Language-Based Security for Malicious Mobile Code

Abstract

This report summarizes progress over the past year in developing language-based technologies for defending software systems against attacks from mobile code and system extensions. The approach promises to support a wide range of flexible, fine-grained access-control and information-flow policies. During the past year, the authors developed a more refined characterization of what policies can be enforced using reference monitors. This new work extends earlier work by Schneider by taking into account the limits of computability. Specifically, they developed a model based on standard Turing machines, adapted Schneider's criteria for enforceable security policies, and introduced computability requirements. They also integrated static analysis and program rewriting into the model. By providing this unifying model, and by basing it on Turing machines, they were able to compare the relative power of the various enforcement mechanisms and to relate them to standard computability results. For instance, it was relatively easy to show that the class of policies precisely supported by static analysis could also be supported by both reference monitors and program rewriting. In addition, they found that introducing a computability requirement on reference monitors was necessary, but not sufficient, for a precise characterization of the class of policies realizable by reference monitors. They also identified a new property, which they call "punctuality," that provides a more accurate upper bound on the power of reference monitors. Most importantly, they were able to show that the class of policies enforceable through rewriting does not correspond to any class of the Kleene hierarchy, which shows that rewriting truly is a powerful security enforcement technique. A list of 28 publications supported under this contract is included.

Document Details

Document Type
Technical Report
Publication Date
Jul 31, 2003
Accession Number
ADA416770

Entities

People

  • Andrew Myers
  • Dexter Kozen
  • Fred B. Schneider
  • Greg Morrisett

Organizations

  • Cornell University

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Communications Protocols
  • Compilers
  • Computer Programming
  • Computer Programs
  • Computer Science
  • Computers
  • Computing Devices
  • Cybersecurity
  • Device Drivers
  • Java Programming Language
  • Language
  • Models
  • Operating Systems
  • Programming Languages
  • Standards

Fields of Study

  • Computer science

Readers

  • Computational Linguistics
  • Cybersecurity
  • Mathematical Modeling and Probability Theory