Submission - SSP 2001 2001 IEEE Symposium on Security and Privacy 5 / 13 / 2001 - 5 / 16 / 2001 Oakland , CA USA

This paper discusses the difficulties of describing an appropriate notion of the security attributes caller and target in object-oriented middleware systems such as CORBA. Our analysis points out that, whilst there is no information available on the ORB layer to describe the caller and target, it is possible in practice to use descriptors from other layers. In CORBA security, the mechanism-specific identifiers on the caller side and the information from the object reference on the target side turn out to be most appropriate and trustworthy for describing client and target application objects at the right granularity. As a proof of concept we present our MICOSec CORBA Security implementation which demonstrates the feasibility of our approach. Our paper shows that it is unrealistic to expect a security service layer to be able to abstract fully from the underlying security mechanisms without severe implications on granularity and semantic mismatches.