Providing fine-grained access control for Java programs via binary editing

Abstract

SUMMARY There is considerable interest in programs that can migrate from one host to another and execute. Mobile programs are appealing because they support efficient utilization of network resources and extensibility of information servers. However, since they cross administrative domains, they have the ability to access and possibly misuse a host’s protected resources. In this paper, we present a novel approach for controlling and protecting a site’s resources. In this approach, a site uses a declarative policy language to specify a set of constraints on accesses to resources. A set of code transformation tools enforces these constraints on mobile programs by integrating the access constraint checking code directly into the mobile program and resource definitions. Using this approach, a site does not need to explicitly include calls to reference monitors in order to protect resources. The performance analysis show that the approach performs better than reference monitor-based approaches in many cases. Copyright © 2000 John Wiley & Sons, Ltd.