Paper title
Security Wrappers for Information-Flow Control in Active Object Languages with Futures
Paper authors
Paper abstract
This paper introduces a run-time mechanism for preventing leakage of secure information in distributed systems. We consider a general concurrency language model, where concurrent objects interact by asynchronous method calls and futures. The aim is to prevent leakage of confidential information to low-level viewers. The approach is based on the notion of a security wrapper, which encloses an object or a component and controls its interactions with the environment. A wrapper is a mechanism added by the run-time system to provide protection of an insecure component according to some security policies. The security policies of a wrapper are formalized based on a notion of security levels. At run-time, future components will be wrapped upon need, while only objects of unsafe classes will be wrapped, using static checking to limit the number of unsafe classes and thereby reducing run-time overhead. We define an operational semantics and prove that non-interference is satisfied. A service provider may use wrappers to protect its services in an insecure environment, and vice versa: a system platform may use wrappers to protect itself from insecure service providers.
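The wrapper idea in the abstract, as an added toy model that is not the paper's operational semantics: it assumes a two-point lattice (LOW below HIGH), that a wrapper blocks a message send whose level exceeds the wrapped object's level, that a future carries the join of the callee's level and the send's level, and that reading a future is checked against the reader's level; futures are resolved eagerly here instead of asynchronously.

```python
from typing import Any, Callable, Dict, NamedTuple

LOW, HIGH = 0, 1  # assumed two-point security lattice, LOW <= HIGH

class FlowViolation(Exception):
    """Raised when the wrapper would let HIGH information reach LOW."""

class Future(NamedTuple):
    level: int   # level of the value the future carries
    value: Any

class Wrapper:
    """Encloses an active object and mediates its interactions with the environment."""
    def __init__(self, name: str, level: int, methods: Dict[str, Callable[..., Any]]):
        self.name, self.level, self.methods = name, level, methods

    def call(self, caller_level: int, method: str, *args: Any,
             arg_level: int = LOW) -> Future:
        # A send carries the join of caller and argument levels; delivering it
        # to a lower-level object would be a downward (illegal) flow.
        send_level = max(caller_level, arg_level)
        if send_level > self.level:
            raise FlowViolation(f"downward send to {self.name}")
        # The result is at least as secret as the callee and its inputs
        # (resolved eagerly here; a real system resolves futures asynchronously).
        return Future(max(self.level, send_level), self.methods[method](*args))

    @staticmethod
    def get(observer_level: int, fut: Future) -> Any:
        # Resolving a future is where a leak would surface: check the reader.
        if fut.level > observer_level:
            raise FlowViolation("HIGH future read by LOW observer")
        return fut.value

def attempt(thunk: Callable[[], Any]) -> Any:
    try:
        return thunk()
    except FlowViolation:
        return "blocked"

def scenario() -> Dict[str, Any]:
    # Constructed run: a HIGH vault and a LOW logger, both behind wrappers.
    vault = Wrapper("vault", HIGH, {"read": lambda: "s3cr3t"})
    logger = Wrapper("logger", LOW, {"log": lambda m: len(m)})
    fut = vault.call(LOW, "read")  # LOW may invoke a HIGH service ...
    return {
        "high_reads_high": attempt(lambda: Wrapper.get(HIGH, fut)),
        "low_reads_high": attempt(lambda: Wrapper.get(LOW, fut)),  # ... but not read it
        "high_sends_to_low": attempt(lambda: logger.call(HIGH, "log", "s3cr3t", arg_level=HIGH)),
        "low_logs_public": attempt(lambda: Wrapper.get(LOW, logger.call(LOW, "log", "hi"))),
    }
```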