Embedding security enforcement code into applications is an alternative to traditional security mechanisms. This dissertation supports the thesis that such Inlined Reference Monitors, or IRMs, offer many advantages and are a practical option in modern systems. IRMs enable flexible general-purpose enforcement of security policies, and they are especially well suited for extensible systems and other non-traditional platforms. IRMs can exhibit similar, or even better, performance than previous approaches and can help increase assurance by contributing little to the size of a trusted computing base. Moreover, IRMs' agility in distributed settings allows for their cost-effective and trustworthy deployment in many scenarios. In this dissertation, IRM implementations are derived from formal automata-based specifications of security policies. Then, an IRM toolkit for Java is described in detail. This Java IRM toolkit uses an imperative policy language that allows a security policy, in combination with the details of its enforcement, to be given in a single complete specification. Various example policies, including the stack-inspection policy of Java, illustrate the approach. These examples shed light on practical issues in policy specification, the support needed from an IRM toolkit, and the advantages of the IRM approach.
展开▼
