DOI: 10.1145/1272996.1273033
Article

Authorizing applications in Singularity

Published: 21 March 2007

Abstract

We describe a new design for authorization in operating systems in which applications are first-class entities. In this design, principals reflect application identities. Access control lists are patterns that recognize principals. We present a security model that embodies this design in an experimental operating system, and we describe the implementation of our design and its performance in the context of this operating system.


    Published In

    EuroSys '07: Proceedings of the 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems 2007
    March 2007
    431 pages
    ISBN:9781595936363
    DOI:10.1145/1272996
    • ACM SIGOPS Operating Systems Review, Volume 41, Issue 3
      EuroSys'07 Conference Proceedings
      June 2007
      386 pages
      ISSN:0163-5980
      DOI:10.1145/1272998

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. access control
    2. application identity
    3. capabilities
    4. channels
    5. delegation
    6. pattern matching
    7. regular expressions

    Conference

    EuroSys07: Eurosys 2007 Conference
    March 21 - 23, 2007
    Lisbon, Portugal

    Acceptance Rates

    Overall Acceptance Rate 241 of 1,308 submissions, 18%
