ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Enforcing authorization policies using transactional memory introspection
Full text PdfPdf (433 KB)
Source
Conference on Computer and Communications Security archive
Proceedings of the 15th ACM conference on Computer and communications security table of contents
Alexandria, Virginia, USA
SESSION: System security 1 table of contents
Pages 223-234  
Year of Publication: 2008
ISBN:978-1-59593-810-7
Authors
Arnar Birgisson  Reykjavik University, Reykjavik, Iceland
Mohan Dhawan  Rutgers University, Piscataway, NJ, USA
Úlfar Erlingsson  Reykjavik University, Reykjavik, Iceland
Vinod Ganapathy  Rutgers University, Piscataway, NJ, USA
Liviu Iftode  Rutgers University, Piscataway, NJ, USA
Sponsors
ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 28,   Downloads (12 Months): 298,   Citation Count: 2
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1455770.1455800
What is a DOI?

ABSTRACT

Correct enforcement of authorization policies is a difficult task, especially for multi-threaded software. Even in carefully-reviewed code, unauthorized access may be possible in subtle corner cases. We introduce Transactional Memory Introspection (TMI), a novel reference monitor architecture that builds on Software Transactional Memory--a new, attractive alternative for writing correct, multi-threaded software.

TMI facilitates correct security enforcement by simplifying how the reference monitor integrates with software functionality. TMI can ensure complete mediation of security-relevant operations, eliminate race conditions related to security checks, and simplify handling of authorization failures. We present the design and implementation of a TMI-based reference monitor and experiment with its use in enforcing authorization policies on four significant servers. Our experiments confirm the benefits of the TMI architecture and show that it imposes an acceptable runtime overhead.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1
Martín Abadi , Andrew Birrell , Tim Harris , Michael Isard, Semantics of transactional memory and automatic mutual exclusion, Proceedings of the 35th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, January 07-12, 2008, San Francisco, California, USA
 
2
M. Abadi and C. Fournet. Access control based on execution history. In NDSS, 2003.
3
Ali-Reza Adl-Tabatabai , Brian T. Lewis , Vijay Menon , Brian R. Murphy , Bratin Saha , Tatiana Shpeisman, Compiler and runtime support for efficient software transactional memory, Proceedings of the 2006 ACM SIGPLAN conference on Programming language design and implementation, June 11-14, 2006, Ottawa, Ontario, Canada
 
4
The home of AspectC. http://www.aspectc.org.
 
5
AspectJ project. http://www.eclipse.org/aspectj.
 
6
Frederic Besson , Tomasz Blanc , Cedric Fournet , Andrew D. Gordon, From Stack Inspection to Access Control: A Security Analysis for Libraries, Proceedings of the 17th IEEE workshop on Computer Security Foundations, p.61, June 28-30, 2004  [doi>10.1109/CSFW.2004.11]
 
7
A. Birgisson and Ú. Erlingsson. An implementation and semantics for transactional memory introspection in Haskell. Technical Report RUTR-CS08007, Reykjav'ik University, Aug 2008.
 
8
M. Bishop and M. Digler. Checking for race conditions in file accesses. Computer Systems, 9(2):131--152, Spring 1996.
 
9
George Candea , Shinichi Kawamoto , Yuichi Fujiki , Greg Friedman , Armando Fox, Microreboot — A technique for cheap recovery, Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation, p.3-3, December 06-08, 2004, San Francisco, CA
 
10
T. Cargill. Exception handling: A false sense of security. C Report, 6(9), Nov 1994.
 
11
Peter M. Chen , Brian D. Noble, When Virtual Is Better Than Real, Proceedings of the Eighth Workshop on Hot Topics in Operating Systems, p.133, May 20-22, 2001
 
12
F. Christian. Exception handling. Technical Report RJ5724, IBM Research, 1987.
 
13
J. Chung, M. Dalton, H. Kannan, and C. Kozyrakis. Thread-safe dynamic binary translaction using transactional memory. In IEEE HPCA, Feb 2008.
 
14
D. D. Clark and D. R. Wilson. A comparison of commercial and military computer security policies. In IEEE S&P, May 1987.
 
15
F. Cristian. Exception handling and tolerance of software faults. In Software Fault Tolerance. Wiley, 1995.
16
George W. Dunlap , Samuel T. King , Sukru Cinar , Murtaza A. Basrai , Peter M. Chen, ReVirt: enabling intrusion analysis through virtual-machine logging and replay, Proceedings of the 5th symposium on Operating systems design and implementation

Due to copyright restrictions we are not able to make the PDFs for this conference available for downloading

, December 09-11, 2002, Boston, Massachusetts  [doi>10.1145/1060289.1060309]
17
Úlfar Erlingsson , Fred B. Schneider, SASI enforcement of security policies: a retrospective, Proceedings of the 1999 workshop on New security paradigms, p.87-95, September 22-24, 1999, Caledon Hills, Ontario, Canada  [doi>10.1145/335169.335201]
18
Chi Cao Minh , Martin Trautmann , JaeWoong Chung , Austen McDonald , Nathan Bronson , Jared Casper , Christos Kozyrakis , Kunle Olukotun, An effective hybrid transactional memory system with strong isolation guarantees, Proceedings of the 34th annual international symposium on Computer architecture, June 09-13, 2007, San Diego, California, USA
 
19
K. E. Moore et al. Log™: Log-based transactional memory. In IEEE HPCA, Feb 2006.
20
Lance Hammond , Vicky Wong , Mike Chen , Brian D. Carlstrom , John D. Davis , Ben Hertzberg , Manohar K. Prabhu , Honggo Wijaya , Christos Kozyrakis , Kunle Olukotun, Transactional Memory Coherence and Consistency, Proceedings of the 31st annual international symposium on Computer architecture, p.102, June 19-23, 2004, München, Germany
21
Michelle J. Moravan , Jayaram Bobba , Kevin E. Moore , Luke Yen , Mark D. Hill , Ben Liblit , Michael M. Swift , David A. Wood, Supporting nested transactional memory in logTM, Proceedings of the 12th international conference on Architectural support for programming languages and operating systems, October 21-25, 2006, San Jose, California, USA
22
Peter Damron , Alexandra Fedorova , Yossi Lev , Victor Luchangco , Mark Moir , Daniel Nussbaum, Hybrid transactional memory, Proceedings of the 12th international conference on Architectural support for programming languages and operating systems, October 21-25, 2006, San Jose, California, USA
 
23
Extensible access control markup language. http://xml.coverpages.org/xacml.html.
 
24
Christof Fetzer , Pascal Felber , Karin Hogstedt, Automatic Detection and Masking of Nonatomic Exception Handling, IEEE Transactions on Software Engineering, v.30 n.8, p.547-560, August 2004  [doi>10.1109/TSE.2004.35]
 
25
B. Fletcher. Case study: Open source and commercial applications in a Java-based SELinux cross-domain solution. In Annual SELinux Symp., Mar 2006.
 
26
FreeCS--the free chatserver. http://freecs.sourceforge.net.
 
27
Vinod Ganapathy , Trent Jaeger , Somesh Jha, Retrofitting Legacy Code for Authorization Policy Enforcement, Proceedings of the 2006 IEEE Symposium on Security and Privacy, p.214-229, May 21-24, 2006  [doi>10.1109/SP.2006.34]
 
28
Vinod Ganapathy , David King , Trent Jaeger , Somesh Jha, Mining Security-Sensitive Operations in Legacy Code Using Concept Analysis, Proceedings of the 29th international conference on Software Engineering, p.458-467, May 20-26, 2007  [doi>10.1109/ICSE.2007.54]
 
29
T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In NDSS, Feb 2003.
 
30
Li Gong , Gary Ellison, Inside Java(TM) 2 Platform Security: Architecture, API Design, and Implementation, Pearson Education, 2003
 
31
Jim Gray , Andreas Reuter, Transaction Processing: Concepts and Techniques, Morgan Kaufmann Publishers Inc., San Francisco, CA, 1992
32
Tim Harris , Keir Fraser, Language support for lightweight transactions, ACM SIGPLAN Notices, v.38 n.11, November 2003
33
Tim Harris , Simon Marlow , Simon Peyton-Jones , Maurice Herlihy, Composable memory transactions, Proceedings of the tenth ACM SIGPLAN symposium on Principles and practice of parallel programming, June 15-17, 2005, Chicago, IL, USA  [doi>10.1145/1065944.1065952]
34
Maurice Herlihy , Victor Luchangco , Mark Moir, A flexible framework for implementing software transactional memory, Proceedings of the 21st annual ACM SIGPLAN conference on Object-oriented programming systems, languages, and applications, October 22-26, 2006, Portland, Oregon, USA
35
Maurice Herlihy , Victor Luchangco , Mark Moir , William N. Scherer, III, Software transactional memory for dynamic-sized data structures, Proceedings of the twenty-second annual symposium on Principles of distributed computing, p.92-101, July 13-16, 2003, Boston, Massachusetts  [doi>10.1145/872035.872048]
 
36
M. Hocking, K. Macmillan, and D. Shankar. Case study: Enhancing IBM Websphere with SELinux. In Annual SELinux Symp., Mar 2006.
37
Trent Jaeger , Antony Edwards , Xiaolan Zhang, Consistency analysis of authorization hook placement in the Linux security modules framework, ACM Transactions on Information and System Security (TISSEC), v.7 n.2, p.175-205, May 2004  [doi>10.1145/996943.996944]
 
38
Jakarta Apache Commons. http://commons.apache.org/transaction.
 
39
JCraft. WeirdX--pure Java window system server under GPL. http://www.jcraft.com/weirdx.
 
40
D. Kilpatrick, W. Salamon, and C. Vance. Securing the X Window system with SELinux. Technical Report 03-006, NAI Labs, Mar 2003.
41
Samuel T. King , Peter M. Chen, Backtracking intrusions, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
 
42
Jim Larus , Ravi Rajwar, Transactional Memory (Synthesis Lectures on Computer Architecture), Morgan & Claypool Publishers, 2007
 
43
Michael E. Locasto , Angelos Stavrou , Gabriela F. Cretu , Angelos D. Keromytis, From STEM to SEAD: speculative execution for automated defense, 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference, p.1-14, June 17-22, 2007, Santa Clara, CA
 
44
M.D. Matthews. Distributed transactions with MYSQL XA, 2005.
 
45
Microsoft. Transactional NTFS in Windows Vista. http://msdn2.microsoft.com/en--us/library/aa363764.aspx.
46
Edmund B. Nightingale , Daniel Peek , Peter M. Chen , Jason Flinn, Parallelizing security checks on commodity hardware, Proceedings of the 13th international conference on Architectural support for programming languages and operating systems, March 01-05, 2008, Seattle, WA, USA
 
47
S. Peyton-Jones and T. Harris. Transactional memory with data invariants. In ACM SIGPLAN TRANSACT, 2006.
48
Christopher J. Rossbach , Owen S. Hofmann , Donald E. Porter , Hany E. Ramadan , Bhandari Aditya , Emmett Witchel, TxLinux: using and managing hardware transactional memory in an operating system, Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles, October 14-17, 2007, Stevenson, Washington, USA
 
49
Bratin Saha , Ali-Reza Adl-Tabatabai , Quinn Jacobson, Architectural Support for Software Transactional Memory, Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture, p.185-196, December 09-13, 2006  [doi>10.1109/MICRO.2006.9]
50
Fred B. Schneider, Enforceable security policies, ACM Transactions on Information and System Security (TISSEC), v.3 n.1, p.30-50, Feb. 2000  [doi>10.1145/353323.353382]
51
Margo I. Seltzer , Yasuhiro Endo , Christopher Small , Keith A. Smith, Dealing with disaster: surviving misbehaved kernel extensions, Proceedings of the second USENIX symposium on Operating systems design and implementation, p.213-227, October 29-November 01, 1996, Seattle, Washington, United States
52
Nir Shavit , Dan Touitou, Software transactional memory, Proceedings of the fourteenth annual ACM symposium on Principles of distributed computing, p.204-213, August 20-23, 1995, Ottowa, Ontario, Canada  [doi>10.1145/224964.224987]
53
Tatiana Shpeisman , Vijay Menon , Ali-Reza Adl-Tabatabai , Steven Balensiefer , Dan Grossman , Richard L. Hudson , Katherine F. Moore , Bratin Saha, Enforcing isolation and ordering in STM, Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation, June 10-13, 2007, San Diego, California, USA
 
54
Nikhil Swamy , Michael Hicks , Stephen Tse , Steve Zdancewic, Managing Policy Updates in Security-Typed Languages, Proceedings of the 19th IEEE workshop on Computer Security Foundations, p.202-216, July 05-07, 2006  [doi>10.1109/CSFW.2006.17]
 
55
Tar for Java: The com.ice.tar package. http://trustice.com/java/tar/.
 
56
E. Walsh. Integrating X.Org with security-enhanced Linux. In Annual SELinux Symp., Mar 2007.
57
Westley Weimer , George C. Necula, Exceptional situations and program reliability, ACM Transactions on Programming Languages and Systems (TOPLAS), v.30 n.2, p.1-51, March 2008  [doi>10.1145/1330017.1330019]
 
58
Chris Wright , Crispin Cowan , Stephen Smalley , James Morris , Greg Kroah-Hartman, Linux Security Modules: General Security Support for the Linux Kernel, Proceedings of the 11th USENIX Security Symposium, p.17-31, August 05-09, 2002
 
59
x11perf: The X11 server performance test program suite.
 
60
The X11 Server, version X11R6.8 (X.Org Foundation).
 
61
A. Yumerefendi, B. Mickle, and L. Cox. TightLip: Keeping applications from spilling the beans. In USENIX NSDI, April 2007.
 
62
Xiaolan Zhang , Antony Edwards , Trent Jaeger, Using CQUAL for Static Analysis of Authorization Hook Placement, Proceedings of the 11th USENIX Security Symposium, p.33-48, August 05-09, 2002

CITED BY  2
Indrajit Roy , Donald E. Porter , Michael D. Bond , Kathryn S. McKinley , Emmett Witchel, Laminar: practical fine-grained decentralized information flow control, ACM SIGPLAN Notices, v.44 n.6, June 2009
Arnar Birgisson , Úlfar Erlingsson, An implementation and semantics for transactional memory introspection in Haskell, Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security, June 15-21, 2009, Dublin, Ireland

INDEX TERMS

Primary Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection
          Subjects: Access controls

Additional Classification:
  D. Software
  D.1 PROGRAMMING TECHNIQUES
      D.1.3 Concurrent Programming
          Subjects: Parallel programming


General Terms:
Languages, Security


Keywords:
reference monitors, transactional memory

Collaborative Colleagues:
Arnar Birgisson: colleagues
Mohan Dhawan: colleagues
Úlfar Erlingsson: colleagues
Vinod Ganapathy: colleagues
Liviu Iftode: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player