- Dan Seth Wallach
This dissertation presents a novel security architecture called
security-passing style and motivates its application to security
issues that arise in mobile code systems such as Java.
Security-passing style, and its predecessor, stack inspection,
allow the system to capture the complex security relationships
that occur when trusted and untrusted code are run together
and interact closely.
Where traditional security architectures can answer general questions
of the form "can subject X use object Y," they fail when
considering problems where one subject may be acting on behalf of
another, or may be acting on its own behalf. These systems generally
have neither the mechanisms to capture the full security context
of a request nor policies expressive enough to
resolve whether these requests should be allowed or denied.
Issues such as these arise in mobile code systems and require
new security mechanisms to address them.
While a number of traditional security architectures, including
capability systems and process-structured systems, can be adapted to
the secure execution of mobile code, this dissertation describes an
architecture that addresses these issues and does it using an
efficient implementation that requires no special hardware or language
runtime support. Security-passing style has a well-defined semantics
describing how it works and allowing for proofs of its soundness.
These semantics also allow us to produce an implementation that has
extremely low overhead (in principle, just over one instruction per
method invocation) based on static analysis of the program to be run
and dynamic caching to make common cases execute faster.
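The abstract contrasts two ways of answering "is this request allowed given everyone who is on the call chain": stack inspection recovers the security context by walking the frames at check time, while security-passing style carries the context forward as an explicit value. The toy model below is an added illustration written for this page, not code from the dissertation or from any Java runtime; the principals ("system", "applet"), the permissions and the five scenarios are constructed, and the security-passing variant does its intersection dynamically on every call rather than with the static analysis the dissertation uses to remove that cost. Both models answer every scenario identically, including the case where trusted code enables a privilege and then calls back into untrusted code.

```python
# Added example: a toy model of stack inspection beside security-passing style.
# Constructed for illustration; not the dissertation's or Java's implementation.
from dataclasses import dataclass
from typing import FrozenSet, List

# Static policy: which permissions each principal is granted (constructed sample).
POLICY = {
    "system": frozenset({"file.read", "net.connect"}),
    "applet": frozenset(),  # untrusted code holds nothing by default
}


# ---- Stack inspection: the context is reconstructed by walking the stack ----
class StackInspector:
    def __init__(self):
        # Each entry is [principal, set of privileges this frame enabled].
        self.stack: List[list] = []

    def call(self, principal, fn):
        """Run fn as `principal`, keeping a frame on the stack for its duration."""
        self.stack.append([principal, set()])
        try:
            return fn(self)
        finally:
            self.stack.pop()  # enabled privileges die with the frame

    def enable(self, perm):
        """enablePrivilege: the current frame vouches for perm (only if it holds it)."""
        principal, enabled = self.stack[-1]
        if perm not in POLICY[principal]:
            raise PermissionError(f"{principal} cannot enable {perm}")
        enabled.add(perm)
        return self

    def check(self, perm):
        """Walk newest to oldest: every frame must hold perm; a frame that
        enabled perm ends the walk with success."""
        for principal, enabled in reversed(self.stack):
            if perm not in POLICY[principal]:
                return False
            if perm in enabled:
                return True
        return True  # bottom of stack reached, every frame held perm


# ---- Security-passing style: the context is an explicit, immutable value ----
@dataclass(frozen=True)
class SPSContext:
    principal: str
    allowed: FrozenSet[str]

    def call(self, principal, fn):
        """Entering `principal`'s code narrows the context to what it is allowed;
        a denial anywhere up the chain is carried forward, no stack walk needed."""
        return fn(SPSContext(principal, self.allowed & POLICY[principal]))

    def enable(self, perm):
        """enablePrivilege: restore perm for this principal's own code."""
        if perm not in POLICY[self.principal]:
            raise PermissionError(f"{self.principal} cannot enable {perm}")
        return SPSContext(self.principal, self.allowed | {perm})

    def check(self, perm):
        return perm in self.allowed


# ---- Scenarios written once against the shared call/enable/check interface ----
def library_read(sec):
    # Trusted library reading on behalf of whoever called it: caller's rights apply.
    return sec.check("file.read")


def library_read_privileged(sec):
    # Trusted library that takes responsibility for the read itself.
    return sec.enable("file.read").check("file.read")


def library_read_then_callback(sec):
    # Privilege was enabled, but the check happens inside untrusted callback code.
    return sec.enable("file.read").call("applet", lambda s: s.check("file.read"))


def run_scenarios(entry):
    """`entry(principal, fn)` starts fn as `principal` with a fresh context."""
    return {
        "applet_direct": entry("applet", lambda s: s.check("file.read")),
        "applet_via_library": entry("applet", lambda s: s.call("system", library_read)),
        "applet_via_privileged_library": entry(
            "applet", lambda s: s.call("system", library_read_privileged)),
        "privileged_library_callback": entry(
            "applet", lambda s: s.call("system", library_read_then_callback)),
        "system_direct": entry("system", lambda s: s.check("file.read")),
    }


def stack_inspection_results():
    return run_scenarios(lambda principal, fn: StackInspector().call(principal, fn))


def security_passing_results():
    return run_scenarios(lambda principal, fn: fn(SPSContext(principal, POLICY[principal])))


if __name__ == "__main__":
    for name, ok in stack_inspection_results().items():
        print(f"{name:32s} stack={ok!s:5s} sps={security_passing_results()[name]}")
```

The instructive cases are the two that plain "can subject X use object Y" policies get wrong: a trusted library called by an applet is denied because it acts on the applet's behalf, yet the same library is allowed once it enables the privilege for its own code, and that grant evaporates as soon as control re-enters untrusted code. In the stack model that answer costs a walk over every frame on each check; in the security-passing model it costs one set intersection per call, which is the operation the dissertation's static analysis and caching are designed to make nearly free.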
- PhD Dissertation, Princeton University, January 1999.
- GZip'ed Postscript (244k)
- PDF (Adobe Acrobat) (432k)