A Module System for Isolating Untrusted Software Extensions

Fong, Philip W. L.; Orr, Simon

doi:10.1109/acsac.2006.7

Cited by 2 publications

(1 citation statement)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Likewise, also confined types can be understood using the concept of capabilities that are represented by types (Fong 2005). This idea is further elaborated by Fong in (Fong & Zhang 2004), (Fong 2006), (Fong 2008), and (Fong & Orr 2006). In the first paper, an additional type system is introduced that allows to specify the permitted operations on an object as it is passed from one method to the next.…”

Section: Type-based Securitymentioning

confidence: 94%

Extending the Object-Capability Model with Fine-Grained Type-Based Capabilities.

Wismüller,

Ludwig,

Breitweiser

2024

JOT

View full text Add to dashboard Cite

Although the Principle Of Least Authority (POLA) is a well-recognized guideline for building secure software systems, there is actually a lack of concepts that really encourage programmers to use POLA consequently. The best support for POLA is currently offered by secure languages based on the Object-Capability (OCap) paradigm, where object references serve as capabilities for accessing objects. However, the OCap model just controls the overall accessibility of objects, it does not directly support fine-grained control over the use of specific operations on these objects. While access control at the level of individual methods can be implemented by using the membrane pattern, this approach creates a heavy burden for the programmer, may lead to performance problems, and suffers from the fact that it is difficult to determine the minimum permissions that must be granted.In this paper, we present a type-based split capability model, where the access permissions granted by a reference are restricted by the type of the variables used to send and receive that reference. In this way, required and granted permissions are directly represented in the type definition of a software component's interface. Furthermore, compliance with access restrictions can often be checked statically when a software component is deployed, thus avoiding the run-time overhead of using a membrane.In the case where membranes are needed to enforce access control at run-time, these membranes are automatically built by the run-time system.As a foundation for this model, we specify type checking rules that prevent software components from from amplifying their authority by downcasting a reference to a more permissive type. Finally, we identify the necessary requirements for the run-time system as well as the run-time overhead induced by our security model.

show abstract

Section: Type-based Securitymentioning

confidence: 94%