Providing Policy-Neutral and Transparent Access Control in Extensible Systems

Extensible systems, such as Java or the SPIN extensible operating system, allow for units of code, or extensions, to be added to a running system in almost arbitrary fashion. Extensions closely interact through low-latency, but type-safe interfaces to form a tightly integrated system. As extensions can come from arbitrary sources, not all of whom can be trusted to conform to an organization's security policy, such structuring raises the question of how security constraints are enforced in an extensible system. In this paper, we present an access control mechanism for extensible systems to address this problem. Our access control mechanism decomposes access control into a policy-neutral enforcement manager and a security policy manager, and it is transparent to extensions in the absence of security violations. It structures the system into protection domains, enforces protection domains through access control checks, and performs auditing of system operations. It works by inspecting extensions for their types and operations to determine which abstractions require protection, and by redirecting procedure or method invocations to inject access control operations into the system. We describe the design of this access control mechanism, present an implementation within the SPIN extensible operating system, and provide a qualitative as well as quantitative evaluation of the mechanism. This research was sponsored by the Defense Advanced Research Projects Agency, the National Science Foundation and by an equipment grant from Digital Equipment Corporation. Grimm was partially supported by fellowships from the Microsoft Corporation and IBM Corporation. Bershad was partially supported by a National Science Foundation Presidential Faculty Fellowship and an O ce of Naval Research Young Investigator Award.