Distributed Policy Management for JDK 1.2
Download: Paper (PDF)
Date: 4 Feb 1999
Document Type: Reports
Additional Documents: Slides
Associated Event: NDSS Symposium 1999
In JDK 1.2, the security architecture supports fine grained access control. In the default implementation, Java runtime modules (classes) are signed, and permissions are configured through a configuration file using the signer's identity and the loading location (URL) of the module. In a large network, the number of applets and the frequency of changes to the security policy will eventually grow very large. In a large organization, changing the configuration file in all Java enabled workstations and devices every time a need arises may be very hard.
In this paper, we describe a better scaling solution. We use authorization certificates to delegate permissions to Java modules. In JDK 1.2, the permissions are attached to the runtime modules through protection domains. In our implementation, each protection domain may be decorated with one or more SPKI certificates. These certificates directly describe the possible permissions of the domain. The actual permissions depend on the currently valid certificate chains leading to these certificates.
In addition to the certificates distributed with the modules, certificates for the chains may be retrieved from a distributed directory service. This approach makes it possible to fully distribute Java security policy management, allowing, among other things, security policy to be changed and new permission types to be introduced without any modifications to the local configuration. Furthermore, the permissions need not be statically assigned but can be dynamically derived from the SPKI certificates as needed.
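The chain-based derivation described above, as an added illustration that is not code from the paper or from JDK 1.2: a protection domain holds SPKI-style certificates, and its effective permissions are whatever the currently valid chains from the local trusted key reduce to (tags intersected along each link, union across chains). Key names, the integer timestamps and the permission triples are constructed for the example.

```python
from dataclasses import dataclass

# Permissions are modelled as (permission class, target, action) tuples, the
# shape of a JDK 1.2 policy entry; an SPKI "tag" is a frozenset of them.
@dataclass(frozen=True)
class SpkiCert:
    issuer: str        # key that signed the certificate (constructed names)
    subject: str       # key, or module hash, receiving the authority
    tag: frozenset     # permissions granted
    delegate: bool     # whether the subject may pass the authority on
    not_after: int     # validity end, as a constructed integer timestamp

def reduce_chain(chain, trusted_root, now):
    """SPKI-style reduction: follow issuer->subject links from the local
    trusted key, intersect tags, reject broken/non-delegable/expired links."""
    if not chain or chain[0].issuer != trusted_root:
        return frozenset()
    effective = None
    for i, cert in enumerate(chain):
        if now > cert.not_after:
            return frozenset()
        if i > 0 and (chain[i - 1].subject != cert.issuer
                      or not chain[i - 1].delegate):
            return frozenset()
        effective = cert.tag if effective is None else effective & cert.tag
    return effective

def domain_permissions(chains, trusted_root, now):
    """A domain decorated with several certificates gets the union of what
    every currently valid chain reduces to; nothing is configured locally."""
    result = frozenset()
    for chain in chains:
        result |= reduce_chain(chain, trusted_root, now)
    return result

# Constructed sample: the local policy key delegates to a department key,
# which grants a narrower subset to a signed module identified by its hash.
ROOT = "K_policy"
DEPT = SpkiCert(ROOT, "K_dept", frozenset({
    ("java.io.FilePermission", "/tmp/-", "read"),
    ("java.io.FilePermission", "/tmp/-", "write"),
    ("java.net.SocketPermission", "intranet.example:80", "connect"),
}), delegate=True, not_after=2000)
MODULE = SpkiCert("K_dept", "H_applet", frozenset({
    ("java.io.FilePermission", "/tmp/-", "read"),
    ("java.net.SocketPermission", "intranet.example:80", "connect"),
    ("java.io.FilePermission", "/etc/-", "read"),  # issuer lacks it: dropped
}), delegate=False, not_after=1500)

def applet_permissions(now):
    return domain_permissions([[DEPT, MODULE]], ROOT, now)
```

Once the module certificate expires (after 1500) or a link is missing, the domain reduces to no permissions at all, which is the dynamic behaviour the static policy file cannot offer.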
Our approach also enables further extensions. In particular, we propose how permissions could be delegated from a domain in one JVM to a domain in another JVM. This could eventually lead to a fully distributed secure Java execution environment.