Security Enhanced Java: Mandatory Access Control for the Java Virtual Machine

Benjamin Venelle, Jérémy Briffaut, Laurent Clevy, C. Toinard
Published in: 16th IEEE International Symposium on Object/component/service-oriented Real-time distributed Computing (ISORC 2013)
Publication date: 2013-06-19
DOI: 10.1109/ISORC.2013.6913208 (https://doi.org/10.1109/ISORC.2013.6913208)
Citations: 5

Abstract

Since the 1970s, and despite its operational complexity, Mandatory Access Control (MAC) has demonstrated its reliability in enforcing integrity and confidentiality. Surprisingly, Java technology, despite its popularity, has not yet adopted this protection principle. Current security features within the JVM (JAAS and the bytecode verifier) can be bypassed, as demonstrated by the summer 2012 attacks. Thus, a MAC model for Java and a cross-platform reference monitor are required for the Java Virtual Machine. Security Enhanced Java (SEJava) dynamically controls the information flows between all Java objects without requiring either bytecode or source code instrumentation. The main idea is to consider Java types as security contexts, and method calls and field accesses as permissions. SEJava allows fine-grained MAC rules between Java objects. Thus, SEJava controls all the information flows within the JVM. Our implementation is faster than concurrent approaches while allowing both finer and more advanced controls. A use case shows that SEJava protects efficiently against Common Vulnerabilities and Exposures.