Beyond Stack Inspection: A Unified Access-Control and
Information-Flow Security Model
Marco Pistoia
IBM Research
Tuesday, May 15, 1:00PM
Babbio Center, Room 202
Stevens Institute of Technology
Abstract
Modern component-based systems, such as Java and Microsoft .NET Common
Language Runtime (CLR), have adopted Stack-Based Access Control
(SBAC). Its purpose is to use stack inspection to verify that all the
code responsible for a security-sensitive action is sufficiently
authorized to perform that action. However, previous literature has
shown that the security model enforced by SBAC is flawed in that stack
inspection may allow unauthorized code no longer on the stack to
influence the execution of security-sensitive code. A different
approach, History-Based Access Control (HBAC), is safe but may
unjustly prevent authorized code from executing a security-sensitive
operation if less trusted code was previously executed. In this
paper, we formally introduce Information-Based Access Control (IBAC),
a novel security model that verifies that all and only the code
responsible for a security-sensitive operation is sufficiently
authorized. Given an access-control policy, we present a mechanism to
extract from it an implicit information-flow policy, and we prove that
IBAC enforces both policies. Furthermore, we discuss large-scale
application code scenarios to which IBAC can be successfully applied.
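As an added illustration, not from the paper or the talk, the following toy Python simulation contrasts the three models on the scenario the abstract describes: an untrusted plugin picks a file path, returns (so its frame leaves the stack), and trusted application code then performs the read. The principals ("app", "plugin"), the policy, the path values and the labelling scheme are all constructed assumptions, not the paper's formalism.

```python
"""Toy simulation of SBAC, HBAC and IBAC (constructed illustration)."""
from dataclasses import dataclass, field

FILE_READ = "FileRead"
# Constructed policy: only the application's own code holds FileRead.
POLICY = {"app": {FILE_READ}, "plugin": set()}

@dataclass(frozen=True)
class Value:
    """A value labelled with the principals whose code influenced it."""
    data: str
    influenced_by: frozenset = frozenset()

@dataclass
class Runtime:
    stack: list = field(default_factory=list)  # principals of live frames
    history: set = field(default_factory=set)  # every principal that has run

    def call(self, principal, fn, *args):
        self.stack.append(principal)
        self.history.add(principal)
        try:
            return fn(self, *args)
        finally:
            self.stack.pop()  # frame is gone once fn returns

    def check(self, model, perm, inputs):
        """True if `model` grants `perm` for an operation consuming `inputs`."""
        responsible = set(self.stack)            # SBAC: live frames only
        if model == "HBAC":
            responsible |= self.history          # plus everything that ever ran
        elif model == "IBAC":
            for v in inputs:                     # plus code that shaped the inputs
                responsible |= v.influenced_by
        return all(perm in POLICY[p] for p in responsible)

def plugin_pick_path(rt):
    # Untrusted plugin code; its result is labelled as influenced by "plugin".
    return Value("/etc/passwd", frozenset({"plugin"}))

def app_read(rt, model, path):
    # Trusted code performs the security-sensitive operation on `path`.
    return rt.check(model, FILE_READ, [path])

def scenario(model, use_plugin_result):
    """Plugin runs and returns; trusted code then reads a file."""
    rt = Runtime()
    picked = rt.call("plugin", plugin_pick_path)
    path = picked if use_plugin_result else Value("/app/config", frozenset({"app"}))
    return rt.call("app", app_read, model, path)
```

With `use_plugin_result=True`, SBAC grants the read even though the plugin chose the path (the flaw the abstract describes), while HBAC and IBAC deny it; with `use_plugin_result=False`, HBAC still denies because the plugin ran earlier, whereas IBAC grants it because only "app" code influenced the operation.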