A Module System for Isolating Untrusted Software Extensions

Philip Fong
University of Regina

Simon Orr
University of Regina

With the recent advent of dynamically extensible software
systems, in which software extensions may be dynamically loaded into
the address space of a core application to augment its capability,
there is a growing interest in protection mechanisms that can isolate
untrusted software components from a host application. Existing
language-based environments such as the JVM and the CLI achieve
software isolation by an interposition mechanism known as stack
inspection. Expressive as it is, stack inspection is known to lack
declarative characterization and is brittle in the face of evolving
software configurations.

In this paper, a run-time module system, IsoMod, is proposed for the
Java platform to facilitate software isolation. A core application
may create namespaces dynamically and impose arbitrary name visibility
policies to control whether a name is visible, to whom it is visible,
and in what way the name can be accessed. Because IsoMod exercises
name visibility control at load time, loaded code runs at full speed.
Furthermore, because IsoMod access control policies are maintained
separately, they evolve independently from core application code. In
addition, the IsoMod policy language provides a declarative means for
expressing a very general form of visibility constraints. Not only
can the IsoMod policy language simulate a sizable subset of
permissions in the Java 2 security architecture, it does so with
policies that are robust to changes in software configurations. The
IsoMod policy language is also expressive enough to completely encode
a capability type system known as Discretionary Capability
Confinement. In spite of its expressiveness, the IsoMod policy
language admits an efficient implementation strategy. In short,
IsoMod avoids the technical difficulties of interposition by trading
off an acceptable level of expressiveness. Therefore, name visibility
control in the style of IsoMod is a lightweight alternative for
language-based access control.

Keywords: language-based security, access control, untrusted software extension, module system, name visibility control
