
Flexible control of downloaded executable content.

dc.contributor.author: Jaeger, Trent Ray
dc.contributor.advisor: Prakash, Atul
dc.date.accessioned: 2016-08-30T17:24:02Z
dc.date.available: 2016-08-30T17:24:02Z
dc.date.issued: 1997
dc.identifier.uri: http://gateway.proquest.com/openurl?url_ver=Z39.88-2004&rft_val_fmt=info:ofi/fmt:kev:mtx:dissertation&res_dat=xri:pqm&rft_dat=xri:pqdiss:9722006
dc.identifier.uri: https://hdl.handle.net/2027.42/130267
dc.description.abstract: The goal of this thesis is to develop security services to control the access rights of downloaded executable content. Downloaded executable content, such as active mail, mobile agents, applets, and command scripts, consists of programs that are retrieved from a remote source, often over untrusted networks, and executed upon receipt. Downloaded content can, in general, enable complex programs to be built that provide custom interfaces, perform file I/O, communicate with remote principals, and execute the commands available in traditional languages. From a security perspective, the important feature of downloaded executable content is that it enables remote principals, whom we call content providers, to execute programs in a process owned by the downloading principal. Unless controlled, malicious downloaded content could enable its provider to: (1) gain access to the downloading principal's private data; (2) masquerade as the downloading principal to others; and (3) read secret system data, such as secret passwords, on the downloading principal's system. To protect systems from these and other attacks, current downloaded content systems strictly limit the access rights of the content. For example, some Java-enabled web browsers do not permit their applets to perform any file I/O on the downloading principal's system and permit them to communicate only with processes at the originating IP address of the content. However, many applications have greater I/O requirements than are permitted by these systems, whereas some have fewer I/O requirements. For example, a workflow system needs to read and modify forms available on the downloading principal's system. In addition, communication with principals other than the content provider may be necessary to complete a workflow activity. On the other hand, it should be possible to download an application and not grant it the permission to communicate with the application's content provider.
In this thesis, we develop a downloaded content execution system to control the access rights of content for this variety of applications. Therefore, content from trusted principals may be granted substantial rights to the downloading principal's system while content from untrusted sources can be given few if any rights. Our contributions are the identification of three key problems that must be solved for content to be flexibly controlled and the development of downloaded content execution systems that solve these problems under varying environmental assumptions. The key problems in flexibly controlling content are: (1) authentication of content providers; (2) derivation of content access rights given the trust in those content providers and their purpose; and (3) enforcement of these rights throughout the execution of the content. We detail solutions to these problems in three downloaded content systems that control content in progressively less restricted environments. In the first system, principals interact over a trusted network using a shared file system. In the second system, principals interact over an untrusted network, but where the users are trusted to make access control decisions at runtime without being spoofed. In the third system, the network is assumed to be untrusted, and the access control decisions that users are trusted to make are limited. We evaluate the functionality offered by this third system and the effect of a prototype implementation on its performance.
dc.format.extent: 159 p.
dc.language: English
dc.language.iso: EN
dc.subject: Content
dc.subject: Control
dc.subject: Downloaded
dc.subject: Executable
dc.subject: Flexible
dc.title: Flexible control of downloaded executable content.
dc.type: Thesis
dc.description.thesisdegreename: PhD
dc.description.thesisdegreediscipline: Applied Sciences
dc.description.thesisdegreediscipline: Computer science
dc.description.thesisdegreegrantor: University of Michigan, Horace H. Rackham School of Graduate Studies
dc.description.bitstreamurl: http://deepblue.lib.umich.edu/bitstream/2027.42/130267/2/9722006.pdf
dc.owningcollname: Dissertations and Theses (Ph.D. and Master's)

