The invention relates to an access control system and method, to a component-based kernel including said access control system, and to its use in communication and/or broadcasting network station operating systems. The component-based kernel can in particular be used in operating systems of mobile telecommunication network user stations, known as terminals.
Telecommunication networks and terminals are increasingly dynamic: downloading code, customizable functions, etc. To address this, systems must be increasingly open, adaptable, and reconfigurable, which puts security at risk. Terminal reconfigurability has recently been extended to encompass the operating system, on which protection of the system as a whole is based. Protecting network and terminal resources is therefore critical for service and infrastructure providers if they are to earn and keep the confidence of their customers.
Mechanisms for enforcing the security policy of the system grouping together all elements critical to network and terminal security (known as the confidence base) must guarantee the following properties:
It is difficult to find a fair balance between these often mutually-contradictory properties.
Compromises have nevertheless already been proposed, and have proved more or less satisfactory as a function of the design parameters used: type of kernel, security model, location of the protection mechanism. The emphasis in onboard systems, in particular in mobile telecommunication network terminals, is currently on expandable kernels with a single addressing space, for example SPIN: easy to reconfigure, easier to certify (minimal kernels containing only indispensable services), but vulnerable to attack. Component-based kernels such as Think, described in the paper “Think: a Software Framework for Component-Based Operating System Kernels” by J. P. Fassino, J. B. Stefani, J. Lawall, and G. Muller, USENIX Annual Technical Conference, June 2002, provide greater flexibility by means of a more homogeneous architecture model: the whole of the kernel is assembled from individual reconfiguration units, i.e. components. The performance obtained is comparable to that of standard systems. However, these kernels offer nothing in terms of security. Access policies intended to make them more secure have explored many security properties, from confidentiality or integrity to separation of privileges. The multiplicity of models reflects a lack of consensus, which is addressed by policy-neutral authorization mechanisms. The benefit lies in being able to support multiple policies and federate them using a common mechanism, for example the component-based kernel security architecture of T. Jarboui, J. P. Fassino, and M. Lacoste described in the paper “Reconfigurable Access Control for Component-Based OS Kernels”, E2R Workshop on Reconfigurable Mobile Systems and Networks beyond 3G, IEEE International Symposium on Personal, Indoor and Mobile Radio Communications, September 2004. 
Different locations of the protection mechanism have been envisaged in order to optimize the compromise between the various properties to be guaranteed: at the hardware level (for example a memory management unit (MMU) confines applications by defining addressing spaces), or in secure languages such as Java, which provide complete mediation and relatively flexible solutions for easy implementation of fine-grain access control, but are relatively weak from the security point of view. The closer the protection mechanism is to the kernel, the more secure the system (because the mechanism is less likely to be bypassed) but, in contrast, the more complex the reconfiguration process.
Whether applied to monolithic kernels or microkernels, the protection techniques implemented in current operating systems essentially rely on the addressing space concept. Monolithic kernels suffer from complexity, which generates security weaknesses going as far as corruption of the operating system. Microkernels suffer from execution overheads that are incompatible with lightweight mobile terminals. Finally, these systems are characterized by the impossibility of providing fine-grain protection and the fixed nature of the security architectures (no choice of security mechanism location, making it impossible to adapt protection as a function of the required property: simple use, compatibility with existing code, performance or high security).
Of all the paths explored in recent years, the approach to access control as applied to component-based kernels described by T. Jarboui et al. (see above reference) seems to succeed in maintaining the delicate balance between reconfigurability and security. The proposed security model uses a reference monitor and a security policy manager, thus splitting access control between the decision-taking and implementation mechanisms. Fine-grain access control is achieved by distributing reference monitors between components. This architecture should instill confidence (minimal kernels), at the same time as allowing simple adaptation of the system to changes occurring during its life cycle without compromising its security, the component being both a security unit and a reconfiguration unit. However, apart from the multiplicity of reference monitors, this architecture has the drawback that it degrades performance because systematic control of access to resources involves the reference monitor, with no possibility of optimization, for example through hardware-only control. Moreover, with this approach, because it is still possible to forge memory references directly and to access all the data and code of the kernel, it is not possible to prevent bypassing, to make the reference monitor inviolable or to assure the integrity of the security policy manager.
The present invention achieves a compromise between high security and reconfigurability without recourse to the costly concept of addressing space. This compromise is achieved by combining access control decision means and an access protection mechanism for protecting access to a set of objects, whether they are secured or not.
One aspect of the invention is a system for controlling access by subjects to secured or non-secured objects for operations, the system comprising an access protection mechanism for authorizing or denying access by a requesting subject to an object depending on the validity of the corresponding capacity to access said object, and access control decision means for allocating capacities for access to a non-secured object and modifying the access capacities to a secured object as a function of the rights of the subject to access the object. The access protection mechanism prevents bypassing of the access control decision means by calling said access control decision means if the capacity to access an object is invalid. Diverse security policies can be supported because of this clear split between decision implementation by the access protection mechanism and decision making by the access control decision means.
To enable fine-grain access control, the access control system can include means for intercepting requests to access certain predetermined objects.
The access protection mechanism can be a memory management unit (MMU) available off the shelf or a two-bit table with one bit representing the object reading capacity and the other bit representing the object writing capacity, which enables a compact representation of the security policy. Using a two-bit table rather than an MMU reduces manufacturing, use, and implementation costs at the same time as improving performance (by at least around 3% on modern processors). These advantages are especially critical in mobile onboard environments.
To go beyond fixed security architectures, and for security policy to be able to evolve, the access control decision means can add, modify, or eliminate access rights.
Another aspect of the invention is a method of controlling access to objects by subjects for operations, the method comprising the following steps:
Thus certain objects have high security and others reflect a compromise between reconfigurability and security.
In order to be able to provide fine-grain access control, the protection step can include, if the subject requests access for an operation to an object having operations that do not all have the same access rights:
The invention further consists in a component-based kernel, each component including code and data, said kernel comprising:
Using a component-based kernel ensures total control of the complexity of the system architecture in terms of implementation and configuration.
To enable the access protection hardware mechanism to assign and manipulate access rights and to detect access to objects with invalid capacities, the component-based kernel can be organized into a plurality of segments, each consisting of a continuous series of memory areas:
The invention also consists in a method of fabricating the above component-based kernel, the method comprising the following steps:
The invention proposes using this component-based kernel in communication network and/or multimedia data broadcasting station operating systems.
The features and advantages of the invention become more clearly apparent on reading the following description, which is given by way of example, and from the figures to which it refers, in which:
FIG. 1 is a block diagram showing a set of objects access to which is controlled by an access control system of the invention;
FIG. 2 shows an example of segmentation of a memory that contains objects and is used by an access protection mechanism of the access control system of the invention;
FIG. 3 shows a different example of segmentation in accordance with the invention of a portion of a memory containing homogeneous secured objects;
FIG. 4 is a block diagram showing one example of the architecture of a mechanism for protecting a secure object in accordance with the invention;
FIG. 5 is a detailed block diagram of interception means conforming to the invention; and
FIG. 6 is a block diagram of an example of an access control method of the invention.
The application selected to illustrate the access control system and method is to a component-based kernel. The components C 1 . . . C q are entities that encapsulate both code 30 1 . . . 30 q and data 40 1 . . . 40 q . They can be assigned an identity and appear in software systems in the form of execution, configuration and administration, deployment, or mobility units. They enable system designers to control the complexity of software infrastructure implementation and configuration. They interact with their environment via a set of operations, also known as methods, grouped at access points known as interfaces.
FIG. 1 shows a system of the invention for controlling access to objects, whether secured or not, by subjects S for given operations m ij, 1≤i≤q . Those objects C 1 . . . C q , 10 , 11 PA , 20 m+1 . . . 20 q are passive entities that contain and receive information. In the present example of a component-based kernel, the objects C 1 . . . C q , 10 , 11 PA , 20 m+1 . . . 20 q are components. The subjects S are active entities that initiate a flow of information between the objects C 1 . . . C q , 10 , 11 PA , 20 m+1 . . . 20 q and change the state of the system. The access control system includes an access protection mechanism PA for authorizing or denying access by a requesting subject S to an object C 1 . . . C q , 10 , 11 PA , 20 m+1 . . . 20 q depending on the validity of the corresponding capacity to access said object. Access protection can be managed by an object 11 PA within the access protection mechanism PA. This access protection management object 11 PA groups the access capacities corresponding to each object C 1 . . . C q , 10 , 11 PA , 20 m+1 . . . 20 q and/or to each operation m ij that can be performed on each object. The access control system further includes access control decision means 10 for validating and modifying the validity of the capacities for access to the secured objects C n+1 . . . C q as a function of the rights of the subject S to access the objects C n+1 . . . C q in accordance with the defined security policy. The access protection mechanism PA calls said decision means 10 if the access capacities are invalid. This access control system clearly separates:
The security policy associates with a pair comprising a subject S and an object C i access rights defining the operations m ij that the subject S can effect on the object C i .
The access control system can further include means 20 m+1 . . . 20 q for intercepting requests to access certain predetermined objects C m+1 . . . C q . Respective interception means 20 i, m+1≤i≤q are associated with each predetermined object C i . For the predetermined objects C m+1 . . . C q , the control system also clearly separates:
Thus the control system proposes two types of access control: coarse-grain access control by the combination of the access protection mechanism PA and the decision means 10 , and fine-grain access control by the combination of the interception means 20 m+1 . . . 20 q and the decision means 10 . The decision means 10 are common to coarse-grain and fine-grain access control, enabling the implementation of a unified security policy applicable to the system as a whole.
The objects C 1 . . . C q , 10 , 11 PA , 20 m+1 . . . 20 q can be classified into four categories according to the type of access control applied to them (coarse grain, fine grain, hardware control, etc.) and as a function of their security level, as follows:
Control objects 10 , 11 PA : The objects 10 , 11 PA in this category manage access control policy and access protection and cannot be accessed by the executing subjects S. Thus no access capacity to the control objects 10 , 11 PA is ever created. Accordingly, in the event of access to these control objects, the access protection mechanism PA calls on the decision means 10 , which systematically deny access. In the kernel example, these objects or components 10 , 11 PA are executed in supervisor mode.
Non-secured objects NS {C 1 . . . C n }: Access to these objects C 1 . . . C n is always authorized. In the event of access to them, no verification of access rights is effected and access capacities are always granted. Thus at the time of the first access the access protection mechanism PA calls the decision means 10 , which systematically allocate the capacity to access this category of objects NS {C 1 . . . C n }, as shown by the double-headed arrow in chain-dotted line in FIG. 1. Thereafter, the capacity being valid, the decision means 10 are not invoked for the non-secured objects C 1 . . . C n because the capacity to access them is always granted, and therefore automatically validated: the access protection mechanism PA authorizes access to the objects C 1 . . . C n .
Homogeneous secured objects SHM {C n+1 . . . C m }: All operations m ij on an object C n+1 . . . C m have the same access rights. The access decision is taken only once, on the first invocation or on the first access to the data 40 n+1 . . . 40 m of the object. Thus at the time of the first access the access protection mechanism PA calls the decision means 10 , which allocate the capacity to access a homogeneous secured object C n+1 . . . C m if the access rights allow this (double-headed arrow in dashed line in FIG. 1). Thereafter, if the capacity is valid, the access protection mechanism PA authorizes access to the object. The access capacity remains valid until revoked by the decision means 10 .
Heterogeneous secured objects SHT {C m+1 . . . C q }: The operations m ij on such an object do not all have the same access rights. An access decision is taken on each invocation I j . Access control in this category is of finer grain (operation m ij level) than access control of homogeneous secured objects (object level). Heterogeneous secured objects can therefore be the predetermined objects whose access requests are intercepted by the interception means 20 m+1 . . . 20 q . To prevent illicit access, the access protection mechanism PA is also used for such an object (cf. FIG. 6, steps [S 5 -S 8 ]). If the subject S addresses the heterogeneous secured object C m+1 . . . C q directly, the access protection mechanism PA calls the decision means 10 , which systematically keep the access capacity invalid, as shown by the double-headed arrow in solid line in FIG. 1. Access is not authorized, so the interception means 20 m+1 . . . 20 q cannot be bypassed. If the subject S addresses the interception means 20 m+1 . . . 20 q to invoke an operation m ij on a heterogeneous secured object C m+1 . . . C q , the interception means 20 m+1 . . . 20 q call the decision means 10 , which allocate or refuse a capacity to access the object. If the access capacity has been validated, the interception means 20 m+1 . . . 20 q invoke the operation m ij and then call the decision means 10 again, which invalidate the access capacity, thereby limiting the access of the subject S to the operation m ij for which it was granted and preventing reuse of the capacity in subsequent invocations.
The benefit of two secured object categories is that this improves performance because passage through the interception means 20 i can be minimized to the degree that it is not necessary to use the interception means 20 i at all with the homogeneous secured objects C n+1 . . . C m . Access is nevertheless verified anyway, by the access protection mechanism PA at least.
The access protection mechanism PA can be a hardware mechanism. In particular, with a kernel, the access protection mechanism PA can be a memory access protection mechanism. A memory area is the smallest contiguous entity of physical memory with which it is possible to associate individually the read or write access rights referred to as access capacities. The access protection mechanism PA must be able to allocate and manipulate access capacities for each memory area and to detect access to memory areas whose access capacities are invalid via an “area defect” exception.
The access capacities are used to detect illicit direct access at object level. This access control is effected by means of the access protection mechanism PA. The memory management unit (MMU) offered by modern processors satisfies these requirements if a memory area is taken to be an MMU page and no distinction is made between virtual addresses and physical addresses. The memory address of a component is therefore the same for all subjects. The MMU mechanism is nevertheless costly to use and to implement, mainly in terms of the memory footprint of the page tables. The access control system of the invention in reality requires only a small portion of the functions offered by this mechanism, in particular the access control functions. To represent access capacities, an access protection mechanism PA could therefore make do with two bits (read and write) rather than the 32 or 64 bits used by memory management units. The access protection mechanism PA would then use a table containing 2 bits for each operation on an object, one bit representing the read capacity and the other bit representing the write capacity.
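The coarse-grain path described above (two-bit read/write capacities per memory area, the four object categories, and the decision means reached only through the "area defect" path) modelled in C. This is an added example, not code from the patent or from the Think kernel; the area layout, the SHM rights and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define NAREAS 8

/* Object categories of the description: control, non-secured, homogeneous
 * secured, heterogeneous secured (one object per memory area in this model). */
enum category { CAT_CTRL, CAT_NS, CAT_SHM, CAT_SHT };

/* Two-bit capacity: bit 0 = read capacity, bit 1 = write capacity. */
#define CAP_R 0x1u
#define CAP_W 0x2u

/* Constructed memory layout: the category each area belongs to. */
static const enum category area_cat[NAREAS] = {
    CAT_CTRL, CAT_CTRL, CAT_NS, CAT_NS, CAT_SHM, CAT_SHM, CAT_SHT, CAT_SHT
};

/* Constructed security policy for SHM areas: subject 1 may read and write,
 * every other subject may only read. Other categories never consult rights here. */
static uint8_t shm_rights(int subject) {
    return subject == 1 ? (CAP_R | CAP_W) : CAP_R;
}

/* Access protection mechanism PA: the 2-bit table plus a counter of how often
 * the decision means had to be invoked (the cost the categories try to minimise). */
struct pa {
    uint8_t cap[NAREAS];
    int decision_calls;
};

static void pa_init(struct pa *pa) { memset(pa, 0, sizeof *pa); }

/* Decision means: reached only when the capacity for the requested operation
 * is invalid. Returns true if access may proceed. */
static bool decide(struct pa *pa, int subject, int area, uint8_t op) {
    pa->decision_calls++;
    switch (area_cat[area]) {
    case CAT_CTRL:                      /* control objects: systematically denied */
        return false;
    case CAT_NS:                        /* non-secured: capacity always allocated */
        pa->cap[area] = CAP_R | CAP_W;
        return true;
    case CAT_SHM:                       /* homogeneous secured: decide once, keep capacity */
        if (shm_rights(subject) & op) { pa->cap[area] |= op; return true; }
        return false;
    case CAT_SHT:                       /* heterogeneous secured: direct access never valid */
        return false;
    }
    return false;
}

/* PA check performed on every access: a valid capacity costs no decision call. */
static bool pa_access(struct pa *pa, int subject, int area, uint8_t op) {
    if (pa->cap[area] & op) return true;
    return decide(pa, subject, area, op);            /* "area defect" exception */
}

/* Revocation by the decision means invalidates the area's capacities. */
static void pa_revoke(struct pa *pa, int area) { pa->cap[area] = 0; }

/* Scenario: non-secured area 2 costs exactly one decision call, then is free. */
static int scenario_ns_decision_calls(void) {
    struct pa pa; pa_init(&pa);
    if (!pa_access(&pa, 0, 2, CAP_W)) return -1;
    if (!pa_access(&pa, 0, 2, CAP_R)) return -1;
    if (!pa_access(&pa, 0, 2, CAP_W)) return -1;
    return pa.decision_calls;                         /* 1 */
}

/* Scenario: SHM area 4 for subject 0 (read-only rights): read granted, write
 * denied, cached read free, and after revocation the read is decided again. */
static int scenario_shm_read_only(void) {
    struct pa pa; pa_init(&pa);
    bool r1 = pa_access(&pa, 0, 4, CAP_R);           /* decided: granted */
    bool w  = pa_access(&pa, 0, 4, CAP_W);           /* decided: denied */
    bool r2 = pa_access(&pa, 0, 4, CAP_R);           /* capacity valid: no decision */
    pa_revoke(&pa, 4);
    bool r3 = pa_access(&pa, 0, 4, CAP_R);           /* decided again */
    if (!(r1 && !w && r2 && r3)) return -1;
    return pa.decision_calls;                         /* 3 */
}

/* Scenario: control and heterogeneous areas are never reachable directly. */
static bool scenario_direct_access_denied(void) {
    struct pa pa; pa_init(&pa);
    return !pa_access(&pa, 1, 0, CAP_R) && !pa_access(&pa, 1, 6, CAP_R)
        && pa.cap[0] == 0 && pa.cap[6] == 0;
}
```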
With a component-based kernel, to simplify management of the access protection object 11 PA , the components C 1 . . . C q , 10 , 11 PA , 20 m+1 . . . 20 q in memory can be organized into segments ( 1 , 2 , 3 , 4 1 , . . . 4 q ), as shown in FIG. 2. A segment is a continuous series of memory areas. The following types of segments in particular can be defined:
A supervisor segment 1 including the code and data of the control components 10 and 11 PA . This segment is accessible only in supervisor mode, ensuring complete mediation of the access control system and the integrity of access capacities and rights.
A segment 2 including all the interception means 20 m+1 . . . 20 q ; this segment makes it possible to verify that a call to the decision means 10 really comes from the interception means 20 m+1 . . . 20 q , by checking that the address Mx of the caller's invocation instruction is in fact situated in segment 2 . This segment is declared read-only in order to prevent insertion of malicious code into the call sequence and to protect the integrity of the reference to the encapsulated component C m+1 . . . C q .
Declaring a segment read-only amounts to allocating it only reading capacities. If a segment is formed of more than one memory area, it is necessary to allocate one capacity for each area.
A segment 3 including the codes 30 1 . . . 30 q of the remaining components C 1 . . . C q to prevent violation of the integrity of the code. This segment 3 is declared as read-only.
A segment 4 1 including the data 40 1 . . . 40 n of the non-secured components C 1 . . . C n . This segment 4 1 is declared in read mode and in write mode.
For each of the secured components C n+1 . . . C q , a segment 4 n+1 . . . 4 q including its data 40 n+1 . . . 40 q .
FIG. 3 shows an alternative way of segmenting the set SHM of homogeneous secured components. The data ( 40 n+1 . . . 40 j ) . . . ( 40 I+1 . . . 40 m ) of the homogeneous components (C n+1 . . . C j ) . . . (C I+1 . . . C m ) subject to the same rights can be grouped in a common segment 4 n+1 . . . 4 I+1 and allocated the same capacities. This option optimizes memory by reducing the number of segments, and therefore reduces the number of areas, because a plurality of components can be situated in the same area.
The access control system can in particular be implemented in a flexible component-based operating system such as the “Think” kernel based on the Fractal component-based model described in the paper “Recursive and Dynamic Software Composition with Sharing” by E. Bruneton, T. Coupaye and J. B. Stefani, Seventh International Workshop on Component-Oriented Programming, 2002. The benefit of using a Fractal component-based kernel is that it enables clear separation between the decision means and the access control means, known as a “policy-neutral” approach.
“Think” specifies an interface description language (IDL) for defining the interfaces used by a component C i . The IDL compiler can be used to generate interception means 20 i for intercepting invocations. To represent the composition of the components C i , “Think” defines an architecture description language (ADL) for specifying the interfaces provided and required by each component C i and allocating a security controller to each component C i , i.e. interception means 20 i for heterogeneous secured components or objects C m+1 . . . C q .
“Think” provides the components 11 PA for manipulating hardware resources, for example a memory management unit, used to implement the hardware access protection mechanism PA. The allocation of access capacities is reflected in manipulation of permissions at the level of the page tables managed by the memory management unit 11 PA .
FIG. 4 is a logical view of the architecture of decision means 10 and interception means 20 i of the control system of the invention. This combination is used to control access to the heterogeneous secured objects SHT. Each heterogeneous secured object C i, m+1≤i≤q is associated with respective interception means 20 i . The interception means 20 i supervise the content of the objects C i to be protected by filtering incoming calls I. In effect, the role of the interception means 20 i is to intercept invocations I of operations of that object C i by effecting a call sequence to the decision means 10 . The call sequence received by the decision means 10 at the interface V can be as follows:
At the end of invocation, to prevent its re-use in new invocations or on direct access to the data 40 i , the access capacity must be revoked by effecting a call to the operation Revoke M of the decision means 10 . This can be achieved by atomic execution of the call sequence, which can be effected by denying dynamic modification of the code 20 C i of the interception means 20 i. The decision means 10 therefore export via the interface V (see FIG. 4) two operations Check M and Revoke M which, for the kernel, are effected via a call to the supervisor, because the component including the decision means 10 is a control component. To prevent the application code from usurping rights, only the interception means 20 i can invoke these two operations. The decision means 10 verify if the call to the operations of the interface V in fact emanated from the interception means 20 i in the step [S 10 ] of the process shown in FIG. 6, for example by verifying that the call did in fact emanate from the segment 2 in FIG. 2.
For the “Think” component-based kernel based on the Fractal model, the interception means 20 i are connected to the decision means 10 via two interfaces V and A that are independent of the authorization module. Access control is based on security contexts assigned both to the objects C i and to the subjects S. The decision means 10 maintain a table of the security contexts of the subjects S and another table of the security contexts of the objects C i. The calculation means 103 calculate permissions as a function of the authorization policy; the permissions are held in an access matrix managed by the administration means 102 .
The component constituting the decision means 10 can therefore include three primitive components:
The decision means 10 are also solicited by the access protection mechanism PA on detecting access to a memory area whose capacity is invalid, which can arise if the access is illicit or with a homogeneous secured object C i, n+1≦i≦m. The decision means 10 must then determine the access rights of the subject S. If it has the rights, the decision means 10 allocate an access capacity to the subject S, and execution thereof continues. Otherwise, the access capacity remains invalid, access is denied, and execution of the subject S is stopped.
The decision means 10 can also control access to the registers of hardware components such as a network peripheral device, a graphics card, etc. Their interface A includes administrative operations for adding, modifying and eliminating access rights.
A better compromise between high security and reconfigurability results from combining two advantages: the component-based approach, which yields an access control mechanism clearly separating the access control decision means from the mechanisms protecting access to the set of components, secured or not, of an operating system; and a hardware memory protection mechanism, which prevents bypassing of the access protection mechanism.
FIG. 5 is a block diagram showing in detail the interception means 20 i of the invention. The invocations I 1 , I 2 and I 3 (I j, j=1 . . . 3 ) to the object C i are intercepted by the interception means 20 i , which execute respective operations m i1 , m i2 and m i3 that call the decision means 10 , which allocate access or not, enabling execution of these operations on the data of the object C i where appropriate.
The access control system obtained in this way offers flexible access control for warning a kernel of certain attacks:
The access control system is independent of the access control model and policy. It enables dynamic reconfiguration of the authorization policy, in particular by changing the calculation component 103 .
FIG. 6 is a block diagram of the access control method of the invention: it summarizes a sequence of steps executed to process a request to access an object C i. This access control method can be executed by the access control system described above.
On starting up, a subject S has no access capacity relating to objects: in an operating system with a component-based kernel, the subject S has no access capacity in relation to the components C i of the system, to be more precise relative to any memory area. The subject S has to acquire access capacities to the objects that it requires for its execution. Thus if the subject S wishes to access an object for which it does not yet have an access capacity, it requests the decision means 10 to assign it that capacity, either via the interception means 20 i with a heterogeneous secured object C i, m+1≤i≤q or by detecting access to a homogeneous secured object C i, n+1≤i≤m by the access protection mechanism PA (generation of the “area defect” exception). It is therefore possible to distinguish two execution sequences:
When this method is executed by the above access control system, the decision means 10 verify the category of the object [S 5 ], where appropriate verify the access rights [S 6 ], and where appropriate allocate the capacity for access from the subject S to the requested object C i [S 7 ], and the access protection mechanism PA authorizes access [S 2 ] or not [S 8 ] depending on the validity of the access capacity.
The second sequence corresponds to a subject S SHT invoking an operation m ij on a predetermined object C i , i.e. an object C i that has been associated with individual protection means (for example the heterogeneous secured objects C i having the benefit of the interception means 20 i ). The request S SHT must pass through the interception means 20 i , which effect a call I RM (in the application to the operating system, a call to the supervisor mode of the processor in the form of an “SHT verification”) and execute an operation Check M to verify the access rights [S 11 ]. The identification step [S 10 ] is effected first: if the Check M call did not emanate from the interception means 20 i , access is denied [S 8 ]. Otherwise, the operation Check M determines the rights of the subject S SHT to access the operation m ij of the object C i [S 11 ]. If the subject S SHT does not have the required rights, access is denied [S 8 ]. Otherwise, an access capacity is allocated [S 12 ]. In an implementation by the above access control system, the decision means 10 , which have verified that the call in fact emanated from the interception means 20 i [S 10 ] and have also verified the access rights [S 11 ], call the access protection mechanism PA in order to allocate the capacity [S 12 ] (as shown by the dashed line box illustrating the action of the access protection mechanism PA). The call in supervisor mode terminates after allocation of the capacity (as indicated by the cross-hatched areas in FIG. 6 illustrating the supervisor mode). The interception means 20 i call the required operation m ij of the encapsulated object C i [S 13 ] and then resume control by calling the operation Revoke M [S 14 ]. In the above control system, the operation Revoke M is an operation of the decision means 10 which, in the application to an operating system, is called in supervisor mode (S cancellation).
After invalidation of the access capacity, the processor exits the interception means 20 i and returns to user mode.
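The fine-grain sequence of FIG. 4 and FIG. 6 (interception means running Check M, the invocation and Revoke M, with the decision means accepting those operations only from a caller address inside segment 2) modelled in C. Added example, not the patent's or Think's code; the segment 2 address range, the rights table and the step labels in comments are constructed assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed address range of segment 2 (read-only segment holding the
 * interception code); a caller outside it is not an interception means. */
#define SEG2_BASE 0x2000u
#define SEG2_END  0x3000u
#define NSUBJ 2
#define NOPS  3

enum mode { USER_MODE, SUPERVISOR_MODE };

/* Decision means 10 for one heterogeneous secured object: per-subject,
 * per-operation rights, the object's current data capacity, and counters. */
struct decision {
    bool rights[NSUBJ][NOPS];
    bool cap_valid;
    enum mode mode;
    int forged_callers;      /* CheckM/RevokeM calls rejected in [S10] */
};

static bool in_segment2(uint32_t caller_pc) {
    return caller_pc >= SEG2_BASE && caller_pc < SEG2_END;
}

/* Interface V, operation CheckM: identification [S10], rights [S11], capacity [S12].
 * Runs as a call to the supervisor; returns false when access is denied [S8]. */
static bool check_m(struct decision *d, uint32_t caller_pc, int subject, int op) {
    d->mode = SUPERVISOR_MODE;
    bool ok = false;
    if (!in_segment2(caller_pc)) {
        d->forged_callers++;
    } else if (d->rights[subject][op]) {
        d->cap_valid = true;
        ok = true;
    }
    d->mode = USER_MODE;
    return ok;
}

/* Interface V, operation RevokeM [S14]: only an interception means may revoke. */
static void revoke_m(struct decision *d, uint32_t caller_pc) {
    d->mode = SUPERVISOR_MODE;
    if (in_segment2(caller_pc)) d->cap_valid = false;
    else d->forged_callers++;
    d->mode = USER_MODE;
}

/* Operation m_ij of the encapsulated object: touches the data area, which the
 * PA only permits while the capacity is valid (otherwise an area defect). */
static int object_op(const struct decision *d, int op, int data[NOPS]) {
    if (!d->cap_valid) return -1;
    data[op] += 1;
    return data[op];
}

/* Interception means 20_i: atomic sequence CheckM -> invoke [S13] -> RevokeM.
 * Its own code address lies inside segment 2 by construction. Returns -1 if denied. */
static int intercept(struct decision *d, int subject, int op, int data[NOPS]) {
    uint32_t my_pc = SEG2_BASE + 0x10u * (uint32_t)op;
    if (!check_m(d, my_pc, subject, op)) return -1;
    int result = object_op(d, op, data);
    revoke_m(d, my_pc);          /* the capacity cannot be reused after the invocation */
    return result;
}

/* Constructed policy: subject 0 may invoke m_i1 only, subject 1 may invoke all three. */
static void policy_init(struct decision *d) {
    *d = (struct decision){ { {true, false, false}, {true, true, true} }, false, USER_MODE, 0 };
}

/* Scenario: an authorised invocation succeeds and leaves no capacity behind. */
static int scenario_authorised(void) {
    struct decision d; policy_init(&d);
    int data[NOPS] = {0};
    int r = intercept(&d, 0, 0, data);
    return (r == 1 && !d.cap_valid && d.mode == USER_MODE) ? 1 : 0;
}

/* Scenario: rights are per operation; after a granted m_i1, m_i2 is still denied
 * and a direct call to the object without CheckM meets an invalid capacity. */
static int scenario_per_operation(void) {
    struct decision d; policy_init(&d);
    int data[NOPS] = {0};
    if (intercept(&d, 0, 0, data) != 1) return 0;
    if (intercept(&d, 0, 1, data) != -1) return 0;
    if (object_op(&d, 1, data) != -1) return 0;
    return data[1] == 0 ? 1 : 0;
}

/* Scenario: code outside segment 2 cannot obtain a capacity even for a
 * subject that holds the rights; the attempt is counted. */
static int scenario_forged_caller(void) {
    struct decision d; policy_init(&d);
    bool granted = check_m(&d, 0x5000u, 1, 2);
    return (!granted && !d.cap_valid && d.forged_callers == 1) ? 1 : 0;
}
```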
The invention further consists in a method of fabricating a component-based kernel intended in particular for light operating systems. This component-based kernel includes a flexible access control policy. The fabrication process includes the following steps:
The access control system of the invention can install secured operating systems without recourse to the addressing space concept and is therefore directly applicable to all light terminals. In particular, a component-based kernel with an access control system according to the invention can be used in communication and/or multimedia data broadcasting network operating systems. Generally speaking, the access control method and system according to the invention can be applied to all applications having major security requirements in the terminals, in particular in onboard mobile terminals, or in communication and/or broadcasting network intermediate stations, e.g. for applications like e-commerce, digital radio broadcasting (such as DRM for protecting the contents of MP3 players, for example), protection of personal data in medical computing, etc.