| DARPA ISO
Sponsored Research
2000 Project Summary
Containment and Integrity for Mobile Code
Cornell University |
| Project Website: |
http://www.cs.cornell.edu/fbs/darpaISO.99/Project.Site.html |
| Quad Chart: |
Quad chart (.ppt) on Inlined Reference Monitors |
| Objective: |
Increasingly, networked information systems are built from extensible
components and span hosts that have different levels of trust in one
another. Enforcing security policies in this setting is crucial, as our
nation's critical infrastructures come to depend on such systems. Key
elements of any solution will include flexible support and efficient
implementations of fine-grained access control; application-level security
policies that take into account the source as well as the contents of the
information used in authorization decisions; and combinations of
fault-tolerance and security properties. Addressing these new needs is the
objective of this research project. |
| Approach: |
Language-Based Security. A new family of security policy-enforcement
techniques is emerging. These techniques are made possible by advances in
the general area of programming languages:
- Inlined Reference Monitors allow enforcement of rich and flexible access
control policies at any interface of a system by merging policy-enforcement
code into each application prior to execution. The approach promises an
efficient technology for enforcing the Principle of Least Privilege, which
is essential for implementing security in extensible systems and in systems
involving mobile code.
- Static program analysis allows trust assumptions and privacy policies,
attached as annotations to system components, to be validated. Flows of
private information can thus be controlled, even in systems that contain
mutually distrustful principals and that span hosts in large-scale networks.
The annotations permit programs to be rewritten automatically so that they
remain secure despite changes to the configuration of their distributed
system.
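The following is an added illustration of the inlined-reference-monitor idea in Python; it is not code from the PoET/PSLang toolkit or from this project. The policy is expressed as a security automaton ("no network send after a file read"), the untrusted application and its two monitored interface calls (read_file, send_network) are constructed for the example, and the rewriter merges a check into each monitored call before the application runs, so that a call with no automaton transition halts the program. PoET performs the analogous rewriting on Java class files; here it is done by wrapping Python methods.

```python
"""Added example: an inlined reference monitor (IRM) built from a security
automaton. Constructed for illustration; not PoET/PSLang code."""


class PolicyViolation(Exception):
    """Raised by an inlined check when the automaton has no transition for
    the observed security-relevant event."""


# Security automaton for the policy "no network send after a file read".
# States: 'start' (nothing read yet) and 'tainted' (some file was read).
# Events are the abstract names of the monitored interface calls.
POLICY = {
    ("start", "read"): "tainted",
    ("start", "send"): "start",
    ("tainted", "read"): "tainted",
    # ("tainted", "send") is deliberately absent: the automaton rejects it.
}


class SecurityAutomaton:
    def __init__(self, transitions, initial="start"):
        self.transitions = transitions
        self.state = initial

    def step(self, event):
        nxt = self.transitions.get((self.state, event))
        if nxt is None:
            raise PolicyViolation(
                f"event {event!r} not allowed in state {self.state!r}")
        self.state = nxt


class UntrustedApp:
    """Hypothetical mobile-code application (constructed). Only read_file
    and send_network are security-relevant; compute is left unmonitored."""

    def __init__(self):
        self.log = []

    def read_file(self, path):
        self.log.append(("read", path))
        return f"<contents of {path}>"

    def send_network(self, host, data):
        self.log.append(("send", host))
        return len(data)

    def compute(self, x):
        return x * 2


def inline_monitor(app, automaton, events):
    """The rewriter: merges policy-enforcement code into the application
    before it executes by wrapping each monitored method so the automaton
    steps before the original body runs. `events` maps method name to the
    automaton event it represents."""
    for method_name, event in events.items():
        original = getattr(app, method_name)

        def guarded(*args, _orig=original, _event=event, **kwargs):
            automaton.step(_event)          # the inlined check
            return _orig(*args, **kwargs)

        setattr(app, method_name, guarded)
    return app


def run_scenario(actions):
    """Runs ('read'|'send'|'compute', arg) actions through a freshly
    monitored app. Returns (actions completed, violation message or None)."""
    app = inline_monitor(UntrustedApp(), SecurityAutomaton(POLICY),
                         {"read_file": "read", "send_network": "send"})
    done = 0
    try:
        for kind, arg in actions:
            if kind == "read":
                app.read_file(arg)
            elif kind == "send":
                app.send_network(arg, b"payload")
            else:
                app.compute(arg)
            done += 1
    except PolicyViolation as e:
        return done, str(e)
    return done, None


if __name__ == "__main__":
    print(run_scenario([("send", "h"), ("read", "/tmp/f"), ("compute", 3)]))
    print(run_scenario([("read", "/tmp/f"), ("compute", 1), ("send", "h")]))
```

Because the check is inserted at the interface call rather than in a separate kernel or VM component, the monitored program pays only for the transitions it actually takes, and a different policy is just a different transition table handed to the same rewriter.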
Composing Fault-Tolerance and Security. Replication enhances
fault-tolerance but, unless done carefully, can lead to systems with greater
vulnerability to attack. In particular, once servers are replicated, it
must not be possible for an attacker to compromise the secrecy or integrity
of the service by compromising some of the replicas.
- The NAP approach for mobile code fault-tolerance instantiates the
primary-backup approach for a setting where the identity of neither primary
nor backup remains static. Orchestrating fail-overs and configuration
management is particularly challenging in this setting.
- Proactive secret sharing allows a service to employ a secret key --- for
secrecy or for signatures that certify integrity --- even if some fraction of
the servers comprising the service have been compromised by attackers.
Previous work requires strong assumptions about network synchrony; new
protocols for asynchronous systems, coupled with Byzantine Quorum systems,
promise to support construction of services that employ replication and
offer both fault-tolerance and security.
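An added example of the property proactive secret sharing relies on, written in Python for this page; it is not the project's asynchronous protocol and omits the Byzantine agreement and verifiable-sharing machinery that a real deployment needs. It uses plain Shamir sharing over a prime field, with a refresh step in which every server contributes a fresh sharing of zero and each server adds the pieces it receives to its own share. The key is unchanged across the refresh, but shares from different epochs do not combine, so an attacker who collects fewer than the threshold in any one epoch learns nothing. The field modulus, server count, threshold and seed are choices made for the example.

```python
"""Added example: Shamir secret sharing with a proactive share refresh.
Constructed for illustration; not the Cornell protocol."""
import random

P = 2**127 - 1   # prime field modulus (constructed choice)


def _eval(coeffs, x):
    """Horner evaluation of the polynomial with the given coefficients at x."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(secret, n, t, rng):
    """Split secret into n shares such that any t reconstruct it.
    Returns {server_id: share_value} for server ids 1..n."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t - 1)]
    return {i: _eval(coeffs, i) for i in range(1, n + 1)}


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over the supplied {x: y} shares."""
    xs = list(shares)
    total = 0
    for i in xs:
        num, den = 1, 1
        for j in xs:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + shares[i] * num * pow(den, P - 2, P)) % P
    return total


def refresh(shares, t, rng):
    """Proactive refresh: each of the n servers distributes a fresh sharing
    of zero, and every server adds what it receives to its own share. The
    constant term (the secret) is unchanged; the shares are re-randomized."""
    n = len(shares)
    new = dict(shares)
    for _ in range(n):                      # one zero-sharing per server
        zero_shares = share(0, n, t, rng)
        for i in new:
            new[i] = (new[i] + zero_shares[i]) % P
    return new


def demo(secret=0x5EC2E7, n=5, t=3, seed=1):
    """Returns (old epoch reconstructs, new epoch reconstructs,
    mixed-epoch shares reconstruct). The last should be False: an attacker
    holding t shares spread across two epochs does not get the key."""
    rng = random.Random(seed)
    epoch0 = share(secret, n, t, rng)
    epoch1 = refresh(epoch0, t, rng)
    ok_old = reconstruct({i: epoch0[i] for i in (1, 2, 3)}) == secret
    ok_new = reconstruct({i: epoch1[i] for i in (2, 4, 5)}) == secret
    mixed = reconstruct({1: epoch0[1], 2: epoch0[2], 3: epoch1[3]}) == secret
    return ok_old, ok_new, mixed


if __name__ == "__main__":
    print(demo())   # expected (True, True, False)
```

The mixed reconstruction fails because the refreshed share at server 3 differs from the old one by the sum of the zero-polynomials evaluated at x = 3, a field element the attacker cannot cancel without the corresponding refreshed values at servers 1 and 2. In the protocols the summary refers to, the same refresh must also tolerate servers that lie about their zero-sharings, which is where verifiable sharing and Byzantine quorums come in.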
|
| Recent FY-99/FY-00
Accomplishments: |
- Distributed version 0.9 of the PoET/PSLang toolkit for specifying
inlined reference monitors.
- Developed inlined reference monitor implementations of the Java 2 stack
inspection policy. One implementation is more flexible than, and exhibits
performance competitive with, Sun's (commercially available) Java 2
systems.
- Completed initial implementation of JLTools, a new platform for research
on Java-based privacy protection.
|
| FY-00 Plans: |
- Understand and document issues associated with deploying inlined
reference monitors at arbitrary interfaces of a system architecture.
- Complete prototype implementation of a secure data repository that uses
asynchronous proactive secret sharing protocols. Implement a certificate
server using this data repository and analyze its performance.
- Implement, using JLTools, the Java Information Flow (JIF) language to
enable static analysis of information flow in Java applications.
|
| Technology
Transition: |
- A major Java software provider has signed a product evaluation agreement
to investigate the feasibility of adopting the PoET/PSLang toolkit.
- The Cornell Prism Digital Library Project adopted PoET/PSLang for
security and for collection preservation.
|
| Principal Investigators: |
Fred B. Schneider
Computer Science Department
Upson Hall
Cornell University
Ithaca, New York
Tel. (607) 255-9221
FAX (607) 255-4428
fbs@cs.cornell.edu |
Andrew Myers
Computer Science Department
Upson Hall
Cornell University
Ithaca, New York
Tel. (607) 255-8597
FAX (607) 255-4428
andru@cs.cornell.edu |
|
| Administrative
Contact: |
Pat Musa
Computer Science Department
Upson Hall
Cornell University
Ithaca, New York
Tel. (607) 255-9219
FAX (607) 255-4428
musa@cs.cornell.edu |