DocumentCode
3371682
Title
Extended discretionary access controls
Author
Vinter, Stephen T.
Author_Institution
BBN Lab., Cambridge, MA, USA
fYear
1988
fDate
18-21 Apr 1988
Firstpage
39
Lastpage
49
Abstract
A discretionary access control mechanism proposed for a secure distributed operating system (DOS) being designed at BBN Laboratories is presented. The DOS is an object-oriented system that uses access control lists to authorize access to objects. Discretionary controls are implemented in a type-specific manner inside the managers of objects. Several extensions to conventional access control lists are proposed, including a limited form of privilege transfer, module interconnection control, support for direct operations roles, and restricted roles. A technique for automatically generating access control implementations is presented that is based on nonprocedural specifications, and an implementation approach is proposed that allows the generated code to be embedded with high assurance in untrusted object managers using hardware protection rings. The concepts and mechanisms are illustrated with a simple banking example.
Keywords
distributed processing; operating systems (computers); security of data; access control lists; banking; direct operations roles; discretionary access control mechanism; hardware protection rings; high assurance; module interconnection control; nonprocedural specifications; object-oriented system; privilege transfer; restricted roles; secure distributed operating system; type-specific manner; untrusted object managers; Access control; Authentication; Authorization; Hardware; Humans; Laboratories; Operating systems; Programming profession; Protection; Security;
fLanguage
English
Publisher
IEEE
Conference_Titel
Security and Privacy, 1988. Proceedings., 1988 IEEE Symposium on
Conference_Location
Oakland, CA
Print_ISBN
0-8186-0850-1
Type
conf
DOI
10.1109/SECPRI.1988.8096
Filename
8096