Java Security: From HotJava to Netscape and Beyond
- IEEE Symposium on Security and Privacy, 1996
Cited by 186 (5 self)
The introduction of Java applets has taken the World Wide Web by storm. Information servers can customize the presentation of their content with server-supplied code which executes inside the Web browser. We examine the Java language and both the HotJava and Netscape browsers which support it, and find a significant number of flaws which compromise their security. These flaws arise for several reasons, including implementation errors, unintended interactions between browser features, differences between the Java language and bytecode semantics, and weaknesses in the design of the language and the bytecode format. On a deeper level, these flaws arise because of weaknesses in the design methodology used in creating Java and the browsers. In addition to the flaws, we discuss the underlying tension between the openness desired by Web application writers and the security needs of their users, and we suggest how both might be accommodated.
Automated Detection of Vulnerabilities in Privileged Programs by Execution Monitoring
- In Proceedings of the 10th Annual Computer Security Applications Conference, 1994
Cited by 104 (4 self)
We present a method for detecting exploitations of vulnerabilities in privileged programs by monitoring their execution using audit trails, where the monitoring is with respect to specifications of the security-relevant behavior of the programs. Our work is motivated by the intrusion detection paradigm, but is an attempt to avoid ad hoc approaches to codifying misuse behavior. Our approach is based on the observation that although privileged programs can be exploited (due to errors) to cause security compromise in systems because of the privileges accorded to them, the intended behavior of privileged programs is, of course, limited and benign. The key, then, is to specify the intended behavior (i.e., the program policy) and to detect any action by a privileged program that is outside the intended behavior and that imperils security. We describe a program policy specification language, which is based on simple predicate logic and regular expressions. In addition, we present specifications ...
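The abstract describes a policy with two parts, predicates over individual audit records and a regular expression over the sequence of operations, and a monitor that flags anything outside the specified behaviour. The following is an added example of that idea in Python; it is not the paper's specification language or code. The audit records, the hypothetical print daemon `/usr/sbin/lpd`, its policy and the field names are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed audit trail (not data from the paper) for a hypothetical
# privileged print daemon: one record per line, key=value fields.
AUDIT = """\
pid=412 prog=/usr/sbin/lpd op=open path=/etc/printcap mode=r
pid=412 prog=/usr/sbin/lpd op=read path=/etc/printcap
pid=412 prog=/usr/sbin/lpd op=close path=/etc/printcap
pid=412 prog=/usr/sbin/lpd op=open path=/var/spool/lpd/job1 mode=w
pid=412 prog=/usr/sbin/lpd op=write path=/var/spool/lpd/job1
pid=412 prog=/usr/sbin/lpd op=close path=/var/spool/lpd/job1
pid=412 prog=/usr/sbin/lpd op=open path=/etc/shadow mode=r
pid=412 prog=/usr/sbin/lpd op=read path=/etc/shadow
pid=412 prog=/usr/sbin/lpd op=close path=/etc/shadow
pid=412 prog=/usr/sbin/lpd op=write path=/var/spool/lpd/job1
pid=412 prog=/usr/sbin/lpd op=exec path=/bin/sh
"""

FIELD = re.compile(r"(\w+)=(\S+)")
# Letters used to render the operation sequence for the regular-expression part.
# Operations without a letter (exec, fork, ...) are never part of lpd's spec.
OP_LETTER = {"open": "o", "read": "r", "write": "w", "close": "c"}


def parse(line):
    return dict(FIELD.findall(line))


@dataclass
class ProgramPolicy:
    read_prefixes: tuple    # predicate part: paths that may be opened for reading
    write_prefixes: tuple   # predicate part: paths that may be opened for writing
    sequence: str           # regular-expression part over OP_LETTER letters

    def event_ok(self, ev):
        """Predicate check on a single audit record."""
        if ev["op"] != "open":
            return True, ""
        allowed = self.read_prefixes if ev.get("mode") == "r" else self.write_prefixes
        if ev["path"].startswith(allowed):
            return True, ""
        return False, f"open {ev['path']} mode={ev.get('mode')} not permitted"


# Hypothetical policy: lpd reads its config and spool, writes only the spool,
# and every read or write happens inside an open ... close bracket.
LPD_POLICY = ProgramPolicy(
    read_prefixes=("/etc/printcap", "/var/spool/lpd/"),
    write_prefixes=("/var/spool/lpd/",),
    sequence=r"(o[rw]*c?)*",
)


def monitor(audit_text, policy):
    """Return (line number, reason) for every record outside the policy."""
    violations = []
    trace = ""
    for lineno, line in enumerate(audit_text.splitlines(), 1):
        ev = parse(line)
        ok, why = policy.event_ok(ev)
        if not ok:
            violations.append((lineno, why))
        trace += OP_LETTER.get(ev["op"], "x")
        if not re.fullmatch(policy.sequence, trace):
            violations.append((lineno, f"{ev['op']} outside the specified sequence"))
            trace = ""  # resynchronise so later deviations are reported as well
    return violations


if __name__ == "__main__":
    for lineno, reason in monitor(AUDIT, LPD_POLICY):
        print(f"line {lineno}: {reason}")
```

Line 7 is caught by the predicate (an open of `/etc/shadow`), line 10 by the sequence part (a write with no enclosing open), and line 11 because exec has no place in the daemon's specified behaviour at all. The sequence check works on prefixes of the trace only because every prefix of a string matching `(o[rw]*c?)*` also matches it; a policy whose regular expression lacks that property needs a proper viable-prefix test or an automaton instead of `re.fullmatch`.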
Labels and event processes in the asbestos operating system
- In Proc. 20th ACM Symp. on Operating System Principles (SOSP), 2005
Cited by 86 (11 self)
Asbestos, a new prototype operating system, provides novel labeling and isolation mechanisms that help contain the effects of exploitable software flaws. Applications can express a wide range of policies with Asbestos’s kernel-enforced label mechanism, including controls on inter-process communication and systemwide information flow. A new event process abstraction provides lightweight, isolated contexts within a single process, allowing the same process to act on behalf of multiple users while preventing it from leaking any single user’s data to any other user. A Web server that uses Asbestos labels to isolate user data requires about 1.5 memory pages per user, demonstrating that additional security can come at an acceptable cost.
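To make the abstract's claim concrete (one server process, one isolated context per user, kernel-checked labels that stop one user's data reaching another), here is an added, deliberately simplified model in Python. It is not Asbestos code, and it assumes a reduced form of the label rules: a label maps handles to levels 0 to 3 with a default for handles it does not mention, level 3 marks data as contaminated by that handle's owner, a message may flow from S to R only if S's tracking label is below R's receive (clearance) label, and R's tracking label is then raised to the least upper bound. Declassification privilege and the other label levels of the real system are left out. The endpoint names and the user handles `alice` and `bob` are constructed.

```python
class Label:
    """Map from handle to level 0..3, with a default for unmentioned handles."""

    def __init__(self, default=1, **levels):
        self.default = default
        self.levels = dict(levels)

    def __getitem__(self, handle):
        return self.levels.get(handle, self.default)

    def _handles(self, other):
        return set(self.levels) | set(other.levels)

    def leq(self, other):
        """Partial order: pointwise <= over every handle, default included."""
        return (self.default <= other.default
                and all(self[h] <= other[h] for h in self._handles(other)))

    def lub(self, other):
        """Least upper bound: pointwise maximum."""
        return Label(max(self.default, other.default),
                     **{h: max(self[h], other[h]) for h in self._handles(other)})


class Endpoint:
    """A process or event process: a tracking label (what it has been exposed
    to) and a receive label (what it is cleared to be exposed to)."""

    def __init__(self, name, tracking=None, receive=None):
        self.name = name
        self.tracking = tracking if tracking is not None else Label(1)
        self.receive = receive if receive is not None else Label(2)


def send(src, dst):
    """Kernel-side check for one message: allowed only if the sender's
    contamination fits the receiver's clearance; on success the receiver
    is contaminated with everything the sender was."""
    if not src.tracking.leq(dst.receive):
        return False
    dst.tracking = dst.tracking.lub(src.tracking)
    return True


def run_demo():
    # One Web server process with an event process per logged-in user. Each
    # context is contaminated with that user's handle at level 3.
    ep_alice = Endpoint("server/alice", tracking=Label(1, alice=3))
    ep_bob = Endpoint("server/bob", tracking=Label(1, bob=3))
    # Network connections belonging to a user are cleared for that user's data.
    net_alice = Endpoint("net/alice", receive=Label(2, alice=3))
    net_bob = Endpoint("net/bob", receive=Label(2, bob=3))
    # A shared helper (say, a database) cleared to receive both users' data.
    db = Endpoint("db", receive=Label(2, alice=3, bob=3))
    return {
        "alice->net_alice": send(ep_alice, net_alice),  # True
        "alice->net_bob": send(ep_alice, net_bob),      # False: alice at 3 > 2
        "alice->ep_bob": send(ep_alice, ep_bob),        # False: same reason
        "alice->db": send(ep_alice, db),                # True: db is now contaminated by alice
        "db->net_bob": send(db, net_bob),               # False: contamination followed the data
        "db->net_alice": send(db, net_alice),           # True
    }


if __name__ == "__main__":
    for route, allowed in run_demo().items():
        print(f"{route:18s} {'allowed' if allowed else 'denied'}")
```

The last two results show why tracking labels are raised on receipt: once the shared database has handled alice's data, it cannot talk to bob's connection, whatever its code does. Without that propagation the database would be a trivial laundering path.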
Proactive Public Key and Signature Systems
- 1996
Cited by 76 (17 self)
Emerging applications like electronic commerce and secure communications over open networks have made clear the fundamental role of public key cryptography as a unique enabler for world-wide scale security solutions. On the other hand, these solutions clearly expose the fact that the protection of private keys is a security bottleneck in these sensitive applications. This problem is further worsened in the cases where a single and unchanged private key must be kept secret for a very long time (such is the case of certification authority keys, bank and e-cash keys, etc.). One crucial defense against exposure of private keys is offered by threshold cryptography where the private key functions (like signatures or decryption) are distributed among several parties such that a predetermined number of parties must cooperate in order to correctly perform these operations. This protects keys from any single point of failure. An attacker needs to break into a multiplicity of locations before it ca...
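The abstract's two ingredients, a threshold split of the key and the "proactive" refresh that defeats an attacker who collects shares slowly over a long key lifetime, can be shown with plain Shamir sharing. The following Python is an added example, not the paper's scheme or code: it assumes the Mersenne prime 2^127 - 1 as the field modulus, a (t, n) threshold chosen by the caller, and models the key as a field element rather than as a working signing key. The refresh step is the standard one of adding shares of a random polynomial with constant term zero, so the secret is unchanged while every share moves.

```python
import secrets

# Assumed field modulus for the toy: the Mersenne prime 2^127 - 1.
P = 2**127 - 1


def _eval(coeffs, x):
    """Horner evaluation of the polynomial with coefficients coeffs (low to high) mod P."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def split(secret, t, n):
    """Shamir split: n shares (x, f(x)) of a random degree t-1 polynomial with f(0) = secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {x: _eval(coeffs, x) for x in range(1, n + 1)}


def reconstruct(shares):
    """Lagrange interpolation at x = 0 from a dict {x: y} of at least t shares."""
    total = 0
    for i, yi in shares.items():
        num, den = 1, 1
        for j in shares:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def refresh(shares, t):
    """Proactive refresh: each party contributes shares of a fresh random
    polynomial whose constant term is 0, and every party adds what it
    receives to its own share. The secret is unchanged, but old and new
    shares lie on different polynomials, so shares stolen before the
    refresh cannot be combined with shares stolen after it."""
    new = dict(shares)
    for _ in shares:  # one zero-constant polynomial per contributing party
        zpoly = [0] + [secrets.randbelow(P) for _ in range(t - 1)]
        for x in new:
            new[x] = (new[x] + _eval(zpoly, x)) % P
    return new


def demo(secret=0x5EC12E7_5EC12E7_5EC12E7, t=3, n=5):
    """Return four booleans: old shares work, too few shares fail,
    refreshed shares work, mixing old and new shares fails."""
    old = split(secret, t, n)
    new = refresh(old, t)
    return (
        reconstruct({x: old[x] for x in (1, 3, 5)}) == secret,
        reconstruct({x: old[x] for x in (1, 2)}) != secret,
        reconstruct({x: new[x] for x in (2, 4, 5)}) == secret,
        reconstruct({1: old[1], 2: old[2], 3: new[3]}) != secret,
    )


if __name__ == "__main__":
    print(demo())  # all four True, with overwhelming probability
```

Two things a deployment needs that the toy leaves out: the zero-polynomial shares must travel over authenticated, confidential channels between the parties, and each refresh should be verifiable (e.g. with commitments to the polynomial coefficients) so that a corrupted party cannot silently corrupt everyone's share. Note also that the secret is never assembled in one place in a real threshold signature; `reconstruct` is here only to demonstrate the invariants.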
MAPbox: Using Parameterized Behavior Classes to Confine Applications
- In Proceedings of the 9th USENIX Security Symposium, 2000
Cited by 64 (0 self)
Designing a suitable mechanism to confine commonly used applications is challenging as such a mechanism needs to satisfy conflicting requirements. The trade-off is between configurability and ease of use. In this paper, we present the design, implementation and evaluation of MAPbox, a general-purpose confinement mechanism that retains the ease of use of specialized sandboxes such as Janus and SBOX while providing significantly more configurability. The key idea is to group application behaviors into classes based on the expected functionality and the resources required to achieve that functionality. Classification of behaviors provides a set of behavior labels (class names) that can be used to concisely communicate the expected functionality of programs between the provider and the users. This is similar to the MIME-types used to concisely describe the expected format of data files. Classification of application behaviors also allows class-specific sandboxes to be built and instantiat...
Automated Audit Trail Analysis and Intrusion Detection: A Survey
- In Proceedings of the 11th National Computer Security Conference, 1988
Cited by 60 (2 self)
Today's computer systems are vulnerable to both abuse by insiders and penetration by outsiders, as evidenced by the growing number of incidents reported in the press. Because closing all security loopholes from today's systems is infeasible, and since no combination of technologies can prevent legitimate users from abusing their authority in a system, auditing is viewed as the last line of defense. What is needed are automated tools to analyze the vast amount of audit data for suspicious user behavior. This paper presents a survey of the automated audit trail analysis techniques and intrusion-detection systems that have emerged in the past several years.

1 Introduction
The last few years have seen a sudden and growing interest in automated security analysis of computer system audit trails and in systems for real-time intrusion detection. There is a growing number of research activities devoted to the subject, and some operational systems and even a few commercial products have ...
History-based Access Control for Mobile Code
- In ACM Conference on Computer and Communications Security, 1998
Cited by 59 (2 self)
In this paper, we present a history-based access-control mechanism that is suitable for mediating accesses from mobile code. The key idea behind history-based access-control is to maintain a selective history of the access requests made by individual programs and to use this history to improve the differentiation between safe and potentially dangerous requests. What a program is allowed to do depends on its own behavior and identity in addition to currently used discriminators like the location it was loaded from or the identity of its author/provider. History-based access-control has the potential to significantly expand the set of programs that can be executed without compromising security or ease of use. We describe the design and implementation of Deeds, a history-based access-control mechanism for Java. Access-control policies for Deeds are written in Java, and can be updated while the programs whose accesses are being mediated are still executing.
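The mechanism the abstract sketches, a mediator that keeps a per-program history of granted requests and lets policy rules consult that history alongside conventional discriminators such as code origin, is shown below as an added Python example. It is not Deeds and not the paper's code; Deeds policies are written in Java. The three rules (a program may touch local files or the network but not both, a write quota, and "remote code writes only under /tmp"), the program names, the origin URL `https://example.invalid/...` and the request format are all constructed for the example. Rules are plain functions in a list, so they can be added or removed while requests are being mediated.

```python
from collections import defaultdict

# Each rule takes (program, history of granted requests, new request) and
# returns a reason string to deny, or None to let the next rule decide.


def no_file_and_network(prog, history, req):
    """A program may use local files or the network, never both, in either
    order: blocking only 'read then connect' would leave an already-open
    connection available for exfiltration."""
    if req["kind"] == "net" and any(h["kind"] == "file" for h in history):
        return "network access after local file access"
    if req["kind"] == "file" and any(h["kind"] == "net" for h in history):
        return "file access after network access"
    return None


def write_quota(limit=1_000_000):
    """Cumulative write limit, computed from the recorded history."""
    def rule(prog, history, req):
        if req["kind"] == "file" and req["op"] == "write":
            used = sum(h.get("size", 0) for h in history
                       if h["kind"] == "file" and h["op"] == "write")
            if used + req.get("size", 0) > limit:
                return f"write quota of {limit} bytes exceeded"
        return None
    return rule


def remote_code_writes_tmp_only(prog, history, req):
    """Origin as a conventional discriminator, combined with the history rules."""
    if (req["kind"] == "file" and req["op"] == "write"
            and prog["origin"] != "local" and not req["target"].startswith("/tmp/")):
        return f"code loaded from {prog['origin']} may only write under /tmp"
    return None


class HistoryMonitor:
    def __init__(self, rules):
        self.rules = list(rules)              # mutable: policy can change at run time
        self.history = defaultdict(list)      # program name -> requests granted so far

    def check(self, prog, req):
        """Mediate one request; only granted requests enter the history."""
        hist = self.history[prog["name"]]
        for rule in self.rules:
            reason = rule(prog, hist, req)
            if reason:
                return False, reason
        hist.append(req)
        return True, "granted"


def run_demo():
    m = HistoryMonitor([no_file_and_network, write_quota(), remote_code_writes_tmp_only])
    viewer = {"name": "viewer", "origin": "https://example.invalid/viewer"}
    chat = {"name": "chat", "origin": "https://example.invalid/chat"}
    editor = {"name": "editor", "origin": "local"}
    requests = [  # constructed sequence of requests from three programs
        (viewer, {"kind": "file", "op": "read", "target": "/home/u/notes.txt"}),
        (viewer, {"kind": "net", "op": "connect", "target": "example.invalid:443"}),
        (viewer, {"kind": "file", "op": "write", "target": "/tmp/out", "size": 600_000}),
        (viewer, {"kind": "file", "op": "write", "target": "/tmp/out2", "size": 600_000}),
        (viewer, {"kind": "file", "op": "write", "target": "/home/u/x", "size": 10}),
        (chat, {"kind": "net", "op": "connect", "target": "example.invalid:443"}),
        (chat, {"kind": "file", "op": "read", "target": "/home/u/notes.txt"}),
        (editor, {"kind": "file", "op": "read", "target": "/home/u/notes.txt"}),
        (editor, {"kind": "file", "op": "write", "target": "/home/u/notes.txt", "size": 10}),
        (editor, {"kind": "net", "op": "connect", "target": "example.invalid:443"}),
    ]
    return [m.check(p, r)[0] for p, r in requests]


if __name__ == "__main__":
    print(run_demo())  # [True, False, True, False, False, True, False, True, True, False]
```

The same request (connect to `example.invalid:443`) is granted to `chat` and denied to `viewer` purely because of what each program did earlier, which is the differentiation the abstract is after. Two practical points: the history must record only granted requests, or a program could poison its own history to force denials of later legitimate actions, and a rule that reads the history is only as strong as the mediator's coverage of the interfaces that matter.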
Detecting Intruders in Computer Systems
- In Proceedings of the 1993 Conference on Auditing and Computer Technology, 1993
Cited by 49 (0 self)
Although a computer system's primary defense is its access controls, computer system access controls cannot be relied upon in most cases to safeguard against a penetration or insider attack. Even the most secure systems are vulnerable to abuse by insiders who misuse their privileges, and audit trails may be the only means of detecting authorized but abusive user activity. While many computer systems collect audit data, most do not have any capability for automated analysis of that data. Moreover, many systems collect large volumes of data that are not necessarily security relevant. To address the need for automated security analysis of audit trails, SRI is developing a real-time intrusion-detection expert system (NIDES). NIDES is an independent system that runs on its own workstation and processes audit data characterizing user activity received from a target system. NIDES provides a system-independent mechanism for real-time detection of security violations, whether they are initiated...
Access Control: Policies, Models, and Mechanisms
- Foundations of Security Analysis and Design (Tutorial Lectures), 2001
Cited by 38 (5 self)
Access control is the process of mediating every request to resources and data maintained by a system and determining whether the request should be granted or denied. The access control decision is enforced by a mechanism implementing regulations established by a security policy. Different access control policies can be applied, corresponding to different criteria for defining what should, and what should not, be allowed, and, in some sense, to different definitions of what ensuring security means. In this chapter we investigate the basic concepts behind access control design and enforcement, and point out different security requirements that may need to be taken into consideration. We discuss several access control policies, and models formalizing them, that have been proposed in the literature or that are currently under investigation.