Building Systems That Flexibly Control Downloaded Executable Content


1 Building Systems That Flexibly Control Downloaded Executable Content
Michael Hicks CIS 640

2 Mobile Program Architecture
  [Diagram] Remote Principal -> Untrusted Network -> Untrusted Program (Java, Ocaml, Telescript) -> 'Safe' Interpreter -> System
  Other labels on the diagram: chroot; role-based access control; network computing environments
11/21/2018 Michael Hicks

3 Mobile Program Security
  - Protect the downloading principal from actions performed by the downloaded executable content obtained from a remote principal
  - Do so at the least expense to the application's expressiveness and performance

4 Approaches
  - Limit the content language's expressiveness (i.e. use a 'safe' interpreter)
  - Restrict 'unsafe' operations
    - globally (all mobile programs)
    - selectively (per user, per program, etc.)
  - Combine these two

5 Discretionary Access Control
  - Specification of access rights
    - per system object: files, processes, network descriptors, ...
    - per application object

6 Discretionary Access Control
  - Enforcement of access rights
    - per remote principal
    - per application
    - per content-type
  - Alteration of rights at runtime

7 Discretionary Access Control
  - Advantages
    - More granular
    - Flexibility
  - Disadvantages
    - Greater complexity
    - Reduced performance

8 Terminology
  - Principal
  - Object
  - Operation
  - Domain

9 Expanded Architecture
  - Application-specific interpreter executes downloaded content
  - Browser controls access to system objects from interpreters
  - System controls access outside of the interpreter (i.e. spawned processes)

10 Expanded Architecture
  [Diagram] Remote Principal -> Untrusted Network -> Content -> Application-specific 'Safe' Interpreter -> Trusted, Application-independent Interpreter (Browser) -> System
  System: system w/ object access control and authenticated communication

11 Executing Downloaded Content
  - Download and verify content
  - Determine access rights
  - Execute content while enforcing the access rights

12 Executing Downloaded Content
  [Diagram] Remote Principal --(Content, Type)--> Application Interpreter(s) ... Browser Security Manager ... Operating System

13 Executing Downloaded Content
  [Diagram] Columns: Principal, Group, Thread, System, Browser
  Steps: Authenticate Content -> Map Principal to Group -> Execute Content -> Authorize Operation -> Execute Limited Operation / Execute Content
  Objects reached: Network Service, Local Software, Local File, Application Object

14 Access Control Model
  [Diagram] Principal group; Object group (Class, Operation); Access rights; Domain (Rights, Exceptions, Transform)

15 Example
  [Diagram] Class Operations: Method 1, Method 2, ...; Principal Group; Object Groups
  Domain Rights: PG 1: 1,2; Exceptions: PG 2: no 1; Transform
  (P marks a principal group, O an object group)
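A small, runnable model of the access-control model on slides 14 and 15, with the runtime alteration of rights from slide 21 and the authorization check the browser performs on slide 22. This is an added example, not code from the talk or its Tcl implementation; the principal names, object names, group names and the rule that PG 2 shares PG 1's rights except for method 1 are constructed to match the slide's picture.

```python
"""Toy model of the talk's access-control model: principal groups, object
groups of class operations, a per-interpreter domain holding rights and
exceptions, and transforms that alter rights at run time.
Added example; all names and data are constructed, not the talk's."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple

Key = Tuple[str, str]  # (principal group, object group)


@dataclass
class Domain:
    """Access rights of one interpreter (the 'domain' of slide 8)."""
    # Which principal group each authenticated remote principal maps to.
    principal_groups: Dict[str, str]
    # Which object group each application/system object belongs to.
    object_groups: Dict[str, str]
    # Operations (class methods) a principal group may call on an object group.
    rights: Dict[Key, Set[str]] = field(default_factory=dict)
    # Operations explicitly denied; an exception wins over a right.
    exceptions: Dict[Key, Set[str]] = field(default_factory=dict)

    def authorize(self, principal: str, obj: str, op: str) -> bool:
        """The browser's check before a 'safe' operation is executed."""
        pg = self.principal_groups.get(principal)
        og = self.object_groups.get(obj)
        if pg is None or og is None:
            return False  # unknown principal or object: deny by default
        if op in self.exceptions.get((pg, og), set()):
            return False
        return op in self.rights.get((pg, og), set())

    def transform(self, pg: str, og: str, grant: Iterable[str] = (),
                  revoke: Iterable[str] = ()) -> None:
        """Alter rights at run time (the 'transform' of slides 14 and 21)."""
        allowed = self.rights.setdefault((pg, og), set())
        allowed |= set(grant)
        allowed -= set(revoke)
        # A granted operation also clears a standing exception for it.
        self.exceptions.setdefault((pg, og), set()).difference_update(grant)


def example_domain() -> Domain:
    """Constructed reading of slide 15: PG1 may call methods 1 and 2 on
    object group O; PG2 gets the same rights with 'no 1' as an exception."""
    d = Domain(
        principal_groups={"alice@remote": "PG1", "bob@remote": "PG2"},
        object_groups={"/tmp/cache.db": "O", "/etc/passwd": "sys"},
    )
    d.rights[("PG1", "O")] = {"method1", "method2"}
    d.rights[("PG2", "O")] = {"method1", "method2"}
    d.exceptions[("PG2", "O")] = {"method1"}
    return d


if __name__ == "__main__":
    d = example_domain()
    print(d.authorize("alice@remote", "/tmp/cache.db", "method1"))  # True
    print(d.authorize("bob@remote", "/tmp/cache.db", "method1"))    # False
    d.transform("PG2", "O", grant={"method1"})
    print(d.authorize("bob@remote", "/tmp/cache.db", "method1"))    # True
```

Unknown principals, unknown objects and objects in a group with no rights entry are all denied, so the only way to grant access is an explicit right that no exception overrides; this is the default-deny posture the slide's exception mechanism implies.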

16 Implementation
  - Authentication mechanisms (public and secret key, etc.)
  - Tcl 7.5 interpreter: application-specific interpreter, browser
  - DCE (based on Kerberos): system enforcement

18 Implementation
  - Authentication mechanisms: public and secret key
  - Tcl 7.5 interpreter: application-specific interpreter, browser
  - DCE (based on Kerberos): system enforcement

19 Downloading Content
  Content message (r,c,t,a,s):
  - r = identity of remote principal
  - c = content
  - t = content type
  - a = content's authentication information, (n,i) = nonce, integrity info
  - s = session identifier (optional)

20 Downloading Content
  - Receive content message cm
  - Authenticate cm
  - If r is allowed to execute content c's interpreter t then
    - set up/update the session s
    - invoke t with c
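The receive-side procedure of slides 19 and 20, carried through in runnable form: the message (r,c,t,a,s) is authenticated using its nonce and integrity info, r is checked against the interpreters it may drive, the session s is created or updated, and t is invoked with c. This is an added example, not the talk's code. The HMAC-based integrity tag, the shared per-principal keys, the interpreter ACL, the session table and the `safe_tcl` stand-in interpreter are all constructed; the talk's implementation relies on DCE/Kerberos and a Tcl 7.5 interpreter for these roles.

```python
"""Receiving a content message (r, c, t, a, s): authenticate, check that r
may drive interpreter t, set up or update session s, invoke t with c.
Added example; keys, ACL, session store and interpreter are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed: per-principal shared secrets (stand-in for DCE/Kerberos keys).
KEYS: Dict[str, bytes] = {
    "alice@remote": b"constructed-key-alice",
    "bob@remote": b"constructed-key-bob",
}
# Constructed: which remote principals may use which content interpreter t.
INTERPRETER_ACL: Dict[str, Set[str]] = {"safe-tcl": {"alice@remote"}}


@dataclass(frozen=True)
class ContentMessage:
    r: str                      # identity of the remote principal
    c: bytes                    # content
    t: str                      # content type (selects the interpreter)
    a: Tuple[bytes, bytes]      # authentication info (n, i) = nonce, integrity tag
    s: Optional[str] = None     # session identifier (optional)


def integrity_tag(key: bytes, r: str, c: bytes, t: str, n: bytes) -> bytes:
    """MAC over r, t, n and c; each field is length-prefixed so that bytes
    cannot be moved between fields without changing the tag."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in (r.encode(), t.encode(), n, c):
        mac.update(len(part).to_bytes(4, "big"))
        mac.update(part)
    return mac.digest()


def make_message(r: str, c: bytes, t: str, s: Optional[str] = None) -> ContentMessage:
    """Sender side: fresh nonce plus tag under r's key."""
    n = secrets.token_bytes(16)
    return ContentMessage(r, c, t, (n, integrity_tag(KEYS[r], r, c, t, n)), s)


def authenticate(cm: ContentMessage, seen_nonces: Set[bytes]) -> Optional[str]:
    """Return None if cm is authentic, otherwise the reason it is rejected."""
    key = KEYS.get(cm.r)
    if key is None:
        return "unknown principal"
    n, i = cm.a
    if n in seen_nonces:
        return "replayed nonce"
    if not hmac.compare_digest(i, integrity_tag(key, cm.r, cm.c, cm.t, n)):
        return "integrity check failed"
    seen_nonces.add(n)
    return None


def safe_tcl(c: bytes, session: Dict[str, object]) -> Dict[str, object]:
    """Constructed stand-in for the application-specific interpreter."""
    return {"status": "executed", "bytes": len(c),
            "session": session["id"], "runs": session["runs"]}


INTERPRETERS = {"safe-tcl": safe_tcl}


def receive(cm: ContentMessage, sessions: Dict[str, Dict[str, object]],
            seen_nonces: Set[bytes]) -> Dict[str, object]:
    """Slide 20's procedure for one incoming content message."""
    reason = authenticate(cm, seen_nonces)
    if reason is not None:
        return {"status": "rejected", "reason": reason}
    if cm.r not in INTERPRETER_ACL.get(cm.t, set()):
        return {"status": "rejected", "reason": f"{cm.r} may not run {cm.t}"}
    sid = cm.s or f"session-{len(sessions) + 1}"
    session = sessions.setdefault(sid, {"id": sid, "principal": cm.r, "runs": 0})
    if session["principal"] != cm.r:  # s must belong to the authenticated r
        return {"status": "rejected", "reason": "session belongs to another principal"}
    session["runs"] += 1
    return INTERPRETERS[cm.t](cm.c, session)


if __name__ == "__main__":
    seen, sessions = set(), {}
    cm = make_message("alice@remote", b"puts hello", "safe-tcl")
    print(receive(cm, sessions, seen))  # executed, 10 bytes, session-1
    print(receive(cm, sessions, seen))  # rejected: replayed nonce
```

Two details matter beyond the slide's three steps: the nonce is recorded as seen before any further processing, so a replayed message is refused even if the ACL check would pass, and an optional session identifier is honoured only when the session was opened by the same authenticated principal, otherwise one remote principal could attach its content to another's session.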

21 Determining Access Rights
  - Determine rights for interpreter t
  - Determine rights for principal groups in t
    - static, and alterable by transforms
  - Map remote principal to principal group

22 Enforcing Access Rights
  - To system objects
    - 'safe' operation calls browser
    - authorization and execution occur within the browser
  - To system software
    - authorize within the browser
    - specify access rights to DCE
    - hand control to DCE (hand-waving here)

23 Criticisms
  - Access descriptions are complicated
    - How to determine reasonable rights?
    - How to know which rights to change (where to put transforms in code)?
  - Implementation details not concrete
    - How to use a non-Tcl content interpreter?
    - How are class operations specified?
    - How are DCE access rights specified?

24 Criticisms
  - No mention of performance
    - Cost of delegation
    - Cost of authentication/authorization
    - Cost of DCE/Kerberos

25 Conclusions
  - Mechanisms developed for fine-grained access control:
    - per user, per application
    - at the application and system level
  - Obviates the need for arbitrary restrictions (no file I/O, etc.)
  - Questions of performance and policy remain
