Thomas Riechmann, Franz J. Hauck: Meta Objects for Access Control: Extending Capability-Based Security

Abstract.

Object-based programming is becoming increasingly popular and is currently entering the world of distributed programming models. In object-based systems, access control is often based on capabilities, a well-known security paradigm that has since been extended with means to restrict, revoke, and expire capabilities.

On the other hand, capabilities have serious drawbacks. First, programming in object-based systems is based on the frequent exchange of object references (i.e., capabilities), so it is hard to check which parts of an application are able to gain control of a certain capability. This becomes even harder in distributed object-based systems such as Java RMI and CORBA. Second, a capability usually cannot prevent a method invocation from leaking unprotected references as return values: transitive access control that is transparent, i.e., independent of the code performing the invocation, is not possible.

We present a new security paradigm based on meta objects. Meta objects can be attached to object references and control access to the corresponding objects. Meta objects offer the same functionality as capability-based security. In addition, they can be used for implicit and transitive access control of object references passed as a parameter or as a result. Such a reference can be automatically protected by the meta object by attaching itself or another meta object to the reference before passing it on.

Meta objects can implement arbitrary and user-defined security policies. They help to separate security policies from application code, and thus support reuse.
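The following is an added illustration of the mechanism described in the two preceding paragraphs; it is not code from Riechmann and Hauck's paper or system, and it uses Python in place of the paper's Java-style setting. All names (Account, Bank, MetaObject, ReadOnlyMeta, PlainCapability, ProtectedRef) are this example's own assumptions. A ProtectedRef carries a meta object that checks every invocation against a user-defined policy and then re-attaches itself to each reference the invocation returns, so protection follows the reference transitively; PlainCapability is the same policy without that re-attachment, which is what lets a getter leak the raw object. One caveat: Python cannot make references opaque, so `object.__getattribute__(ref, "_target")` would bypass the guard; the paper's approach relies on a runtime in which the protected object is reachable only through the reference.

```python
# Added illustration, not the paper's code; every name here is this example's own.
# A ProtectedRef carries a meta object that checks each invocation and then
# re-attaches itself to every reference the invocation returns (transitivity).

class Account:  # constructed sample domain object
    def __init__(self, balance):
        self.balance = balance

    def get_balance(self):
        return self.balance

    def withdraw(self, amount):
        self.balance -= amount

class Bank:  # constructed sample domain object
    def __init__(self):
        self._accounts = {}

    def open_account(self, owner, balance):
        self._accounts[owner] = Account(balance)

    def get_account(self, owner):
        return self._accounts[owner]  # a raw reference leaves the method here

class MetaObject:
    """Policy hook attached to a reference; subclasses define allows()."""
    def __init__(self):
        self.revoked = False

    def check(self, target, name, args):
        if self.revoked:
            raise PermissionError("reference revoked")
        if not self.allows(target, name, args):
            raise PermissionError(f"{type(target).__name__}.{name} denied")

    def wrap(self, value):
        """Transitive step: attach this meta object to a returned reference."""
        if isinstance(value, (type(None), bool, int, float, str, bytes)):
            return value  # primitives carry no authority
        return ProtectedRef(value, self)

class ReadOnlyMeta(MetaObject):
    """User-defined policy, kept apart from Account/Bank: queries only."""
    ALLOWED = frozenset({"get_account", "get_balance"})

    def allows(self, target, name, args):
        return name in self.ALLOWED

class PlainCapability(ReadOnlyMeta):
    """Same policy, but results are handed back unprotected (no transitivity)."""
    def wrap(self, value):
        return value

class ProtectedRef:
    """Reference with a meta object attached; every invocation goes through it."""
    def __init__(self, target, meta):
        object.__setattr__(self, "_target", target)
        object.__setattr__(self, "_meta", meta)

    def __getattr__(self, name):
        target = object.__getattribute__(self, "_target")
        meta = object.__getattribute__(self, "_meta")
        method = getattr(target, name)
        if not callable(method):  # only invocations are mediated here
            raise PermissionError(f"field {name} not reachable through reference")

        def guarded(*args, **kwargs):
            meta.check(target, name, args)
            return meta.wrap(method(*args, **kwargs))
        return guarded

    def __setattr__(self, name, value):
        raise PermissionError("no field assignment through a protected reference")

def denied(call):
    """True if the call is refused by a meta object."""
    try:
        call()
        return False
    except PermissionError:
        return True

def capability_leak():
    """Plain capability: get_account() hands out the raw Account."""
    bank = Bank()
    bank.open_account("alice", 100)
    cap_bank = ProtectedRef(bank, PlainCapability())
    cap_bank.get_account("alice").withdraw(40)  # not blocked: reference leaked
    return bank.get_account("alice").balance  # the read-only policy was bypassed

def meta_object_demo():
    """Returns (withdraw_denied, balance_seen, revoked_later) for a meta-object ref."""
    bank = Bank()
    bank.open_account("alice", 100)
    meta = ReadOnlyMeta()
    acct = ProtectedRef(bank, meta).get_account("alice")  # wrapped with same meta
    withdraw_denied = denied(lambda: acct.withdraw(40))
    balance = acct.get_balance()
    meta.revoked = True  # revocation reaches every reference derived from this one
    return withdraw_denied, balance, denied(acct.get_balance)
```

`capability_leak()` returns 60: the policy on the bank reference was honoured, but the Account that `get_account()` returned escaped unprotected, so the withdrawal went through. `meta_object_demo()` returns `(True, 100, True)`: the same getter returns a ProtectedRef carrying the same ReadOnlyMeta, the withdrawal is refused, the query still works, and revoking the meta object later disables the derived reference as well. The policy lives entirely in ReadOnlyMeta; Account and Bank contain no security code.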