The following paper was originally published in the Proceedings of the 7th USENIX Security Symposium San Antonio, Texas, January 26-29, 1998
Operating System Protection for Fine-Grained Programs
Trent Jaeger, Jochen Liedtke, and Nayeem Islam IBM T.J. Watson Research Center
For more information about USENIX Association contact: 1. Phone: 510 528-8649 2. FAX: 510 548-5738 3. Email: [email protected] 4. WWW URL:http://www.usenix.org/
Op erating System Protection for Fine-Grained Programs
Trent Jaeger Jo chen Liedtke Nayeem Islam
IBM T. J. Watson Research Center
Hawthorne, NY 10532
Emails:fjaegertjjo [email protected] m.comg
Abstract numb er of protection domain crossings must b e han-
dled securely i.e., correctly with resp ect to the secu-
We present an op erating system-level security mo del
rity requirements to prevent attacks and eciently
for controlling ne-grained programs, suchasdown-
to minimize p erformance degradation. In this pap er,
loaded executable content, and compare this security
we show that a security mo del implemented on a fast
mo del's implementation to that of language-based
and exible IPC mechanism can enforce security re-
security mo dels. Language-based security has well-
quirements that language-based systems cannot with
known limitations, such as the lack of complete me-
little p erformance impact.
diation e.g., for compiled programs or race condi-
Several op erating systems use hardware-based
tion attacks and faulty self-protection e ective secu-
protection to prevent pro cesses from inadvertently
rity is unproven. Op erating system-level mo dels are
and/or maliciously mo difying one another. Each
capable of complete mediation and self-protection,
pro cess has an address space that de nes a set of
but some researchers argue that op erating system-
memory segments and the pro cess's access rights to
level security mo dels are unlikely to supplant such
those segments. A pro cess can only access memory
language-based mo dels b ecause they lack p ortability
in its own address space. In addition, the op erating
and p erformance. In this pap er, we detail an op er-
system has a security mo del that asso ciates pro cesses
ating system-level security mo del built on the Lava
with their access rights to system resources. Using
Nucleus, a minimal, fast -kernel op erating system.
address spaces of suitable granularity and pro cess ac-
We showhow it can enforce security requirements
cess rights to controlled resources, an op erating sys-
for ne-grained programs and show that its p erfor-
tem can control a pro cess's op erations as desired.
mance overhead with the additional security can
However, op erating system security mo dels have
b e virtually negligible when compared to language-
b een deemed to lack the p erformance and exibility
based mo dels. Given the sucient p erformance and
necessary to control ne-grained programs. While
security, the p ortability issue should b ecome mo ot
some systems have b een built that eciently con-
b ecause other vendors will have to meet the higher
trol pro cesses in dynamically-de ned protection do-
security and p erformance exp ectations of their cus-
mains [3,8, 14], these systems have b een applied
tomers.
only to more traditional applications e.g., PostScript
interpreters. In an application comp osed of ne-
grained programs, programs with di erent protection
1 Intro duction
domains interact often p erhaps as much as on each
metho d invo cation. In a recent pap er, Wallach et
We demonstrate how op erating system protection can
al. [25] discard address space-based protection from
b e used to control ne-grained programs exibly and
consideration for applications with ne-grained pro-
eciently. Op erating systems use hardware-based
grams by noting that IPC b etween two COM ob jects
protection to isolate pro cesses from one another.
on Windows NT takes 1000 times longer than a pro-
However, the way that current op erating systems
cedure call 230 sto0.2s. We claim that this
implement this protection has caused researchers to
discrepancy can b e virtually eliminated while gaining
deem them to o slow and in exible for controlling ne-
security and maintaining exibility.
grained programs. Fine-grained programs have dif-
ferent protection domains and mayinteract often in Wehave develop ed a prototyp e implementation of
the course of a computation. The e ect of a large a exible security mo del for controlling downloaded
content. This mo del is implemented on the Lava Nu- individual content. The securitykernel must b e able
cleus. The Lava Nucleus provides address spaces, to mediate all controlled op erations. To enforce least
threads, fast IPC, exible paging, and IPC inter- privilege on content p ermissions may b e based on ap-
ception that enable ecient and exible control of plication state and evolve as application state evolves.
pro cesses. In this pap er, we primarily concentrate on The securitykernel must b e able to control this evolu-
the e ectiveness of the Lavanucleus for implement- tion within reasonable limits. Lastly, the kernel must
ing a exible security mo del and its resultant p er- b e able to protect itself from mo di cations that may
formance. We show that fast IPC and IPC intercep- result in tamp ering with its b ehavior.
tion enable the implementationof dynamical ly autho-
A question that has re-app eared recently is whether
rized IPC that can b e p erformed in as little as 9.5 s.
language-based or op erating system-based protection
We b elieve further ro om for optimziation is p ossible,
is b etter suited for e ectively and eciently control-
given an ideal estimate for dynamically authorized
ling such ne-grained programs. Or otherwise stated:
IPC is ab out 4 s. Also, exible page mapping in the
to what extent can op erating system protection e-
Lava Nucleus enables ob jects of size greater than the
ciently provide e ective security and to what extent
hardware page size to b e shared among pro cesses, so
can language protection e ectively provide ecient
coarse-grained sharing of memory b etween pro cesses
security? As describ ed b elow, op erating system pro-
is p ossible.
tection has several advantages over language protec-
The structure of this pap er is as follows. In Sec-
tion from a security p ersp ective, but the cost of do-
tion 2, we compare language-based and op erating
main crossings make it questionable whether ecient
system-based security mo dels. In Section 3, we de-
op erating system protection for ne-grained pro cesses
scrib e an op erating system security mo del for down-
is p ossible. On the other hand, language protection
loaded executable content. In Section 4, we describ e
can b e implemented eciently, but some key security
the implementation of this mo del on the Lava Nu-
safeguards are weakened such that e ective security
cleus. In Section 5, we examine the p erformance of
may b e lost.
the prototyp e implementation and compare its p er-
Traditionally, op erating systems have enforced sys-
formance to language-based mo dels for ne-grained
tem security requirements b ecause hardware-based
programs of the sort discussed byWallach et al. In
protection provides signi cant advantages in the key
Section 6, we conclude and present future work.
areas of economy of mechanism, fail-safe defaults,
and complete mediation [23]. The op erating system's
TCB can protect pro cesses by restricting them to
2 Language vs. O/S Protection
their own address spaces which can b e enforced by
a simple mechanism at least compared to a com-
The basic problem is to implement a securitykernel
piler. Since only the program requested is placed in
that e ectively and eciently enforces the security
the address space, other, indep endent programs are
requirements of downloaded executable content. The
not a ected by its failure assuming the op erating
basic requirements of any security infrastructure are
1 system adequately protects itself from such failures.
that it can adapted from [2]:
Also, since the op erating system can intercept any in-
terpro cess communication IPC b etween pro cesses,
assign p ermissions dynamically to individual
controlled op erations by a program including com-
content,
piled ones can b e completely mediated by the op er-
mediate all controlled op erations using such p er-
ating system.
missions i.e., an op eration that a pro cess is not
Language-based protection has gained favor in re-
unconditionally trusted to invoke,
centyears, however. We attribute this p opularity
to three factors: 1 improvements in the develop-
manage the evolution of p ermissions as content
ment of \safe" languages; 2 the p erception that
is executed,
programs will b ecome increasingly ne-grained, and
protect itself from tamp ering
ne-grained domains are prohibitively exp ensiveto
enforce; and 3 lack of exibility in op erating system
For a system that uses dynamically downloaded ex-
security mo dels. \Typ e-safe" languages are strongly-
ecutable content, p ermissions must b e assignable to
typ ed i.e., all data is typ ed and casting is restricted
1
There is an additional requirement that any \securityker-
or prohibited and do not p ermit direct addressing
nel" b e simple enough that indep endentevaluators can assess
of the system's memory i.e., no p ointers. There-
whether it will op erate prop erly. While we will not prove such
fore, all data is accessed according to its interface, so
a feature ab out our system here we do attempt to keep the
security mo del as simple as is feasible. complete mediation of controlled op erations in pro-
grams written in such languages is p ossible. Other the current call stackmay not represent the actual
\safe" languages, such as Safe-Tcl [4,21], Penguin [7], context since classes that are no longer on the stack
and Grail [24] dep end on removal of op erations that may in uence the execution. In addition, security
would enable the language security infrastructure to dep ends on the prop er placement of calls to the au-
b e circumvented. Also, with the increased p opular- thorization ob ject. For applications, this means that
ity of comp onent-based system infrastructure, such co de must b e changed to control a previously uncon-
as Java Beans, and the abilitytodownloaded co de trolled ob ject.
dynamically, are leading p eople to predict that pro-
The question is whether op erating system protec-
grams with b ecome more ne-grained. Mediation of
tion can b e made exible enough and ecient enough
IPC b etween pro cesses has signi cant p erformance
for ne-grained programs. We b elieve that the ex-
implications for op erating systems b ecause they may
ibility question has b een answered for a long time,
need to p erform exp ensive op erations, such as han-
but the systems for whichitwas answered are no
dling TLB misses, up on domain changes. Also, the
longer in wide use. Several research op erating sys-
security mo dels of current commercial op erating sys-
tems were develop ed that used capabilities to attach
tems, such as UNIX and DOS/Windows, lack the
exible protection domains to pro cesses in a secure
exibility to dynamically assign p ermissions to user
manner [16,20,28]. For example, Hydra [28] ob-
pro cesses or p ermit controlled sharing of memory
tained exibilityby attaching capabilities to pro ce-
among pro cesses.
dures. SCAP [16] and PSOS [20] demonstrated that
anumb er of security prop erties could b e enforced by
Language-based protection has some signi cant
these systems. However, the applications of the time
weaknesses, however. First, the TCB of a system
had much simpler security requirements, so much less
dep ending on language protection is larger b ecause
secure systems were adopted as de facto standards.
nowwemust trust the compilers and co de veri ers
We, therefore, b elieve that the key problem to us-
as well as the \system" TCB ob jects provided by
ing op erating system protection for ne-grained pro-
the system. While compilers are much b etter un-
grams is p erformance. At IBM, we are developing
dersto o d than they once were, a minimal TCB is still
the Lava Nucleus which is a minimal, fast, and exi-
preferred. Second, since all programs run within a
single address space, fail-safety is not what it is in ble -kernel. It provides the basic system constructs,
op erating systems. This means that a security aw such as pro cesses, address spaces, and threads, and
provides general mechanisms for using these primi-
will result in the attacker gaining all privileges that
tives, such as exible memory mapping primitives,
the virtual machine has. Given that single domain
fast IPC, and IPC redirection. In this pap er, we show
op erating systems based on language protection are
b eing built e.g., Java OS, this means that compro- that a exible op erating system protection mo del for
mise of the virtual machine can result in signi cant downloaded executable content can b e designed and
that it can b e implemented eciently using the Lava
losses. Third, it is not clear what the actual size and
Nucleus. From this, we measure the currently achiev-
numb er of comp onents that can share a protection
able p erformance of op erating system protection and
domains will b e. In Wallach et al., they measured
30,000 domain crossings p er second. It is not explicit evaluate how this a ects the overall system p erfor-
in their pap er, but we assume that many of these mance. In the future, we exp ect that language-based
and op erating system protection to b e jointly used
domain crossings involved trusted classes whose use
dep ending on the security requirements with op-
have few security implications. Therefore, we b elieve
erating system protection providing a simple, fail-
that many of these claimed domain crossings can b e
safe security mechanism that may completely mediate
avoided. Lastly, and most obviously, language-based
protection is language-sp eci c and do es not apply to controlled domains.
compiled co de. Therefore, complete mediation de-
p ends on a homogeneous system whichwe b elieveis
unlikely.
3 Security Mo del
Also, language-based protection has its own p er-
formance problems and the optimizations to improve An e ective security mo del for downloaded exe-
p erformance intro duce subtle security aws. For ex- cutable content requires signi cant exibility in the
ample, in the JDK 1.2 sp eci cation [10], excess au- creation of principals, assignment of their p ermis-
thorizations on every metho d invo cation since there sions, and management of their p ermissions through-
may b e many real domains within a single protection out the content's execution. We use Lampson's pro-
domain are prevented by using the call stack to de- tection matrix [17] to help describ e these require-
termine the current authorization context. However, ments. It shows the relationships among sub jects,
ob jects, and the op erations that sub jects can p erform
w consider the security on ob jects p ermissions. No Secure System
Process
requirements for controlling downloaded executable
content describ ed b elow. IPC
Process
Sub jects: There may b e one sub ject p er down-
Monitor
loaded content, although some sub jects maybe
reused within a session. Load
Create Authorized IPC
Ob jects: The ob jects may refer to logical ob- ust b e mapp ed to the individual jects that m Process Authentication Object
Load
wnloading principals system at runtime. do Server Server
Server
Permissions: The set of p ermissions that a sub-
Micro-kernel
ject has at any time to ob jects mayevolveas
tent sub jects executes.
system's con Secure Boot Mechanism
In traditional systems, the set of sub jects is gen-
erally mapp ed to the set of users and a set of well-
Figure 1: Security Mo del Architecture
known services. This granularity is to o coarse for
downloaded content. Each contentmay b e asso ci-
ated with a di erent principal that is an aggregate of
server derives the p ermissions for this content prin-
basic principals e.g., downloading principal execut-
cipal. The pro cess load server assigns a monitor to
ing content from a provider within a sp eci c instance
enforce a pro cess's p ermissions. Monitors intercept
of an application. Also, in traditional systems, the
and authorize all IPCs emanating from or directed
set of ob jects is well-known. This may not b e the case
to the controlled pro cess. Monitors maintain a rep-
in downloaded content systems b ecause the content
resentation of the controlled pro cesses access rights
providers mayhave limited knowledge ab out the sys-
and can b oth add to and revoke access rights from
tems up on which their content is run. In addition, the
the controlled pro cess.
amount of p olicy sp eci cation can b e reduced if the
In the design of our security mo del, we make the
logical ob jects that are mapp ed to a sp eci c princi-
following assumptions. System administrators are
pal's domain at runtime can b e used. Lastly, enforce-
completely trusted to set system p olicy. A set of
ment of least privilege on content is more imp ortant
certi cation authorities are trusted to vouch for the
than for traditional programs b ecause these programs
public keys of principals. A secure b o oting mech-
are transient and from only partially trusted sources
anism is trusted to initialize the op erating system
i.e., mayhave bugs. In traditional systems, p ermis-
prop erly.We assume the existence of such a mecha-
sions are assigned to principals and must cover every
nism as prop osed for the Taos op erating system [27].
execution of that principal, or else some application
The kernel itself is trusted to create pro cesses and
executions would fail. For content, the state of an
threads prop erly, separate pro cess address spaces,
application may also b e used to limit the p ermissions
identify the source of IPC, and redirect the IPC of
to those necessary for the task at hand.
controlled pro cesses to monitors. The authentication
To solve these problems, we prop ose an security
server is trusted to p erform cryptographic op erations
mo del that provides basic security mechanisms and
correctly. The pro cess load server is trusted to setup
p olicy representations to enable the control of down-
the pro cesses and monitors prop erly, so the security
loaded executable content. The mo del is shown in
requirements as sp eci ed can b e enforced. Monitors
Figure 1. In this security mo del, a securebooting
are trusted within a domain limited by the rights that
mechanism loads a nucleus of an op erating system.
they can delegate to pro cesses. Monitors may also
The nucleus provides the basic functionality to cre-
b e trusted to read and not leak server data to other
ate and execute pro cesses and enables them to in-
pro cesses. The system has limited trust in users, ap-
tercommunicate via IPC. The nucleus initiates a
plications, and downloaded content.
process load server that creates subsequent pro cesses
and can dynamically load libraries and co de comp o- The following three subsections describ e how the
nents into existing pro cesses. The pro cess load server rst three of the security requirements of the system
uses an authentication server to authenticate content are enforced. The fourth security requirement's must
and determine the content principal. A derivation b e enforced throughout each of these op erations.
3.1 Pro cess Loading other. In addition, the content and pro cess must also
b e able to e ectively p erform their jobs with the re-
The pro cess load server receives load requests for
sultant rights for the co-lo cation to b e feasible.
ob jects and retrieves, validates, and loads the ob-
While these restrictions limit the content that can
ject. Some ob jects may b e executable and some may
b e loaded into the requesting pro cess, a variety of use-
not, but our discussion fo cuses on the loading of ex-
ful content can still b e downloaded and co-lo cated.
ecutable ob jects.
Trusted libraries can b e co-lo cated with the request-
The pro cess load server solves the following prob-
ing pro cess in many instances. For example, many
lems:
Java classes in java.lang package although not the
Java ClassLoader whose functionalitywe are sup er-
retrieve requested executable content,
seding can b e loaded into a requesting pro cess. For
example, the String class do es not provide the user's
uses the authentication server to verify the au-
pro cess any additional rights although it maybe
thenticity of content and derive the content prin-
used to circumvent language-based security, so it can
cipal,
b e loaded into the requestor's address space. Also, we
uses the derivation server to derive the content's
think that all the classes in the java.io can b e loaded
p ermissions,
into a requesting pro cess, b ecause restricted access
to the le server can b e enforced by the monitor. Of
nd the pro cess in which to load the content,
the 30,000 domain crossings p er second measured by
Wallach et al.,we exp ect that many of those do not
load the contentinto that pro cess
really require a change in domain for the requesting
pro cess. Our exp erience with the FlexxGuard proto-
Our e ort here is concentrated on a mechanism
typ e system a controlled Javainterpreter was that
for loading executable content. We prop ose mech-
restricting the p ermissions of the Java system classes
anisms and p olicy representations for authentication
to that of the current applet b eing run still p ermitted
and p ermission derivation elsewhere [12,13]. These
many useful applications to b e implemented [1].
mechanism enable p ermissions to b e derived dynami-
cally for downloaded content given limited input from
multiple principals.
3.2 Permission Management
While IPC can b e faster than 230 s, it is still well
understo o d that pro cedure calls are faster. IPC in the A pro cess's monitor also manages the evolution of
Lava Nucleus takes 4 times longer on a Pentium than its p ermissions throughout its execution. In general,
p ermission changes o ccur for two reasons: 1 an ap-
a pro cedure call than Wallach et al. [26] measure for
plication state change maywarrantachange in the
a PC. In addition, there are indirect costs that are a
result of the context switch, such as the handling TLB controlled pro cess's p ermissions and 2 one content
and cache misses. While the Lava Nucleus is designed using another may result in a restriction of p ermis-
to enable these costs to b e reduced, the fewer context sions to prevent information leakage. In the rst case,
switches the b etter. a user may p erform an op eration that results in the
delegation of rights to downloaded content. For ex-
To reduce these overheads, wewant the ability
ample, the loading of a le into an application may
to link supp orting content in the requesting pro cess.
result in the delegation of the p ermissions to read
However, only links that ensure that b oth the request-
and write the le to content used in the application.
ing pro cess and the downloaded content do not ob-
These p ermission changes must b e limited to prevent
tain any unauthorized access rights can b e p ermitted.
a pro cess from obtaining an unauthorized right. Also,
This is only p ossible if: 1 neither the downloaded
the interaction of twountrusted content pro cesses
content nor the requesting pro cess gain any p ermis-
may require that their p ermissions b e intersected to
sions as a result of the co-lo cation; 2 the downloaded
prevent the callee from p erforming unauthorized op-
content is p ermitted access to the requesting pro cess's
erations on b ehalf of the caller.
data and vice versa; and 3 the downloaded content
can run prop erly with the rights of the requesting
Permission management requires:
pro cess. For the rst condition to hold, the p ermis-
sions of the joint pro cess must b e the intersection of
the ability to add rights to the current p ermis-
the p ermissions of the content loaded into it. Thus,
sions,
neither pro cess can use a p ermission unless b oth had
it previously. Also, neither contentmayhave data in the ability to revoke rights from the current p er-
its address space that it must keep secret from the missions,
a mapping of events to p ermission transforma- authorized by the monitor, and if successful, the re-
tions, quested is forwarded to the destination.
Pro cess mediation requires that the following tasks
a limit to the rights that can b e delegated to
b e accomplished:
content,
con gure the system such that monitors can au-
thorize all controlled op erations,
In this security mo del, a monitor can add a rightto
a pro cess's p ermissions if: 1 the delegating pro cess
describ e the authorization semantics of op era-
has the p ermission; 2 the delegating pro cess is p er-
tions well enough to enable their authorization,
mitted to delegate that p ermission to the delegatee;
and 3 the p ermission is within the maximal per-
provide monitors with the pro cess's current p er-
missions for the pro cess. Each monitor maintains
missions to authorization
a mapping of its pro cesses to its delegating princi-
pals and p ermissions called assignment limits that
Each IPC must b e intercepted for complete media-
that principal can delegate to this pro cess. Any del-
tion. Therefore, it is necessary to place a monitor on
egated rightmust b e within the pro cess's maximal
each IPC path. Typically, monitoring is asso ciated
p ermissions b oth the initial current p ermissions and
either with the server which enforces access control
maximal p ermissions for a pro cess are derived by the
on its clients or on the client limits access of the
derivation service. This limits the rights available to
client. There are limitations to b oth approaches. In
a pro cess in general.
client monitoring, monitors can, in theory, enforce
Revo cation of rights is more dicult b ecause ca-
arbitrary security p olicy, but in practice they have
pabilities can b e copied. To prevent a pro cess from
limited knowledge ab out the servers to which they
using a revoked capability, the monitor do es not pass
are controlling access. On the other hand, servers
capabilities to its controlled pro cesses. Instead, a de-
are typically trusted to enforce security requirements
scriptor is returned to the pro cess which enables it
on clients, but they may not understand the security
to refer to the capability. Revo cation of the capa-
requirements that the monitor is trying to enforce.
bilityinvalidates the descriptor, so capabilities can
Wecho ose a security mo del that enables b oth kinds
b e immediately revoked. Unlike Redell's capability
of control, but erlies more heavily on client-side mon-
indirection [22], no sp ecial capabilities are seen by
itoring. Each pro cess mayhave a monitor that can
the servers and the Java and UNIX APIs can b e
enforce b oth its incoming and outgoing IPCs. There-
supp orted transparently.To revoke capabilities for-
fore, a pro cess that is b oth a client and a server in dif-
warded to other pro cesses actually their monitors,
ferentinteractions can have its op erations to servers
the monitors must maintain a mapping of capabilities
authorized and can restrict the op erations that it p er-
to the pro cesses/monitors that they were forwarded
form for its clients. We do emphasize the client-
to. Servers must maintain a similar mapping.
side control of the monitor by enabling it to place
Mapping events to p ermission mo di cations is done
tighter restrictions on the op erations it can p erform
by transforms [13,15]. Transforms map op erations
that server monitors may. An additional b ene t that
to p ermission transformations. Three typ es of trans-
results from this mo del is that monitors themselves
forms are de ned that implement di erent metho ds of
can b e restricted to di erent domains b ecause they
transformation transformation by p ermission, trans-
are di erent pro cesses. Weovercome the problem
formation by memb ership to an ob ject group, and
of server security requirements for pro cesses, by en-
transformation by combining p ermission sets. See
abling the servers to delegate p ermissions to content
Jaeger et al. for more details [13].
and providing authorization semantics of server op-
erations to the monitors see b elow and Section 4.3.
A result of this decision is that an IPC from one
3.3 Pro cess Mediation
controlled task to another requires an additional IPC
between the two monitors. However, Lava Nucleus
Complete pro cess mediation requires that each IPC
IPC and op eration authorization should b e fast <
b e authorized by a monitor. We prefer that monitor-
1.5 s for small IPCs, so the b ene t can b e gained ing b e triggered automatically. Otherwise, it maybe
at low cost. It is unclear yet whether the cost is worth
p ossible to a programmer to forget to call the monitor
the added security,however.
and lose complete mediation. Therefore, there must
The authorization semantics of a server's interface b e a mechanism for redirecting IPCs to the monitor.
is de ned by operation authorization ob jects see Sec- Then, the monitor must b e able determine what p er-
tion 4.3. These ob jects are used to transform op er- missions are to b e authorized. These p ermissions are
Implementation
Secure System 4
y mo del is implemented up on the Lava Controlled The securit
Process
va Nucleus provides minimal, gen- Controlled Nucleus. The La
Process
eral, and ecient functionality for building op er-
ating systems. It enables the creation of tasks
i.e., pro cesses with p otentially-overlapping address
Process-Specific Monitor
spaces that may contain multiple threads of execu-
Process-Specific Monitor
tion. An optimized IPC mechanism is provided for
tertask communication. The Lava Nucleus also pro- Security Policy in
Security Policy
vides a mechanism for IPC redirection whichwe use
to redirect controlled op erations to our monitors.
yp e implementation of this security
Server The protot
mo del is as follows. The Grub b o ot loader loads
va Nucleus and the ro ot Lava task. This task Object Security the La
Space Policy
b o otstraps the memory system and provides some ba-
sic system functionality e.g., page-fault handling and
task-id creation. This task initiates the pro cess load
server and the core system services e.g., a network
Figure 2: Monitor Architecture
server to download comp onents and the download-
ing principal's task. In general, these tasks may
also have a monitor assigned to them, but do not
at present. The downloading principal's task may re-
ations into the set of p ermissions that must b e au-
quest that a new executable task b e downloaded by
thorized b efore the op eration can b e run. These are
asking the pro cess load server to retrieve the task's
useful for enforcing least privilege with go o d p erfor-
content. The pro cess load server has the co de authen-
mance wehave found the cost of pro cessing these is
ticated and derives its p ermissions and transforms.
low.
Dep ending on the load option, the pro cess load server
assigns a monitor task to control the new executable.
The monitor obtains authorization op eration from
The monitor starts the new executable or restarts
the server de nition e.g., via an IDL extension.
the requestor if loaded into the same address space.
When a server is loaded, its op eration authorization
Monitors p erform b oth the p ermission management
ob jects are stored in a place accessible to all mon-
and authorization services for their tasks using trans-
itors. The semantics of these op erations must b e
forms and p ermissions, resp ectively.
well-understo o d. Therefore, monitors control client
In this pap er, we fo cus primarily on the implemen-
op erations based on the current and maximal p er-
tation of the architecture's monitors. The monitors
missions to any server that they are p ermitted to
store the current and maximal p ermissions of its con-
access.
tent, implement its content's p ermission transforma-
tions, intercepts IPCs that are sentby or destined for Our architecture for using monitors and servers to
the its content, determines the authorization require- control pro cesses is shown in Figure 2. In this mo del,
ments of the op eration encapsulated in the IPC, and a monitor is assigned to each controlled pro cess.
authorizes the op eration using the content's p ermis- When a pro cess makes an IPC, its monitor intercepts
sions. We rst describ e the monitor's p ermission rep- the IPC automatically via a kernel-provided mech-
resentation and how it enables exible and ecient anism. After the op eration authorization semantics
authorization. Next, we detail the Lava Nucleus's have determined the op erations that need to b e au-
IPC redirection mechanism. Then, we outline how thorized, the monitor uses its pro cess's p ermissions
an IPC is converted to the set of op erations to b e to authorize the op eration. The op eration must b e
authorized. Lastly,we detail the authorization mech- within the content's current p ermissions and maximal
anisms used by the monitor. The monitor uses two p ermissions to b e authorized. Since the content's cur-
mechanisms: a slow one for \binding" to an actual rent p ermissions may expand and the content's max-
ob ject and a fast one for subsequent calls to the same imal p ermissions may b e restricted, an op eration at
ob ject. a certain time may need to b e checked against b oth.
Capability Structure (96 bits)
4.1 Principals and Permissions
Server and Object Access
h pro cess in our implementation is asso ciated with
Eac Object Type Identifier Rights
a principal data structure. A principal contains ref-
32 bits 32 bits 32 bits
erences to its complex identity, current and maximal
p ermissions, comp osition mo de, and transforms. The
complex identity is the comp osition of principals used
Symbolic wnloading princi-
to form this principal e.g., the do Name
pal, content provider, application, application role,
Null Terminated String
and session. Current and maximal p ermissions are
as describ ed ab ove. A composition mode de nes how
the p ermissions of the caller transforms the p ermis-
tent. For example, a trusted principal
sions of this con Count Entries R L C ...
may union the current p ermissions of the caller with
32 bits 32 bits their own. However, content not trusted to leak p er-
missions may maintain its current p ermissions and
Figure 3: Capability format
intersect its maximal p ermissions. The comp osition
mo de is designed to implement p ermission set trans-
forms intersection or union of the p ermissions of two
thorization.
or more principals eciently, but other transforms
are implemented in a traditional manner b ecause they
Both typ es of capabilities use the same represen-
are not highly p erformance critical.
tation shown in Figure 3: a server, a typ e, an ob-
ject identi er, and the capability's rights. The server
To implement b oth p ermanent and transient p er-
and typ e are captured in one 32-bit eld. The server
mission set transforms, b oth the current and maxi-
refers to the Lava task identi er for the server 12
mal p ermissions consist of static and lexical p ermis-
bits is the Lava-sp eci c limit. The remaining 20 bits
sions. Static p ermissions are the content p ermissions
are used to indicate the ob ject typ e. An object iden-
that apply each time the content is called. Lexical
ti er sp eci es the name of the ob ject reference to a
p ermissions mo dify the content's p ermissions based
string or an ob ject reference. References to names
on its current call context. Both enable p ermissions
are word aligned, so the least signi cant bit is used
of other principals to b e unioned or intersected with
to di erentiate b etween the name p ointers and OIDs.
those of this principal either p ermanently using the
static p ermissions or temp orarily using the lexical
The capability's rights indicates the op erations that
p ermissions. Given that a comp osition may result
the capability grants. Again, a 32-bit eld is used.
in a union, intersection, or no change to the maximal
There are 3 status bits, so 29 op erations can b e
and current p ermissions either statically or lexically,
granted by default. One status bit signi es that an
24 comp osition mo des are used. Comp ositions are
extended capability rights eld is used. Using this
always p erformed using the calling principal's static
eld, access to an arbitrary numb er of rights entries
p ermissions to preventhuge concurrency control over-
sp eci ed by count and entries reference is p ossible.
heads that would b e likely if lexical p ermissions were
Each rights entry sp eci es the op erations it applies
used.
to the R eld and any limits on the use of these
op erations the L eld with the current countinthe
The current p ermissions are divided into two cat-
C eld. Another status bit indicates whether the ca-
egories: authorize and active capabilities maximal
pability indicates a p ositive or negative access right.
p ermissions are only authorize p ermissions. Capa-
The third status bit indicates whether the capabil-
bilities are software-managed ob jects stored by the
ityisveri ed or not. For example, a change in the
monitors that are unforgeable, revo cable, strongly-
pro cess's access rights may require a re-authorization
typ ed mappings from ob ject identi ers to op erations.
of a capability.
As we will discuss b elow, bind op erations establish a
capability for the content to p erform a set of op era- Authorize capabilities are unforgeable b ecause
tions on an ob ject. These op erations are authorized monitors will only accept them from pro cess load
using authorize capabilities that may grant access to servers or other monitors i.e., pro cesses trusted to
more rights than are required for the op eration. The provide them. They are revo cable b ecause the con-
result of a bind op eration is the generation of an ac- trolled pro cesses never have access to them. Active
tive capability that sp eci es exactly the rights autho- capabilities derived from them can b e revoked, as de-
rized by the bind. Active capabilities enable fast au- scrib ed b elow. They are clearly strongly-typ ed since
they have a dedicated typ e eld. However, the servers
i i
must enforce this
Active capabilities are formed from the results of
i i -
' ' $ $
the bind op erations. For example, the OID is ob-
BM i
B tained from the ob ject server for fast direct access.
i
The capability's rights are set to those authorized
P
P
i ?
P i
Pq
in the bind op eration. In addition, active capabili-
i
&
ties mayhave an additional eld that stores a unique
&
identi er for the controlled pro cess called principal
identity. This eld could include a cryptographically
Figure 4: IPC Redirection \Original" IPC is denoted
secure numb er that the server can use to identify the
by thick lines, redirected IPC by thin lines
calling pro cess in a distributed environment[9].
Active capabilities are unforgeable on a single ma-
chine b ecause the monitor is trusted to send them
the security p olicy. All server requests from the en-
only to the prop er server and the kernel is trusted
to implement this delivery. In a distributed envi-
i
ronment, the capabilities are unforgeable if a cryp-
Pi
P
P
tographically secure principal identity is sent via a
P
P
i y
secure channel i.e., that authenticates the sender.
' $
Active capabilities are revo cable b ecause they are
J]
i
J
never given to the controlled pro cess. Instead, they
i
J
are stored in the monitor, and the only index of the
i
i i
capability e.g., a descriptor in the active capabil-
ity table of the principal is returned to the controlled
&
pro cess. We will see that fast IPC makes this indi-
rection tolerable. Revo cation of active capabilities as
Figure 5: Security-Policy Monitor
the result of a revo cation of an authorize capability
is also p ossible. Basically, all active capabilities can
capsulated tasks are insp ected by the monitor lled
b e marked unveri ed, so they must b e re-authorized
circle. The monitor drops any request whichwould
b efore they can b e used. Therefore, the monitor must
violate the security p olicy. In particular, it uses ac-
b e able to retrieve the original ob ject name e.g., by
counting mechanisms to restrict denial-of-service at-
caching it.
tacks. Note that all page-faults and mappings are also
handled by IPC. Therefore, the according resources
are also under the monitor's control.
4.2 IPC Redirection
Instead of enwalling suspicious sub jects, monitors
The Lavanucleus provides a general mechanism that
can also b e used to protect a system from suspicious
can b e used for implementing security p olicies based
sub jects outside the own clan. In gure 6 the monitor
on IPC redirection. A monitor can b e assigned to
multiple pro cesses. Any IPC to a pro cess that is ad-
i i
ministered by another monitor is automatically redi-