lambda-RBAC: Programming with Role-Based Access Control

b Bell Labs e-mail address: aje rey bell-labs. om Abstra t. We study me hanisms that permit program omponents to express role onstraints on lients, fo using on programmati se urity me hanisms, whi h permit a ess ontrols to be expressed, in situ, as part of the ode realizing basi fun tionality. In this setting, two questions immediately arise. (1) The user of a omponent fa es the issue of safety: is a parti ular role su ient to use the omponent? (2) The omponent designer fa es the dual issue of prote tion: is a parti ular role demanded in all exe ution paths of the omponent? We provide a formal al ulus and stati analysis to answer both questions. 1. Introdu tion This paper addresses programmati se urity me hanisms as realized in systems su h as Java Authenti ation and Authorization Servi e (jaas) and .net. These systems enable two forms of a ess ontrol me hanisms1. First, they permit de larative a ess ontrol to des ribe se urity spe i ations that are orthogonal and separate from des riptions of fun tionality, e.g., in an interfa e I, a de larative a ess ontrol me hanism ould require the aller to possess a minimum set of rights. While on eptually elegant, su h spe i ations do not dire tly permit the enfor ement of a ess ontrol that is sensitive to the ontrol and data ow of the ode implementing the fun tionality onsider for example history sensitive se urity poli ies that require runtime monitoring of relevant events. Consequently, jaas and .net also in lude programmati me hanisms that permit a ess ontrol ode to be intertwined with fun tionality ode, e.g., in the ode of a omponent implementing interfa e I. On the one hand, su h programmati me hanisms permit the dire t expression of a ess ontrol poli ies. However, the programmati approa h leads to the ommingling of the on eptually separate on erns of se urity and fun tionality. 1998 ACM Subje t Classi ation: D.3, K.6.5.