Authorization And Trust In Software Systems

Abstract

Nexus Authorization Logic (NAL) provides a principled basis for specifying and reasoning about credentials and authorization policies. It extends prior access control logics that are based on "says" and "speaks for" operators. NAL enables authorization of access requests to depend on (i) the source or pedigree of the requester, (ii) the outcome of any mechanized analysis of the requester, or (iii) the use of trusted software to encapsulate or modify the requester. To illustrate the convenience and expressive power of this approach to authorization, a document-viewer application suite was implemented for the [alpha]-Nexus operating system. One of the viewers enforces policies that concern the integrity of excerpts a document contains; another viewer enforces confidentiality policies specified by labels tagging blocks of text; and a third viewer enforces policies that impose chain-ofcustody restrictions on stages of an image-editing pipeline. To study how compatible this approach to authorization is with existing principles for building trustworthy systems, a filesystem that pervasively instantiates a number of well-known security principles was implemented for [alpha]-Nexus. The design and overall performance of this filesystem was compared to a Linux filesystem that largely ignores the security principles.