Beyond Stack Inspection: A Unified Access-Control and Information-Flow Security Model

2007 IEEE Symposium on Security and Privacy (SP '07) Pub Date : 2007-05-20 DOI:10.1109/SP.2007.10

Marco Pistoia, A. Banerjee, D. Naumann

{"title":"Beyond Stack Inspection: A Unified Access-Control and Information-Flow Security Model","authors":"Marco Pistoia, A. Banerjee, D. Naumann","doi":"10.1109/SP.2007.10","DOIUrl":null,"url":null,"abstract":"Modern component-based systems, such as Java and Microsoft .NET common language runtime (CLR), have adopted stack-based access control (SBAC). Its purpose is to use stack inspection to verify that all the code responsible for a security-sensitive action is sufficiently authorized to perform that action. Previous literature has shown that the security model enforced by SBAC is flawed in that stack inspection may allow unauthorized code no longer on the stack to influence the execution of security-sensitive code. A different approach, history-based access control (HBAC), is safe but may prevent authorized code from executing a security-sensitive operation if less trusted code was previously executed. In this paper, we formally introduce information-based access control (IBAC), a novel security model that verifies that all and only the code responsible for a security-sensitive operation is sufficiently authorized. Given an access-control policy a, we present a mechanism to extract from it an implicit integrity policy i, and we prove that IBAC enforces i. Furthermore, we discuss large-scale application code scenarios to which IBAC can be successfully applied.","PeriodicalId":131863,"journal":{"name":"2007 IEEE Symposium on Security and Privacy (SP '07)","volume":"71 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2007-05-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"60","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2007 IEEE Symposium on Security and Privacy (SP '07)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP.2007.10","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 60

Abstract

Modern component-based systems, such as Java and Microsoft .NET common language runtime (CLR), have adopted stack-based access control (SBAC). Its purpose is to use stack inspection to verify that all the code responsible for a security-sensitive action is sufficiently authorized to perform that action. Previous literature has shown that the security model enforced by SBAC is flawed in that stack inspection may allow unauthorized code no longer on the stack to influence the execution of security-sensitive code. A different approach, history-based access control (HBAC), is safe but may prevent authorized code from executing a security-sensitive operation if less trusted code was previously executed. In this paper, we formally introduce information-based access control (IBAC), a novel security model that verifies that all and only the code responsible for a security-sensitive operation is sufficiently authorized. Given an access-control policy a, we present a mechanism to extract from it an implicit integrity policy i, and we prove that IBAC enforces i. Furthermore, we discuss large-scale application code scenarios to which IBAC can be successfully applied.

查看原文本刊更多论文

超越堆栈检查:一个统一的访问控制和信息流安全模型

现代基于组件的系统，如Java和microsoft.net公共语言运行库(CLR)，都采用了基于堆栈的访问控制(SBAC)。它的目的是使用堆栈检查来验证负责安全敏感操作的所有代码是否获得了足够的授权来执行该操作。以前的文献表明，SBAC强制执行的安全模型存在缺陷，因为堆栈检查可能允许未经授权的代码不再在堆栈上影响安全敏感代码的执行。另一种方法是基于历史的访问控制(HBAC)，它是安全的，但如果之前执行了不太可信的代码，则可能会阻止授权代码执行对安全敏感的操作。在本文中，我们正式介绍了基于信息的访问控制(IBAC)，这是一种新的安全模型，它验证所有且仅负责安全敏感操作的代码得到充分授权。给出了一种从访问控制策略a中提取隐式完整性策略i的机制，并证明了IBAC可以强制执行i。此外，我们还讨论了IBAC可以成功应用于的大规模应用程序代码场景。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2007 IEEE Symposium on Security and Privacy (SP '07)

自引率

0.00%

发文量