DARPA ISO Sponsored Research

1999 Project Summary
Containment and Integrity for Mobile Code
Cornell University

Project Website:  http://www.cs.cornell.edu/fbs/darpaISO.99/Project.Site.html
Quad Chart:  Quad chart (.ppt) on Inlined Reference Monitors
Objective: Increasingly, networked information systems are built using extensible components and spanning hosts having different levels of trust in each other. Enforcing security policies in this setting is crucial, as our nation's critical infrastructures come to depend on such systems. Key elements of any solution will include flexible support and efficient implementations of fine-grained access control, application-level security policies that take into account the source as well as the contents of information being used in authorization decisions, and combinations of fault-tolerance and security properties. Addressing these new needs is the objective of this research project.
Approach: Language Based Security. A new family of security policy-enforcement techniques is emerging. These new techniques are made possible by advances in the general area of programming languages:
  • Inlined Reference Monitors allow enforcement of rich and flexible access control policies at any interface of a system by merging policy enforcement code into each application prior to execution. The approach promises an efficient technology for enforcing the Principle of Least Privilege, which is essential for implementing security in extensible systems and in systems involving mobile code.
  • Static program analysis allows trust assumptions and privacy policies, attached as annotations to system components, to be validated. Flows of private information can thus be controlled, even in systems that contain mutually distrustful principals and that span hosts in large-scale networks. The annotations permit programs to be rewritten automatically so that they can remain secure, despite changes to the configuration of their distributed system.
  • Composing Fault-Tolerance and Security. Replication enhances fault-tolerance but, unless done carefully, can lead to systems with greater vulnerability to attack. In particular, once servers are replicated, it must not be possible for an attacker to compromise the secrecy or integrity of the service.
    • The NAP approach for mobile code fault-tolerance instantiates the primary-backup approach for a setting where the identity of neither primary nor backup remains static. Orchestrating fail-overs and configuration management is particularly challenging in this setting.
    • Proactive secret sharing allows a service to employ a secret key --- for secrecy or signatures to certify integrity --- even if some fraction of the servers comprising the service have been compromised by attackers. Previous work requires strong assumptions about network synchrony; new protocols for asynchronous systems, coupled with Byzantine Quorum systems, promise to support construction of services that employ replication and offer both fault-tolerance and security.
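The inlined reference monitor idea from the approach above, as an added example that is not the project's PoET/PSLang code: a small security automaton (the policy "no network send after a file read") is merged into untrusted Python source by rewriting its AST so that a check precedes every sensitive call. The operation names read_file and send, the monitor name _irm and the policy itself are constructed for illustration.

```python
import ast
# Added example (not the project's code): an inlined reference monitor (IRM).
# The policy "no network send after a file read" is a security automaton that
# is merged into untrusted source by AST rewriting, so its check runs before
# every sensitive call.  Operation names and the policy are constructed.

SENSITIVE = {"read_file", "send"}   # operations the policy mentions

class PolicyViolation(Exception): pass

class NoSendAfterRead:
    """Automaton: start --read_file--> has_read; 'send' in has_read is rejected."""
    def __init__(self):
        self.state = "start"
    def step(self, op):
        if op == "read_file":
            self.state = "has_read"
        elif op == "send" and self.state == "has_read":
            raise PolicyViolation("send after read_file")
    def guard(self, op, fn):
        """Advance the automaton, then return the callee so the call proceeds."""
        self.step(op)
        return fn

class Inliner(ast.NodeTransformer):
    """Rewrite f(args) into _irm.guard('f', f)(args) for every sensitive f."""
    def visit_Call(self, node):
        self.generic_visit(node)   # rewrite nested calls first
        if isinstance(node.func, ast.Name) and node.func.id in SENSITIVE:
            node.func = ast.Call(
                func=ast.Attribute(value=ast.Name(id="_irm", ctx=ast.Load()),
                                   attr="guard", ctx=ast.Load()),
                args=[ast.Constant(value=node.func.id), node.func], keywords=[])
        return node

def inline_monitor(source):
    """Return the untrusted program with the monitor's checks merged in."""
    return ast.fix_missing_locations(Inliner().visit(ast.parse(source)))

def run_secured(source):
    """Run untrusted source under the IRM; return (completed, operation log).
    Stubs only record requests; a production IRM such as PoET relies on the
    language's type safety to keep the program away from _irm."""
    log = []
    env = {"_irm": NoSendAfterRead(),
           "read_file": lambda name: log.append(("read", name)) or "contents",
           "send": lambda data: log.append(("send", data))}
    try:
        exec(compile(inline_monitor(source), "<untrusted>", "exec"), env)
        return True, log
    except PolicyViolation:
        return False, log
```

The second program in the test is allowed because the automaton only rejects a send that follows a read; the monitor stops the first program at the send and the log shows the read that preceded it.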
Recent FY-98 Accomplishments:
  • Distributed version 0.9 of PoET/PSLang toolkit for specifying inlined reference monitors.
  • Developed inlined reference monitor implementations of the Java 2 stack inspection policy. One implementation is more flexible than SUN's (commercially available) Java 2 systems and exhibits competitive performance.
  • Completed initial implementation of JLTools, a new platform for research on Java-based privacy protection.
FY-99 Plans:
  • Understand and document issues associated with deploying inlined reference monitors at arbitrary interfaces of a system architecture.
  • Complete prototype implementation of a secure data repository that uses asynchronous proactive secret sharing protocols. Implement certificate server using this data repository and analyze performance.
  • Implement, using JLTools, Java Information Flow (JIF) language to enable static analysis of information flow in Java applications.
Technology Transition:
  • A major Java software provider has signed a product evaluation agreement to investigate the feasibility of adopting the PoET/PSLang toolkit.
  • Cornell Prism Digital Library Project adopted PoET/PSLang for security and for collection-preservation.
Principal Investigators:
Fred B. Schneider
Computer Science Department
Upson Hall
Cornell University
Ithaca, New York
Tel. (607) 255-9221
FAX (607) 255-4428
fbs@cs.cornell.edu
Andrew Myers
Computer Science Department
Upson Hall
Cornell University
Ithaca, New York
Tel. (607) 255-8597
FAX (607) 255-4428
andru@cs.cornell.edu
Administrative Contact: Pat Musa
Computer Science Department
Upson Hall
Cornell University
Ithaca, New York
Tel. (607) 255-9219
FAX (607) 255-4428
musa@cs.cornell.edu