCs p er second and 10 of these are bind of the xed op erations. These values are shown in

op erations whichisavery conservative estimate, Table 5. As shown, the xed costs for monitoring in

then the ideal p erformance cost is ab out 20. We this con guration vary from 3.03 to 7.98 s dep ending

have measured the cost of 30,000 actual active IPCs on the amount of data to b e copied.

Op eration 8-byte IPC 12-byte IPC 128-byte IPC 512-byte IPC

1. Prepare IPC 0.12 0.12 0.12 0.12

2. source-monitor IPC 0.95 1.37 1.80 2.60

5. monitor-monitor IPC 0.95 1.37 1.80 2.60

6. monitor-dest IPC 0.95 1.37 1.80 2.60

8. Receive data 0.06 0.06 0.06 0.06

Fixed intercept cost 3.03 4.29 6.58 7.98

Table 1: Performance of xed interception actions all times in s

Scenario bind s access s

A resp onse to an op eration go es through the same

1 cap-2 byte name 1.70 0.44

path, except that a new active capability descriptor

10 caps-2 byte name 12.84 0.44

may b e created for a bind op eration e.g., le open.

50 caps-2 byte name 56.22 0.44

We measured the cost of active capability descrip-

1 cap-21 byte name 3.50 0.44

tor creation for a UNIX le descriptor to b e 0.69 s.

10 caps-21 byte name 30.62 0.44

Cost is kept lowby pre-allo cating and reusing the

50 caps-21 byte name 138.84 0.44

memory for these descriptors. Of course, active capa-

bilities may b e created at content load time to avoid

Table 2: Performance of authorization

bind op erations.

The cost of deriving the authorization requirements

is based on the costs of retrieving the op eration au-

authorization capabilityveri cation do es not include

thorization, determining the op erands to authorize,

additional actions, suchaschecking ino de informa-

and determining the op erations to authorize up on the

tion. Wewould exp ect similar p erformance for au-

op erands. We compare the costs for evaluating the

thorization in language-based system given that b oth

op eration authorizations for two op erations: UNIX-

systems are optimized.

style le open and le write. The write op eration is

Authorization using active capabilities also in-

an active op eration in which only the rst op erand is

cludes the time for retrieving the active capability

authorized for write p ermission. Therefore, an op er-

from the descriptor approximately 0.20 s.

ation authorization's ops operand indicates that the

Table 5 summarizes the p erformance of the Lava

write op eration is to b e authorized and the a type in-

security mo del using address space protection. For

dicates that active capabilities are used to authorize

access op erations, IPC costs range from ab out 4 to

only the rst op erand 0.41 s. The open op era-

9 s dep ending on the amount of data to b e copied.

tion is a bind op eration in which the third op erand

Given 30,000 4 s IPCs p er second, a 12 overhead

indicates the actual op erations that need to b e autho-

on pro cessing is incurred. This p ercentage can b e

rized up on the rst op erand. Therefore, the op eration

reduced by the p ercentage of IPCs that can b e elim-

authorization's ops operand indicates that the third

inated by linking content in the same address space.

op erand's value determines the op erations to autho-

Bind op erations can incur a much greater cost 6 to

rize using the op vector and the a type indicates

150+ s. However, language-based implementations

a bind op eration in which only the rst op erand is

also need to p erform the same bind op erations ei-

authorized 0.48 s.

ther at load time for a new class or access time for

system ob jects, so the op erating system implemen-

Both the Lava Nucleus and language-based secu-

tation should b e faster. In general, since active capa-

rity systems must authorize bind op erations e.g., le

bility creation is a reasonable cost op eration, where

open and so cket connect. Language-based systems

p ossible, it should b e used to eliminate unnecessary

do not authorize further use of the resultant descrip-

bind op erations.

tors i.e., access op erations, so they cannot revoke

them. In Table 5, we show the costs of authorizing The actual p erformance of the entire IPC path

using b oth authorization for a bind op eration and for an active op eration using 8-byte IPCs is 9.5 s

access capabilities for an access op eration. As will if the monitors and controlled pro cesses are small-

b e the case in language-based systems, the cost of address-space tasks and 14 s if only the monitors

verifying op erations using authorization capabilities are small-address-space tasks. In the small-address-

varies based on the size of the ob ject name string space case, the additional costs are incurred by the 22

e.g., le path and the numb er of authorization ca- cache misses on data and an slightly higher IPC cost

pabilities that are examined. In this example, the for redirected IPC than the basic IPC b enchmarked

Operation data size Fixed Costs Auth Reqs Auth Cap Create Total

Active8bytes 3.03 0.41 0.44 0 3.88

Active 128 bytes 6.58 0.41 0.44 0 7.43

Active 512 bytes 7.98 0.41 0.44 0 8.83

Short Bind 8 bytes 3.03 0.48 1.70 0.69 5.90

Medium Bind 128 bytes 6.58 0.48 30.62 0.69 38.37

Long Bind 512 bytes 7.98 0.48 138.84 0.69 147.99

Table 3: Performance for di erenttyp es of authorizations and data sizes all times in s

ab ove. In the large-address-space case, TLB misses 6 Conclusions

b ecome a factor. Despite the p erformance degrada-

We presented an op erating system security mo del and

tion from ideal, the overall p erformance for 30,000

an analysis of its p erformance that shows that greater

IPCs p er second is ab out 30 for small-address-space

security than that of language-based securitymod-

content pro cesses and 40 for large-address-space

els can b e achieved with minimal additional overhead

content pro cesses.

for ne-grained programs. This security mo del en-

ables complete mediation of all content using mon-

itors that automatically intercept IPCs from con-

Unfortunately,we do not yet have p erformance

trolled pro cesses and can enforce security p olicy up on

numb ers for handling large data transfers. However,

them. The cost of this interception is p erceived to b e

the use of shared memory b etween monitors and a

high, but wehave shown that using fast IPC and

monitor and its controlled pro cess can reduce the p er-

an ecient authorization mechanism we can p erform

formance impact if security requirements allow its

authorized interception with a reasonable overhead.

use. For example, on a write op eration, only the ref-

With little application data available at present, it

erence to the data and the data size need to b e copied

is hard to estimate the exact overheads, but using

to the monitor for integrity reasons. If the controlled

micro-b enchmarks, we predict an ideal overhead of

task mo di es the data, it has no e ect on the secu-

12 for 30,000 IPC/s and measure an overhead of

rity of the op eration as long as the op eration do es not

30-40.

complete b efore the data is copied to the destination.

We are not the only researchers working in the area

Therefore, only a single copy of the write data from

of op erating system-level security mo dels for extensi-

the destination's monitor to destination is really re-

ble systems. Researchers in the area of extensible

quired. Therefore, 8-byte IPCs can b e used on twoof

kernel architectures haveembarked on the develop-

the three IPCs in the authorized path. Also, Lava en-

ment of exible security services [19,11]. These sys-

ables exible memory mapping, so a bind op eration

tems currently fo cus on extending server functionality

that enables a large amount of data transfer may pre-

to gain more exibility in control of client pro cesses.

pare shared memory for implementing such transfers

Also, other researchers are fo cusing on op erating sys-

eciently.

tem extensions to control downloaded executable con-

tent[5,6]. These system describ e how the op erating

system can enable principals to restrict the rights of

Therefore, we b elieve that the p erformance of their pro cesses. We exp ect that these researchers will

all have to deal with the issues regarding control of

an op erating system-level mechanism for controlling

multiple ne-grained extensions in the future.

ne-grained is comparable to that of a language-based

mechanism, particularly if references are typically We exp ect that muchinteresting research in the

passed b etween pro cesses rather than ob ject data. future will examine the synergy b etween op erating

Since compiled co de can execute signi cantly faster system and language security mo dels. If a lot of

than JIT Java co de, it is not unreasonable to estimate data is to b e shared b etween pro cesses, it is yet to

that the compiled co de can do more pro cessing in the b e determined if the b est trade-o b etween security

remaining 60-70 of the time than the Java co de can and p erformance is language-based protection or ex-

do in 100 of the time. Given the additional se- ible memory mapping of shared data. Lava's exi-

curity b ene ts of op erating system and address space ble memory mapping enables two pro cesses to share

protection execute compiled co de with complete me- memory in a manner that is still revo cable by their

diation, these security mo dels are worthy of strong monitors. However, language-based protection o ers

consideration. safety at a cost as well for data structures within the

address space. We predict that the future direction [12] T. Jaeger, F. Giraud, N. Islam, and J. Liedtke. A

role-based access control mo del for protection do-

of system and application security will b e strongly

main derivation and management. In Proceedings of

in uenced by the answers to such questions.

the Second ACM Role-BasedAccess Control Work-

shop,Novemb er 1997.

[13] T. Jaeger, N. Islam, R. Anand, A. Prakash, and

Acknowledgements

J. Liedtke. Flexible control of downloaded executable

content. Technical Rep ort RC 20886, IBM T. J. Wat-

We'd like to thank Asit Dan, Li Gong, Paul Karger,

son Research Center, 1997.

Ajay Mohindra, and Dan Wallach for their valuable

insights. Also, we thank the anonymous referees for

[14] T. Jaeger and A. Prakash. Supp ort for the le sys-

their comments whichhave led to signi cant improve-

tem security requirements of computational e-mail

systems. In Proceedings of the 2nd ACM Conference

ments in this pap er.

on Computer and Communications Security, pages

1{9, 1994.

References

[15] T. Jaeger, A. Rubin, and A. Prakash. Building

systems that exibly control downloaded executable

[1] R. Anand, N. Islam, T. Jaeger, and J. R. Rao. A ex-

content. In Proceedings of the 6th USENIX Security

ible security mo del for using Internet content. IEEE

Symposium, pages 131{148, July 1996.

Software, 1997.

[16] P. A. Karger. Improving Security and Performance

[2] J. P. Anderson. technology plan-

for Capability Systems. PhD thesis, Universityof

ning study.Technical Rep ort ESD-TR-73-51, James

Cambridge, 1988.

P. Anderson and Co., Fort Washington, PA, USA,

[17] B. Lampson. Protection. ACM Operating Systems

1972.

Review, 81:18{24, January 1974.

[3] A. Berman, V. Bourassa, and E. Selb erg. TRON:

[18] J. Liedtke. Improving IPC bykernel design. In Pro-

Pro cess-sp eci c le protection for the UNIX op er-

ceedings of the 14th Symposium on Operating Sys-

ating system. In Proceedings of the 1995 USENIX

tems Principles, pages 175{187, 1993.

Winter Technical Conference, pages 165{175, 1995.

[19] D. Mazieres and M. F. Kaasho ek. Secure applications

[4] N. S. Borenstein. Email with a mind of its own: The

need exible op erating systems. In Proceedings of the

Safe-Tcl language for enabled mail. In ULPAA '94,

Sixth Workshop on Hot Topics in Operating Systems,

pages 389{402, 1994.

pages 56{61, May 1997.

[5] A. Dan, A. Mohindra, R. Ramaswami, and

[20] P. G. Neumann, R. S. Boyer, R. J. Feiertag, K. N.

D. Sitaram. ChakraVyuha: A sandb ox op erating

Levitt, and L. Robinson. A provably secure op erat-

system for the controlled execution of alien co de.

ing system: The system, its application s, and pro ofs.

Technical Rep ort 20742, IBM T. J. Watson Research

Technical Rep ort CSL-116, SRI International, 1990.

Center, 1997.

[21] J. Ousterhout, J. Levy, and B. Welch. The

[6] C. Frib erg and A. Held. Supp ort for discretionary

Safe-Tcl security mo del, 1997. Available at

role-based access control in acl-oriented op erating

http://www.sunlabs.com/ ouster/safeTcl.html.

systems. In Proceedings of the Second ACM Role-

[22] D. D. Redell. Naming and Protection in Extensible

BasedAccess Control Workshop,Novemb er 1997.

Operating Systems. PhD thesis, University of Cal-

[7] F. S. Gallo. Penguin: Java done right. The Perl

ifornia, Berkeley, 1974. Published as Pro ject MAC

Journal, 12:10{12, 1996.

TR-140, Massachusetts Institute of Technology.

[8] I. Goldb erg, D. Wagner, R. Thomas, and E. Brewer.

[23] J. H. Saltzer and M. D. Schro eder. The protection

A secure environment for untrusted help er applica-

of information in computer systems. Proceedings of

tions. In Proceedings of the 6th USENIX Security

the IEEE, 639:1278{1308, Septemb er 1975.

Symposium, pages 1{14, July 1996.

[24] G. van Rossum. Grail { The browser for

[9] L. Gong. A secure identity-based capability system.

the rest of us draft, 1996. Available at

In IEEE Symposium on Security and Privacy, pages

http://monty.cnri.reston.va.us/grail /.

56{63, 1989.

[25] D. Wallach, D. Balfanz, D. Dean, and E. W. Felten.

[10] L. Gong. New security architectural directions for

Extensible security architectures for java. Technical

Java. In IEEE COMPCON '97,February 1997.

Rep ort 546-97, Princeton University, 1997.

[26] D. Wallach, D. Balfanz, D. Dean, and E. W. Felten. [11] R. Grimm and B. Bershad. Security for extensible

Extensible security architectures for java. In Proceed- systems. In Proceedings of the Sixth Workshop on

ings of the 16th Symposium on Operating Systems Hot Topics in Operating Systems, pages 62{66, May

Principles, 1997. 1997.

[27] E. Wobb er, M. Abadi, M. Burrows, and B. Lampson.

Authentication in the Taos op erating system. ACM

Transactions on Computer Systems, 121:3{32, Feb-

ruary 1994.

[28] W. Wulf, E. Cohen, W. Corwin, A. Jones, R. Levin,

C. Pierson, and F. Pollack. HYDRA: The kernel of

amultipro cessor op erating system. Communications

of the ACM, 176:337{345, June 1974.