Úlfar Erlingsson
John MacCormick
Skip Abstract Section
Abstract
General-purpose, commercial software platforms are increasingly used as system building blocks, even for dependable systems. One reason for their generality, usefulness, and popular adoption is that these software platforms can evolve through ad hoc extensions: behavior tweaks outside the scope of supported platform interfaces. Unfortunately, such use of internal platform implementation details is fundamentally incompatible with security and reliability. Even so, platforms that exclude ad hoc extensions---for instance, by enforcing full isolation and strict interfaces---will, most likely, either have their security enforcement circumvented or be relegated to a niche market. In this paper, we identify ad hoc extensions as well as the economic and technical factors surrounding their existence. Subsequently, we propose the enforcement of novel access-control policies for reconciling ad hoc extensibility with security and reliability.
- R. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, 2001.]] Google Scholar
Digital Library
- M. Barnett, K. Leino, and W. Schulte. The Spec# programming system. In Proc. CASSIS'04, 2004.]]Google Scholar
- M. Barnett and W. Schulte. Runtime verification of .NET contracts. J. Syst. Softw., 65(3), 2003.]] Google ScholarDigital Library
- B. Bershad, S. Savage, P. Pardyak, E. Sirer, M. Fiuczynski, D. Becker, C. Chambers, and S. Eggers. Extensibility, safety and performance in the SPIN operating system. In Proc. SOSP'95, 1995.]] Google ScholarDigital Library
- M. Chen, E. Kiciman, A. Accardi, A. Fox, and E. Brewer. Using runtime paths for macroanalysis. In Proc. HotOS'03, 2003.]] Google ScholarDigital Library
- Citrix Systems, Inc. Citrix Terminal Services. http://www.citrix.com/.]]Google Scholar
- Citrix Systems, Inc. GoToMyPC. http://gotomypc.com/.]]Google Scholar
- J. Cooper. Special Edition Using MS-DOS 6.22. Que, 3 edition, 2001.]] Google ScholarDigital Library
- DaggerWare. HackMaster 0.9 for the original Palm Pilot. http://www.palmblvd.com/software/pc/HackMaster-1999-02-21-palm-pc.html.]]Google Scholar
- R. Daley and J. Dennis. Virtual memory, processes, and sharing in MULTICS. Commun. ACM, 11(5), 1968.]] Google ScholarDigital Library
- P. Efstathopoulos, M. Krohn, S. VanDeBogart, C. Frey, D. Ziegler, E. Kohler, D. Mazieres, and M. K. R. Morris. Labels and event processes in the Asbestos operating system. In Proc. SOSP'05, 2005.]] Google ScholarDigital Library
- Ú. Erlingsson, T. Roeder, and T. Wobber. Virtual environments for unreliable extensions. Technical Report MSR-TR-2005-82, Microsoft Research, 2005.]]Google Scholar
- Ú. Erlingsson and F. Schneider. IRM enforcement of Java stack inspection. In Proc. of 2000 IEEE Symposium on Security and Privacy, May 2000.]] Google ScholarDigital Library
- C. Flanagan, K. Leino, M. Lillibridge, G. Nelson, J. Saxe, and R. Stata. Extended static checking for Java. In Proc. PLDI'02, 2002.]] Google ScholarDigital Library
- L. Gong. Inside Java 2 Platform Security: Architecture, API Design, and Implementation. Addison-Wesley, 1999.]] Google ScholarDigital Library
- Google, Inc. Google Toolbar. http://toolbar.google.com/.]]Google Scholar
- G. Hoglund and J. Butler. Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional, 2005.]] Google ScholarDigital Library
- G. Hunt and D. Brubacher. Detours: Binary interception of Win32 functions. In Proc. of the 3rd USENIX Windows NT Symposium, 1999.]] Google ScholarDigital Library
- G. Hunt and J. Larus. Singularity design motivation. Technical Report MSR-TR-2004-105, Microsoft Research, Dec. 2004.]]Google Scholar
- M. Jones. Interposition agents: transparently interposing user code at the system interface. In Proc. SOSP'93, 1993.]] Google ScholarDigital Library
- D. Lafferty and V. Cahill. Language-independent aspect-oriented programming. In Proc. OOPSLA '03, 2003.]] Google ScholarDigital Library
- L. Lamport. Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers. Pearson Education, 2002.]] Google ScholarDigital Library
- B. Lampson. Protection. In Proc. 5th Princeton Conf. Information Sciences and Systems, 1971. Reprinted in ACM Op. Sys. Rev. 8, 1 (Jan. 1974), pages 18--24.]] Google ScholarDigital Library
- B. Lampson. Software components: Only the giants survive. In Computer Systems: Theory, Technology, and Applications: A Tribute to Roger Needham. Springer, 2004.]]Google Scholar
- B. Laurie and P. Laurie. Apache: The Definitive Guide. O'Reilly & Associates, 3 edition, 2002.]] Google ScholarDigital Library
- B. Liblit, M. Naik, A. Zheng, A. Aiken, and M. Jordan. Public deployment of cooperative bug isolation. In Proc. RAMSS'04, 2004.]]Google ScholarCross Ref
- K. Loney. Oracle Database 10g: The Complete Reference. McGraw-Hill Osborne Media, 2004.]] Google ScholarDigital Library
- J. P. Mello, Jr. Developer raps Linux security. LinuxInsider, January 11th, 2005.]]Google Scholar
- Microsoft Corp. Debugging tools and symbols. http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx.]]Google Scholar
- Microsoft Corp. Windows application compatibility. http://msdn.microsoft.com/compatibility/.]]Google Scholar
- Microsoft Corp. Frequently asked questions about Authenticode, 2000. http://msdn.microsoft.com/library/en-us/dnauth/html/signfaq.asp.]]Google Scholar
- T. Ming and S. Mitchell. Extension Overload. http://www.xoverload.com/extensionoverload/.]]Google Scholar
- G. Nebbett. Windows NT/2000 Native API Reference. New Riders Publishing, 2000.]] Google ScholarDigital Library
- G. Necula. Proof-carrying code. In Proceedings of the 24th ACM Symposium on Principles of Programming Languages, pages 106--119, January 1997.]] Google ScholarDigital Library
- W. Oney. Programming the Microsoft Windows Driver Model. Microsoft Press, 2 edition, 2002.]] Google ScholarDigital Library
- Open Systems Resources, Inc. Peter pontificates. The NT Insider, 11(4), Dec 2004. http://www.osronline.com/.]]Google Scholar
- J. Redstone, M. Swift, and B. Bershad. Using computers to diagnose computer problems. In Proc. HotOS'03, 2003.]] Google ScholarDigital Library
- M. Russinovich and B. Cogswell. SysInternals. http://www.sysinternals.com/.]]Google Scholar
- A. Schulman. Undocumented DOS: A programmer's guide to reserved MS-DOS functions and data structures. Addison-Wesley, 1990.]] Google ScholarDigital Library
- M. Seltzer, Y. Endo, C. Small, and K. Smith. Dealing with disaster: Surviving misbehaved kernel extensions. In Proc. OSDI'96, Oct. 1996.]] Google ScholarDigital Library
- E. Siever, A. Weber, and S. Figgins. Linux in a Nutshell. O'Reilly & Associates, 4 edition, 2003.]] Google ScholarDigital Library
- J. Siracusa. Mac OS X 10.4 Tiger: Kernel updates. Ars Technica, page 4, April 28th, 2005. http://arstechnica.com/reviews/os/macosx-10.4.ars/4.]]Google Scholar
- D. Solomon and M. Russinovich. Windows Internals. Microsoft Press, 4 edition, 2005.]]Google Scholar
- A. Srivastava, A. Edwards, and H. Vo. Vulcan: Binary transformation in a distributed environment. Technical Report MSR-TR-2001-50, Microsoft Research, 2001.]]Google Scholar
- A. Srivastava and A. Eustace. ATOM: A system for building customized program analysis tools. Technical Report WRL Research Report 94/2, Digital Equipment Corporation, 1994.]]Google ScholarDigital Library
- W. Stanek. Microsoft IIS 6.0 Administrator's Pocket Consultant. Microsoft Press, 2003.]] Google ScholarDigital Library
- J. Sugerman, G. Venkitachalam, and B. Lim. Virtualizing I/O devices on VMware Workstation's hosted virtual machine monitor. In Proc. USENIX'02, June 2001.]] Google ScholarDigital Library
- M. Swift, B. Bershad, and H. Levy. Improving the reliability of commodity operating systems. ACM Trans. Computer Systems, 22(4), Nov 2004.]] Google ScholarDigital Library
- Symantec Corp. Symantec Norton SystemWorks 2005. http://www.symantec.com/sabu/sysworks/basic/.]]Google Scholar
- Symantec Corp. Veritas Backup Exec. http://www.veritas.com/.]]Google Scholar
- Unsanity LLC. APE Application Enhancer. http://www.unsanity.com/haxies/ape/.]]Google Scholar
- H. Wang, J. Platt, Y. Chen, R. Zhang, and Y. Wang. Automatic misconfiguration troubleshooting with PeerPressure. In Proc. OSDI'04, 2004.]] Google ScholarDigital Library
- Y. Wang, C. Verbowski, J. Dunagan, Y. Chen, H. Wang, C. Yuan, and Z. Zhang. STRIDER: A black-box, state-based approach to change and configuration management and support. In Proc. LISA, 2003.]] Google ScholarDigital Library
- I. Welch and R. Stroud. Kava - A reflective Java based on bytecode rewriting. In Proc. 1st OOPSLA Workshop on Reflection and Software Engineering, 1999.]] Google ScholarDigital Library
- Wily Technology, Inc. Interscope. http://www.wilytech.com/solutions/products/Introscope.html.]]Google Scholar
- E. Witchel, J. Rhee, and K. Asanovic. Mondrix: Memory isolation for Linux using Mondriaan memory protection. In Proc. SOSP'05, 2005.]] Google ScholarDigital Library
- F. Yuan. Windows Graphics Programming: Win32 GDI and DirectDraw. Prentice Hall, 2001.]]Google Scholar
Index Terms
- Ad hoc extensibility and access control
Recommendations
Opportunistic media access control and routing for delay-tolerant mobile ad hoc networks
In delay-tolerant mobile ad hoc networks, motion of network nodes, network sparsity and sporadic density can cause a lack of guaranteed connectivity. These networks experience significant link delay and their routing protocols must take a store-and-...
Efficient on-demand routing for mobile ad hoc wireless access networks
In this paper, we consider a mobile ad hoc wireless access network in which mobile nodes can access the Internet via one or more stationary gateway nodes. Mobile nodes outside the transmission range of the gateway can continue to communicate with the ...
Joint design of routing and medium access control for hybrid mobile ad hoc networks
Efficient routing and medium access control (MAC) are very important for Mobile Ad hoc Networks (MANETs). Most existing routing and MAC protocols consider homogeneous ad hoc networks, in which all nodes are modeled as the same, i.e., they have the same ...
Comments