
Meta Objects for Access Control: Extending Capability-Based Security

Technical Report TR-I4-97-15

Thomas Riechmann, Franz J. Hauck
New Security Paradigms Workshop 97, NSPW '97, Great Langdale, UK,
English, Feb. 1998, 6 pages

Abstract: Object-based programming is becoming more and more popular and is currently conquering the world of distributed programming models. In object-based systems, access control is often based on capabilities, as capability-based security is a well-known paradigm. It has been extended by means to restrict, revoke, and expire capabilities.

On the other hand, capabilities have serious drawbacks. First, in object-based systems, programming is based on the frequent exchange of object references (i.e., capabilities). Thus, it is hard to check which parts of an application are able to gain control of a certain capability. This becomes even harder if we consider distributed object-based systems like Java RMI and CORBA. Second, a capability usually cannot prevent method invocations from leaking unprotected references as return values. Transitive access control is not possible in a transparent way, which is independent of the code describing the invocation.

We present a new security paradigm based on meta objects. Meta objects can be attached to object references and control access to the corresponding objects. Meta objects offer the same functionality as capability-based security. In addition, they can be used for implicit and transitive access control of object references passed as a parameter or as a result. Such a reference can be automatically protected by the meta object by attaching itself or another meta object to the reference before passing it on.

Meta objects can implement arbitrary and user-defined security policies. They help to separate security policies from application code, and thus support reuse.
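The leak described in the abstract, and the transitive protection a meta object provides, can be sketched as follows. This is an added example, not code from the paper: `MetaObject`, `Ref`, `File`, `Directory`, `ReadOnlyDirCap` and `try_write` are hypothetical names, and only references returned as results are protected (not parameters).

```python
# Added illustration; class and method names are hypothetical, not the paper's API.
PASS_BY_VALUE = (str, int, float, bool, bytes, type(None))

class MetaObject:
    """Security policy attached to a reference: allow-list plus revocation."""
    def __init__(self, allowed):
        self.allowed, self.revoked = set(allowed), False

    def check(self, method):
        if self.revoked or method not in self.allowed:
            raise PermissionError(f"{method} denied")

    def protect(self, value):
        # Transitive control: attach this meta object to any reference passed out.
        if isinstance(value, PASS_BY_VALUE + (Ref,)):
            return value
        return Ref(value, self)

class Ref:
    """Object reference with a meta object attached; every call goes through it."""
    def __init__(self, target, meta):
        self._target, self._meta = target, meta

    def __getattr__(self, name):
        if name.startswith("_"):
            raise AttributeError(name)
        def invoke(*args):
            self._meta.check(name)  # access check on each invocation
            return self._meta.protect(getattr(self._target, name)(*args))
        return invoke

class File:
    def __init__(self, data): self.data = data
    def read(self): return self.data
    def write(self, data): self.data = data

class Directory:
    def __init__(self, files): self.files = files
    def lookup(self, name): return self.files[name]

class ReadOnlyDirCap:
    """Plain restricted capability: filters methods but returns raw results."""
    def __init__(self, directory): self._dir = directory
    def lookup(self, name): return self._dir.lookup(name)

def try_write(ref):
    """Return True if a write through this reference is permitted."""
    try:
        ref.write("tampered")
        return True
    except PermissionError:
        return False
```

The policy lives entirely in `MetaObject`, so `File` and `Directory` contain no access-control code.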

