IsoMod: A Module System for Isolating Untrusted Software Extensions

Professor Philip W. L. Fong (University of Regina)


ABSTRACT

With the recent advent of dynamically extensible software systems, in which software extensions may be dynamically loaded into the address space of a core application to augment its capability, there is a growing interest in protection mechanisms that can isolate untrusted software components from the host application while allowing them controlled access to system facilities. Existing language-based run-time environments such as the Java platform and the CLR address the challenge of software isolation with an interposition mechanism known as stack inspection. Expressive as it is, stack inspection is known to have issues such as the lack of a declarative characterization and poor accommodation of evolving software configurations.

In this work, a run-time module system, IsoMod, is proposed for the Java platform to facilitate software isolation. A core application may create namespaces dynamically and impose arbitrary name visibility policies to control whether a name is visible, to whom it is visible, and in what way the name can be accessed. Because IsoMod exercises name visibility control only at load time, loaded code runs at full speed. Furthermore, because IsoMod access control policies are expressed declaratively and maintained separately, they evolve independently from core application code. IsoMod therefore avoids many technical problems associated with interposition. But the most surprising finding of this study is that a rich family of access control policies can be expressed as name visibility constraints. The IsoMod policy language provides a declarative means for expressing a very general form of visibility constraints. Not only can the IsoMod policy language simulate a sizable subset of permissions in the Java 2 security architecture, it can do so with policies that are robust to changes in software configurations. The IsoMod policy language is also expressive enough to completely encode a capability type system known as Discretionary Capability Confinement (DCC). In spite of its expressiveness, the IsoMod policy language admits an efficient implementation strategy. Consequently, this work demonstrates that name visibility management is a useful addition to the repertoire of language-based access control mechanisms.
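As an added illustration (not IsoMod's own code, and in Python rather than Java), the following toy models the abstract's core idea: a declarative, per-namespace name visibility policy that is checked when a name is resolved at load time rather than on every call, so the loaded extension runs without interposition. The policy table, namespace names and extension sources are constructed for the example.

```python
"""Toy model of per-namespace name visibility control, loosely after IsoMod.

Added illustration, not IsoMod's own code.  The core application creates a
namespace for each untrusted extension; a declarative policy, kept apart from
the application code, lists which module names are visible in that namespace.
Visibility is checked when a name is resolved (at load time), not on every
call, so loaded extension code runs without per-call interposition.
"""
import ast
import builtins

# Declarative policy: namespace -> top-level module names visible to it.
# Constructed for this example.
POLICY = {
    "plugin-a": {"math", "json"},
    "plugin-b": {"math"},
}

def imported_names(source):
    """Top-level module names the extension source imports anywhere."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.add(node.module.split(".")[0])
    return names

def make_namespace(namespace, policy=POLICY):
    """Globals dict whose __import__ resolves only names visible to namespace."""
    visible = policy.get(namespace, set())
    real_import = builtins.__import__

    def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
        # Fires once per name resolution, never per ordinary call.
        if level or name.split(".")[0] not in visible:
            raise ImportError(f"{namespace}: name {name!r} is not visible")
        return real_import(name, globals, locals, fromlist, level)

    safe_builtins = dict(vars(builtins))
    safe_builtins["__import__"] = guarded_import
    return {"__name__": namespace, "__builtins__": safe_builtins}

def load_extension(namespace, source, policy=POLICY):
    """Reject hidden names before running any extension code, then bind it."""
    hidden = imported_names(source) - policy.get(namespace, set())
    if hidden:
        raise ImportError(f"{namespace}: names not visible: {sorted(hidden)}")
    ns = make_namespace(namespace, policy)
    exec(compile(source, namespace, "exec"), ns)  # imports go via guarded_import
    return ns
```

Once `load_extension` returns, calling a function bound in the returned namespace involves no further policy check; only a fresh name resolution (including a dynamic `__import__` call) is guarded.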

BIOGRAPHY

Philip Fong is an Assistant Professor at the Department of Computer Science, University of Regina, Saskatchewan, Canada. He received his B.Math. and M.Math. in Computer Science from the University of Waterloo, Ontario, Canada, and his Ph.D. in Computer Science from Simon Fraser University, BC, Canada. His dissertation proposes a modular verification architecture for mobile code systems. His research interests include software security, programming languages, and software engineering.