Article · May 1996


Source: CiteSeer

All content following this page was uploaded by Roy Campbell on 11 November 2015.

Active Capability: A Unified Security Model for Supporting
Mobile, Dynamic and Application Specific Delegation
White Paper

Roy H. Campbell
Tin Qian
Willy Liao
Zhaoyu Liu
Department of Computer Science
University of Illinois, Urbana-Champaign
Digital Computer Laboratory
1304 W. Springfield
Urbana, IL 61801
February 16, 1996
1 Introduction
As the internet becomes a household name, there is great interest in providing services such as
banking, shopping and cable TV via the internet. Although this vision is widely expected to
become reality soon, and several experimental services have already been set up over the internet,
many difficult issues remain. In particular, concerns about the security of the internet have
seriously hindered the wide deployment of internet-based services. The difficulty of devising a
security infrastructure for the internet is largely due to the autonomous, dynamic, diverse and
distributed nature of the internet. The internet is a federation of different computer systems with
very diverse security policies. In [3] P. Janson et al. list several typical scenarios with different
security protection boundaries. They point out that the great diversity arising from the different
combinations and refinements of these scenarios requires a broad set of protection and security
functions. Recent advances in mobile computing have turned the internet into a dynamic
communication environment, which presents an even greater challenge in employing secure
communication, authentication and privacy measures. The emerging point-to-point high-speed
networks like ATM have not solved the security problem. On the contrary, an existing study [1]
showed that ATM networks are also vulnerable to eavesdropping and denial of service attacks;
security in ATM networks presents new challenges. Another inadequately studied issue in computer
security is protection against denial of service. The few existing research efforts in this area were
mostly about defining access-control policies, which are largely based on the traditional access
matrix model. Millen [5] pointed out that the access matrix model "is not expressive enough to
elucidate the problem of denial of service". Moreover, access control policies are inherently
application dependent. Especially in the internet environment, it is highly desirable to enable
constrained interconnection between autonomous network domains, so that people who want to
connect their networks to the internet need not worry about malicious attacks on the availability
of the services they provide.
To address these problems, we propose a new security model based on recent innovations in
type-safe scripting languages, extendible systems software, and software protection. The basic
idea is to augment the conventional capability-based security and protection model with
user-supplied scripts. The principles behind this design are:
- it provides a unified framework for incorporating different security models
- it supports delegation and revocation in dynamic communication environments such as mobile
computing
- it decouples high-level security functions, such as delegation and access control, from
underlying facilities, such as authentication and encryption
- it allows an application to define its own security policy in a descriptive way
- it provides a minimal policy-free core of security functions which can be implemented
efficiently
- it enables extendibility, reconfigurability and adaptability by keeping the complexity of
application-specific security policies in user-level scripts

2 Active Capability
The integration of security models is critical to providing genuine security, since a security
hole in any part of the system will seriously compromise the effort made by the rest of the
system. However, in a large information networking environment like the internet, security is
enforced autonomously, and it is therefore inherently vulnerable to security attacks. With active
capability we can provide a unified security and protection model for the internet without
sacrificing its autonomy.

Conceptual Model
Traditionally, security systems often use an access matrix to model access control policies. Each
column of an access matrix represents a protected object and each row corresponds to a principal
who wants to access that object. Each matrix entry defines the access rights the principal has on
that object. The limitation of this model is that it can only model static access control
policies. Our active capability model goes beyond this limitation by replacing passive access
rights with executable scripts. In this way we can use this augmented access matrix as a general
model to unify the modeling of many different policies and services dynamically and flexibly.

Active Capability
An active capability is an active object which carries out security functions for protecting and
controlling access to the object(s) it is associated with. In our design it is realised as a piece
of unforgeable script, so that it can reside in user space and be freely passed around. When a
principal wants to access an object, it has to present the capability and the desired operations.
It is essential that the system can safely run the script in a domain different from the one in
which the script originated. Thus we advocate the use of a safe language such as Java [2], which
is type safe and can be checked for security violations. Another benefit of using Java is that we
can construct active capabilities in an object-oriented fashion. For example, capabilities with
delegation support can reuse the authentication code by subclassing the authenticated
capabilities. We may also use metaobjects to describe the internal structure and validation
procedures of those capabilities. To reduce a capability's size in the common cases, the system
can provide standard capability bases, and users can use references to those scripts instead of
the scripts themselves.

Security Agent
A security agent defines the low-level security protocols used between active capabilities and
security managers, such as authentication and encryption methods. It runs in security managers
as part of their runtime. Since it is written in Java script, it can be easily distributed and
loaded into or unloaded from security managers.

Security Manager
A security manager mainly consists of a Java interpreter and a security runtime. The
responsibility of a security manager is to create and validate active capabilities. It provides
security management to conventional name servers by maintaining security information about
objects (servers) such as public/private keys, passwords and identity certificates. Each security
manager provides a minimum set of security services, and most functionality is extended through
run-time loading of security agents and active capabilities.

Object Manager
Object managers can be persistent objects, databases, kernel services or libraries. Conceptually
they are mainly of two kinds: static ones like persistent objects, and dynamic ones like object
factories. In the active capability model, an object manager creates and manages objects whose
access rights are defined and interpreted by the manager.
Figure 1 shows the basic interaction among the objects described above. Whenever a client wants
to access an object, it passes the desired operations to the capability associated with that
object. The security manager dispatches a compatible security agent to verify the capability and
provide an appropriate runtime environment for the capability to determine whether this access
will be granted or not. If it is granted, the security agent sends a message to the object manager
that manages the desired object, with information about the identifier of the object and the
operations.

[Figure 1: Active Capability Model. A client presents active capabilities (CA) together with
operations (OP) to the security manager; security agents inside the security manager verify them
and forward object identifier/operation (OID/OP) requests to the object managers.
CA: Active Capability, OID: Object Identifier, OP: Operation]
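The interaction of Figure 1, and the contrast between a static access-matrix entry and an executable one, as an added example that is not part of the paper and not the authors' code. Python callables stand in for the paper's Java scripts, an HMAC issued by the security manager stands in for whatever makes a capability unforgeable (an assumption of this example), and the "standard capability bases" are a name-to-script table so a capability carries a reference plus parameters rather than the script itself. The quota script is one way an active entry can express the denial-of-service concern from the introduction, which a static rights set cannot. All names, keys and identifiers below are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key. In the model the security manager's runtime holds the secret that
# makes capabilities unforgeable; an HMAC over the capability body stands in for it here.
MANAGER_KEY = b"constructed-demo-key-not-for-real-use"


# Standard capability bases: policy scripts the security manager keeps on hand. A capability
# refers to one by name and carries only parameters instead of shipping the script itself.
def static_rights(params, state, op, ctx):
    """Classic access-matrix entry: a fixed set of permitted operations."""
    return op in params["rights"]


def quota(params, state, op, ctx):
    """Active entry: at most params['max'] operations per params['window'] seconds.
    The per-capability state is kept by the security agent between invocations."""
    if op not in params["rights"]:
        return False
    recent = [t for t in state.get("hits", []) if t > ctx["now"] - params["window"]]
    if len(recent) >= params["max"]:
        state["hits"] = recent
        return False            # budget exhausted: a simple denial-of-service guard
    state["hits"] = recent + [ctx["now"]]
    return True


CAPABILITY_BASES = {"static": static_rights, "quota": quota}


@dataclass
class ActiveCapability:
    oid: str          # object identifier
    base: str         # name of the policy script this capability runs
    params: dict
    mac: str = ""     # issued by the security manager; binds oid, base and params

    def payload(self) -> bytes:
        body = {"oid": self.oid, "base": self.base, "params": self.params}
        return json.dumps(body, sort_keys=True).encode()


class ObjectManager:
    """Receives (OID, OP) only after the security agent has granted the access."""
    def __init__(self):
        self.log = []

    def perform(self, oid, op):
        self.log.append((oid, op))


class SecurityManager:
    def __init__(self):
        self.object_managers = {}
        self.agent_state = {}   # runtime state per capability, owned by the security agent

    def register(self, oid, manager):
        self.object_managers[oid] = manager

    def _mac(self, cap):
        return hmac.new(MANAGER_KEY, cap.payload(), hashlib.sha256).hexdigest()

    def issue(self, oid, base, params):
        cap = ActiveCapability(oid, base, params)
        cap.mac = self._mac(cap)
        return cap

    def access(self, cap, op, ctx):
        """Security agent step: check the capability is unforged, run its script, forward OID/OP."""
        if not hmac.compare_digest(self._mac(cap), cap.mac):
            return "forged"
        script = CAPABILITY_BASES.get(cap.base)
        if script is None:
            return "unknown base"
        state = self.agent_state.setdefault(cap.mac, {})
        if not script(cap.params, state, op, ctx):
            return "denied"
        self.object_managers[cap.oid].perform(cap.oid, op)
        return "granted"


def demo():
    """Constructed scenario: one object manager, a static and a quota capability, one forgery."""
    sm, om = SecurityManager(), ObjectManager()
    sm.register("doc-1", om)
    static = sm.issue("doc-1", "static", {"rights": ["read"]})
    limited = sm.issue("doc-1", "quota", {"rights": ["read"], "max": 3, "window": 60})
    # A client edits the parameters of an issued capability but keeps its old MAC.
    forged = ActiveCapability("doc-1", "static", {"rights": ["read", "write"]}, mac=static.mac)
    return {
        "static_read": sm.access(static, "read", {"now": 100}),
        "static_write": sm.access(static, "write", {"now": 100}),
        "quota": [sm.access(limited, "read", {"now": 100 + i}) for i in range(4)],
        "quota_after_window": sm.access(limited, "read", {"now": 200}),
        "forged_write": sm.access(forged, "write", {"now": 100}),
        "om_log": list(om.log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The object manager never sees a request that the agent did not grant, which is the point of routing every access through the capability and the security manager rather than through the object manager's own checks.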

3 Delegation
As more and more information is distributed through the network, a task cannot be done without
the co-operation of other principals. Often it is necessary to delegate subtasks, and possibly
access rights, to those foreign principals so that they can do the work on your behalf. In
particular, frequent disconnections in a ubiquitous computing environment require mobile systems
to delegate computation- or communication-intensive processing to more powerful servers. In our
model delegation is supported by constructing delegatable capabilities which accept a delegate
operation and generate new capabilities for delegatees. We illustrate how the active capability
model can unify the existing delegation models in the rest of this section.
3.1 Centralized Model

Many existing delegation architectures [4] use a centralized authentication server to provide
delegation services. Because of the different delegation requirements, they often devise several
different delegation mechanisms in one system. With the active capability model, however, the
diversity of delegation mechanisms is encapsulated in the active capability itself.
3.2 Distributed Model

The major disadvantage of the centralized approach is that the delegation server can be a serious
bottleneck for the entire system, even though some applications do not require any security
function at all. So several distributed delegation models have been proposed [8].

Service-Based Delegation
In one of our previous studies on the security of mobile computing [8] we designed a
customizable framework supporting frequent delegation and revocation. In that model we performed
delegation on a per-service basis, i.e. delegation attributes are maintained and interpreted
solely by the service being delegated. Like other static access control list approaches [6], this
model is inadequate for specifying dynamic and fine-grained delegation restrictions. In the active
capability model, this delegation model can be easily implemented by simply letting active
capabilities talk to service providers whenever users want to access the service via those active
capabilities. Because of the descriptiveness of the Java script language, arbitrary restrictions
can be put on those delegation capabilities.

Client-Based Delegation
One of the most distinctive features of the active capability model is that it can support
client-based delegation, with which the delegation service can be constructed in a fully
distributed way. The essential idea is that, using the properties of asymmetric encryption
schemes such as RSA [7], active capabilities can be verified and authorized locally. One way to
implement this is to let each principal involved in a delegation process give the capability a
certificate signed by its private key. The security agent, or even the active capability itself,
can then verify its validity. It also makes cascading delegation very simple. As to revocation,
depending on the application's requirements, different revocation mechanisms can be realized by
defining an application-specific authentication and authorization protocol between active
capabilities and security agents.
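The client-based delegation just described, as an added example that is not part of the paper and not the authors' code. Each principal in a cascading delegation signs a certificate naming the next principal and the operations it passes on; a verifier holding only the object owner's public key checks the whole chain locally, with no delegation server. The RSA here is a textbook construction with Miller-Rabin prime generation and a fixed seed, written only so the block runs offline; a real deployment would use a vetted library with proper padding and a CSPRNG. The certificate fields, the rule that a delegatee can only narrow rights, the expiry, and the fingerprint revocation list are this example's choices for the "application-specific" protocol the paper leaves open, not something the paper specifies. All names and identifiers are constructed.

```python
import hashlib
import json
import math
import random


# --- textbook RSA, constructed for this demonstration only ---
def _is_probable_prime(n, rng, rounds=24):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):                       # Miller-Rabin witnesses
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def keygen(rng, bits=160):
    """Return ((n, e), (n, d)). n has about 2*bits bits, so a SHA-256 digest is below n."""
    def prime():
        while True:
            c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if _is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and math.gcd(65537, phi) == 1:
            return (n, 65537), (n, pow(65537, -1, phi))


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    n, d = priv
    return pow(_digest(data), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data)


# --- delegation certificates: issuer -> subject, for one object, a set of operations, an expiry ---
def _body(issuer, subject, oid, ops, expires):
    return json.dumps({"issuer": issuer, "subject": subject, "oid": oid,
                       "ops": sorted(ops), "expires": expires}, sort_keys=True).encode()


def delegate(issuer_pub, issuer_priv, subject_pub, oid, ops, expires):
    body = _body(issuer_pub, subject_pub, oid, ops, expires)
    return {"issuer": issuer_pub, "subject": subject_pub, "oid": oid,
            "ops": sorted(ops), "expires": expires, "sig": sign(issuer_priv, body)}


def fingerprint(cert):
    """Stable identifier for a certificate; revocation lists hold these."""
    body = _body(cert["issuer"], cert["subject"], cert["oid"], cert["ops"], cert["expires"])
    return hashlib.sha256(body).hexdigest()


def verify_chain(owner_pub, chain, holder_pub, oid, op, now, revoked=frozenset()):
    """Local verification of a cascading delegation; returns (granted, reason)."""
    expected_issuer, allowed = owner_pub, None
    for depth, cert in enumerate(chain):
        body = _body(cert["issuer"], cert["subject"], cert["oid"], cert["ops"], cert["expires"])
        if cert["issuer"] != expected_issuer:
            return False, f"cert {depth}: issuer does not chain to the previous subject"
        if not verify(cert["issuer"], body, cert["sig"]):
            return False, f"cert {depth}: bad signature"
        if cert["oid"] != oid:
            return False, f"cert {depth}: wrong object"
        if now >= cert["expires"]:
            return False, f"cert {depth}: expired"
        if fingerprint(cert) in revoked:
            return False, f"cert {depth}: revoked"
        if allowed is not None and not set(cert["ops"]) <= allowed:
            return False, f"cert {depth}: widens the delegator's rights"
        allowed, expected_issuer = set(cert["ops"]), cert["subject"]
    if expected_issuer != holder_pub:
        return False, "chain does not end at the presenting principal"
    if allowed is None or op not in allowed:
        return False, "operation not delegated"
    return True, "ok"


def demo():
    """Constructed scenario: owner -> alice -> bob, plus the failure modes a verifier must catch."""
    rng = random.Random(2024)            # fixed seed: deterministic demo keys, not real key material
    owner_pub, owner_priv = keygen(rng)
    alice_pub, alice_priv = keygen(rng)
    bob_pub, _ = keygen(rng)
    stranger_pub, stranger_priv = keygen(rng)
    oid = "printer-42"
    c1 = delegate(owner_pub, owner_priv, alice_pub, oid, {"read", "write"}, expires=2000)
    c2 = delegate(alice_pub, alice_priv, bob_pub, oid, {"read"}, expires=1500)   # cascaded, narrowed
    wide = delegate(alice_pub, alice_priv, bob_pub, oid, {"read", "write", "delete"}, expires=1500)
    tampered = dict(c2, ops=["read", "write"])                                     # edited after signing
    rogue = delegate(stranger_pub, stranger_priv, bob_pub, oid, {"read"}, expires=2000)
    return {
        "alice_write": verify_chain(owner_pub, [c1], alice_pub, oid, "write", now=1000)[0],
        "bob_read": verify_chain(owner_pub, [c1, c2], bob_pub, oid, "read", now=1000)[0],
        "bob_write": verify_chain(owner_pub, [c1, c2], bob_pub, oid, "write", now=1000)[0],
        "widened": verify_chain(owner_pub, [c1, wide], bob_pub, oid, "delete", now=1000)[0],
        "tampered": verify_chain(owner_pub, [c1, tampered], bob_pub, oid, "write", now=1000)[0],
        "expired": verify_chain(owner_pub, [c1, c2], bob_pub, oid, "read", now=1600)[0],
        "revoked": verify_chain(owner_pub, [c1, c2], bob_pub, oid, "read", now=1000,
                                revoked={fingerprint(c1)})[0],
        "rogue_root": verify_chain(owner_pub, [rogue], bob_pub, oid, "read", now=1000)[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Revoking c1 (the owner's grant to alice) cuts off everything alice delegated onward, which is the property a cascading scheme needs: revocation at one link invalidates the whole subtree below it without contacting any delegatee.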

4 Progress To Date
The first step we have taken towards the full implementation of the Active Capability model is to
provide encryption and authentication in Java. The authentication mechanism currently
implemented is Kerberos. Basically, we took the authentication and encryption libraries from
Kerberos version 5 and added them to the Java runtime as native methods. We defined the interface
for accessing these basic security functions as a composable and extendible encryption and
authentication framework, so that the rest of the security system does not depend on one specific
encryption and authentication mechanism, and the system can be easily customized and extended
via subclassing without affecting other system components and existing applications.

References
[1] Daniel Stevenson, Nathan Hillery, and Greg Byrd. Secure communications in ATM networks.
Communications of the ACM, 38(2):45–52, February 1995.
[2] James Gosling and Henry McGilton. The Java Language Environment: A White Paper. Technical
report, Sun Microsystems Computer Company, Mountain View, CA 94043, USA, May 1995.
[3] P. Janson and R. Molva. Security in open networks and distributed systems. Computer Networks
and ISDN Systems, 22(5):323–346, October 1991.
[4] J. Kohl and C. Neuman. The Kerberos network authentication service (V5). Technical Report
Internet RFC 1510, September 1993.
[5] Jonathan K. Millen. A resource allocation model for denial of service. In 1992 IEEE Symposium
on Security and Privacy, pages 137–147, Oakland, California, May 1992.
[6] B. Clifford Neuman. Proxy-based authorization and accounting for distributed systems. In
Proceedings of the 13th International Conference on Distributed Computing Systems, May 1993.
[7] R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key
cryptosystems. Communications of the ACM, 21(2):120–127, February 1978.
[8] Roy Campbell, Daniel Sturman, and Theron Tock. Mobile computing, security and delegation.
In the International Workshop on Mobile Computing, Japan, 1994.
