ABSTRACT
With the recent advent of dynamically extensible software systems, in which
software extensions may be dynamically loaded into the address space of a core
application to augment its capability, there is a growing interest in
protection mechanisms that can isolate untrusted software components from the
host application, while allowing them controlled access to system facilities.
Existing language-based run-time environments such as the Java platform and the
CLR address the challenge of software isolation by an interposition
mechanism known as stack inspection. Expressive as it is, stack inspection is
known to have issues such as lack of declarative characterization and poor
accommodation of evolving software configurations.
In this work, a run-time module system, IsoMod, is proposed for the Java
platform to facilitate software isolation. A core application may create
namespaces dynamically and impose arbitrary name visibility policies to control
whether a name is visible, to whom it is visible, and in what way the name can
be accessed. Because IsoMod exercises name visibility control only at load
time, loaded code runs at full speed. Furthermore, because IsoMod access
control policies are expressed declaratively and maintained separately, they
evolve independently from core application code. IsoMod therefore avoids many
technical problems associated with interposition. But the most surprising
finding of this study is that a rich family of access control policies can be
expressed as name visibility constraints. The IsoMod policy language provides
a declarative means for expressing a very general form of visibility
constraints. Not only can the IsoMod policy language simulate a sizable subset
of permissions in the Java 2 security architecture, it can do so with policies
that are robust to changes in software configurations. The IsoMod policy
language is also expressive enough to completely encode a capability type
system known as Discretionary Capability Confinement (DCC). In spite of its
expressiveness, the IsoMod policy language admits an efficient implementation
strategy. Consequently, this work demonstrates that name visibility management
is a useful addition to the repertoire of language-based access control
mechanisms.
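As an added illustration (not IsoMod's own code, and using an invented prefix-list policy rather than the IsoMod policy language), the following Java sketch shows the load-time property the abstract relies on: a per-namespace class loader decides whether a name is visible to an extension at the moment the name is resolved, so a hidden reference fails when the referencing class is linked and no check remains on the call path afterwards. The names `NamespaceLoader`, `VisibilityPolicy` and the namespace `ext-1` are assumptions for this example.

```java
import java.util.Map;
import java.util.Set;

// One loader per extension namespace. A hidden name fails here, while the
// referencing class is linked; after that there is no further check on the
// call path, which is the load-time property the abstract describes.
final class NamespaceLoader extends ClassLoader {
    private final String namespace;
    private final VisibilityPolicy policy;
    private final Map<String, byte[]> ownClasses; // the extension's own bytecode, by class name
    NamespaceLoader(String namespace, VisibilityPolicy policy,
                    Map<String, byte[]> ownClasses, ClassLoader parent) {
        super(parent);
        this.namespace = namespace;
        this.policy = policy;
        this.ownClasses = ownClasses;
    }
    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        synchronized (getClassLoadingLock(name)) {
            Class<?> c = findLoadedClass(name);
            if (c == null) {
                byte[] b = ownClasses.get(name);
                if (b != null) {
                    c = defineClass(name, b, 0, b.length);  // the extension's own class
                } else if (policy.visible(namespace, name)) {
                    c = super.loadClass(name, false);       // delegate only for visible names
                } else {
                    throw new ClassNotFoundException(name + " is not visible to namespace " + namespace);
                }
            }
            if (resolve) resolveClass(c);
            return c;
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed policy: "ext-1" may resolve java.lang and java.util names only.
        VisibilityPolicy policy = new VisibilityPolicy(Map.of("ext-1", Set.of("java.lang.", "java.util.")));
        NamespaceLoader loader = new NamespaceLoader("ext-1", policy, Map.of(), NamespaceLoader.class.getClassLoader());
        System.out.println("visible: " + loader.loadClass("java.util.ArrayList").getName());
        try { loader.loadClass("java.io.File"); }
        catch (ClassNotFoundException e) { System.out.println("hidden: " + e.getMessage()); }
    }
}

// Hypothetical policy (not IsoMod's policy language): per namespace, the class-name prefixes it may resolve.
final class VisibilityPolicy {
    private final Map<String, Set<String>> allowed;
    VisibilityPolicy(Map<String, Set<String>> allowed) { this.allowed = allowed; }
    boolean visible(String namespace, String className) {
        return allowed.getOrDefault(namespace, Set.of()).stream().anyMatch(className::startsWith);
    }
}
```

Only names resolved through this loader are governed by it; a class obtained through a different loader (for example by reflection with the host's loader) bypasses the policy, so a complete system must also control those paths.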
BIOGRAPHY
Philip Fong is an Assistant Professor at the Department of Computer
Science, University of Regina, Saskatchewan, Canada. He received his B.Math.
and M.Math. in Computer Science from the University of Waterloo, Ontario,
Canada, and his Ph.D. in Computer Science from Simon Fraser University, BC,
Canada. His dissertation proposes a modular verification architecture for
mobile code systems. His research interests include software security,
programming languages, and software engineering.