Secure Internet Programming

Trust provides many practical benefits in open distributed systems. It enables cooperation between pairs of entities, provides a safe and inexpensive basis for lowering access barriers to secured resources, and facilitates complex transactions among multiple entities. In this paper, we describe a wide range of notions and aspects of trust in open systems, with particular focus on trust between autonomous entities. We argue for computational models and mechanisms that enable trust between entities to be produced, manipulated and degraded and we summarize the state-of-the-art from this perspective.

We discuss abstractions for protection and the correctness of their implementations. Relying on the concept of full abstraction, we consider two examples: (1) the translation of Java classes to an intermediate bytecode language, and (2) in the setting of the pi calculus, the implementation of private channels in terms of cryptographic operations.

We analyze how to use the reflective approach to integrate an authorization system into a distributed object-oriented framework. The expected benefits from the reflective approach are: more stability of the security layer (i.e., with a more limited number of hidden bugs), better software and development modularity, more reusability, and the possibility to adapt the security module with at most a few changes to other applications. Our analysis is supported by simple and illustrative examples written in Java.

We discuss the difficulties caused by mobile computing and mobile computation over wide-area networks. We propose a unified framework for overcoming such difficulties.

We study type-safety properties of open distributed systems of mobile agents, where not all sites are known to be well-typed. We adopt the underlying model of an anonymous network, allowing that code may be corrupted on transmission and that the source of incoming code is unknowable. Nonetheless, we are able to guarantee a weak form of type-safety at “good” sites using a mix of static and dynamic typing.

This paper formalizes the folklore result that strongly-typed applets are more secure than untyped ones. We formulate and prove several security properties that all well-typed applets possess, and identify sufficient conditions for the applet execution environment to be safe, such as procedural encapsulation, type abstraction, and systematic type-based placement of run-time checks. These results are a first step towards formal techniques for developing and validating safe execution environments for applets.

Existing authorization mechanisms fail to provide powerful and robust tools for handling security at the scale necessary for today’s Internet. These mechanisms are coming under increasing strain from the development and deployment of systems that increase the programmability of the Internet. Moreover, this “increased flexibility through programmability” trend seems to be accelerating with the advent of proposals such as Active Networking and Mobile Agents.

In this paper, we examine existing authorization mechanisms and their inadequacies. We introduce the concept of trust management, explain its basic principles, and describe some existing trust-management engines, including PolicyMaker and KeyNote. We also report on our experience using trust-management engines in several distributed-system applications.

New key-oriented discretionary access control systems are based on delegation of access rights with public-key certificates. This paper explains the basic idea of delegation certificates in abstract terms and discusses their advantages and limitations. We emphasize decentralization of authority and operations. The discussion is based mostly on the SPKI certificates but we avoid touching implementation details. We also describe how threshold and conditional certificates can add flexibility to the system. Examples are given of access control between intelligent networks services.

Specifying and managing access control policies for large distributed systems is a non-trivial task. Commonly, access control policies are specified in natural language and later reformulated in terms of a particular access control model. This paper presents and discusses concepts for an object-oriented access model that is more suitable for describing access control policies for CORBA objects than the default access model specified in the OMG security service specification.

Active networks enable to deploy new services at run-time by using mobile code. While considerable effort is under way to build active network infrastructures and to understand how to create corresponding services, less is known about how to end them. A particular problem is the coordinated steering of mobile code based services, especially in the case of “strong” active networks where each data packet is replaced by a mobile program and where a distributed service can consists of a myriad of anonymous active packets. In this paper we introduce the concept of apoptosis for mobile code based services. This term is borrowed from cell biology and designates the programmed cell death. We discuss the need for a self-destruction mechanism inside a distributed mobile service and address the problem of securing such a mechanism against malicious activation, for which a simple solution is shown.

The Sanctuary project at UCSD is building a secure infrastructure for mobile agents, and examining the fundamental security limits of such an infrastructure.

Security is a fundamental precondition for the acceptance of mobile agent systems. In this paper we discuss protocols to improve agent security by distributing critical data and operations on mutually supporting agents which migrate in disjunct host domains. In order to attack agents, hosts must collude/conspire across domains. Proper selection of itineraries can minimize the risk of such coalitions being formed.

In a configurable system, operating systems and applications are composed dynamically from executable modules. Since dynamically downloaded modules may not be entirely trusted, the system must be able to restrict their access rights. Current systems assign permissions to modules based on their executor, provider, and/or name. Since such modules may serve specific purposes in programs (i.e., services or applications), it should be possible to restrict their access rights based on the program for which they are used and the current state of that program. In this paper, we examine the access control infrastructure required to support the composition of systems and applications from modules. Access control infrastructure consists primarily of two functions: access control policy specification and enforcement of that policy. We survey representations for access control policy specification and mechanisms for access control policy enforcement to show the flexibility they provide and their limits. We then show how the Lava Security Architecture is designed to support flexible policy specification and enforcement.

Extensible systems, such as Java or the SPIN extensible operating system, allow for units of code, or extensions, to be added to a running system in almost arbitrary fashion. Extensions closely interact through low-latency, but type-safe interfaces to form a tightly integrated system. As extensions can come from arbitrary sources, not all of whom can be trusted to conform to an organization’s security policy, such structuring raises the question of how security constraints are enforced in an extensible system. In this paper, we present an access control mechanism for extensible systems to address this problem. Our access control mechanism decomposes access control into a policy-neutral enforcement manager and a security policy manager, and it is transparent to extensions in the absence of security violations. It structures the system into protection domains, enforces protection domains through access control checks, and performs auditing of system operations. The access control mechanism works by inspecting extensions for their types and operations to determine which abstractions require protection, and by redirecting procedure or method invocations to inject access control operations into the system. We describe the design of this access control mechanism, present an implementation within the SPIN extensible operating system, and provide a qualitative as well as quantitative evaluation of the mechanism.

Many contemporary operating systems utilize a system call interface between the operating system and its clients. Increasing numbers of systems are providing low-level mechanisms for intercepting and handling system calls in user code. Nonetheless, they typically provide no higher-level tools or abstractions for effectively utilizing these mechanisms. Using them has typically required reimplementation of a substantial portion of the system interface from scratch, making the use of such facilities unwieldy at best.

This paper presents a toolkit that substantially increases the ease of interposing user code between clients and instances of the system interface by allowing such code to be written in terms of the high-level objects provided by this interface, rather than in terms of the intercepted system calls themselves. This toolkit helps enable new interposition agents to be written, many of which would not otherwise have been attempted. This toolkit has also been used to construct several agents including: system call tracing tools, file reference tracing tools, and customizable filesystem views. Examples of other agents that could be built include: protected environments for running untrusted binaries, logical devices implemented entirely in user space, transparent data compression and/or encryption agents, transactional software environments, and emulators for other operating system environments.

Safe language technology can be used for protection within a single address space. This protection is enforced by the language’s type system, which ensures that references to objects cannot be forged. A safe language alone, however, lacks many features taken for granted in more traditional operating systems, such as rights revocation, thread protection, resource management, and support for domain termination. This paper describes the J-Kernel, a portable Java-based protection system that addresses these issues. J-Kernel protection domains can communicate through revocable capabilities, but are prevented from directly sharing unrevocable object references. A number of micro-benchmarks characterize the costs of language-based protection, and an extensible web and telephony server based on the J-Kernel demonstrates the use of language-based protection in a large application.

In this chapter, we present a history-based access-control mechanism that is suitable for mediating accesses from mobile code. The key idea behind history-based access-control is to maintain a selective history of the access requests made by individual programs and to use this history to improve the differentiation between safe and potentially dangerous requests. What a program is allowed to do depends on its own behavior and identity in addition to currently used discriminators like the location it was loaded from or the identity of its author/provider. History-based access-control has the potential to significantly expand the set of programs that can be executed without compromising security or ease of use. We describe the design and implementation of Deeds, a history-based access-control mechanism for Java. Access-control policies for Deeds are written in Java, and can be updated while the programs whose accesses are being mediated are still executing.

The desire for flexible networking services has given rise to the concept of “active networks.” Active networks provide a general framework for designing and implementing network-embedded services, typically by means of a programmable network infrastructure. A programmable network infrastructure creates significant new challenges for securing the network infrastructure.

This paper begins with an overview of active networking. It then moves to security issues, beginning with a threat model for active networking, moving through an enumeration of the challenges for system designers, and ending with a survey of approaches for meeting those challenges. The Secure Active Networking Environment (SANE) realizes many of these approaches; an implementation exists and provides acceptable performance for even the most aggressive active networking proposals such as active packets (sometimes called “capsules”).

We close the paper with a discussion of open problems and an attempt to prioritize them.

Mobile agents are usually expected to execute in open environments. This openness implies that they should be able to dynamically learn how to interact with other agents and services which were not known at development time. The interlocutors therefore have to publish enough information about their functionality, while at the same time they have to restrict access rights in order to preserve their integrity. We describe in this paper a messenger-based framework which proposes run-time generated interfaces to address this duality.

The mobile agent paradigm gains ever more acceptance for the creation of distributed applications, particularly in the domain of electronic commerce. In such applications, a mobile agent roams the global Internet in search of services for its owner. One of the problems with this approach is that malicious service providers on the agent’s itinerary can access confidential information contained in the agent or tamper with the agent.

In this article we identify trust as a major issue in this context and propose a pessimistic approach to trust that tries to prevent malicious behaviour rather than correcting it. The approach relies on a trusted and tamper-resistant hardware device that provides the mobile agent with the means to protect itself. Finally, we show that the approach is not limited to protecting the mobile agents of a user but can also be extended to protect the mobile agents of a trusted third party in order to take full advantage of the mobile agent paradigm.