> Below is my position paper for the DOC Security workshop. I apologize for the lateness of the submission. I believe that it fits the DOC Security Integration Issues topic. Several of us from TIS attended last year's workshop and found it to be very interesting. We hope to be included in the workshop again this year.
>
> Thank you.
> --
>
> Above-kernel Object-Oriented Domain and Type Enforcement
>
> At the first workshop in 1997, we described an implementation of a kernel-based version of Object-Oriented Domain and Type Enforcement (OO-DTE). A DTE-enhanced kernel applies a type to each passive entity (file or IPC message). Each process runs in a domain which constrains the process's access to entities of certain types as described by the DTE policy. A DTE Language (DTEL) policy describes the assignment of types to files and the ability of each domain to access entities of particular types.
>
> Kernel-based OO-DTE extends operating system protection mechanisms to CORBA operation invocations by requiring the ORB to apply a type to each operation. An OO-DTE policy is described in the DTEL++ language. DTEL++ is a superset of DTEL that describes access policy for CORBA operations. The kernel mediates access to the operations according to the type assigned to the operation and the ability of a process's domain to invoke or implement the type.
>
> The kernel-based OO-DTE prototype uses a modified version of the ILU ORB (from Xerox PARC) running on a DTE-enhanced version of BSD/OS. While this is an effective approach to non-bypassable CORBA security, it has limitations from a commercial perspective due to the requirement to run applications on a customized kernel. To achieve some of the benefits of OO-DTE in a more practical operating environment, we have begun an implementation that uses a popular commercial operating system and ORB. We call this implementation above-kernel OO-DTE. The benefits of above-kernel OO-DTE include fine-grained access control, scalability, and ease of policy administration, all on a commercial platform.
>
> Our initial above-kernel OO-DTE prototype implementation has been as a plug-in module for Iona's Orbix running on Solaris. The prototype is implemented as an Orbix per-process filter which intercepts all operation request and reply messages. The filter performs the functions previously performed by both the ORB and operating system in the kernel-based version of OO-DTE. In addition to determining the proper type for an operation, the filter also performs access control based upon the operation's type and a pseudo-domain for the process.
>
> To date, we have demonstrated the following capabilities in above-kernel OO-DTE:
> · interoperability of kernel-based OO-DTE with above-kernel OO-DTE
> · scalable DTEL++ policies
> · per-object access control
>
> Our current work is focused on the following enhancements:
> · strong authentication for domain determination using SSL
> · policy updates and synchronization across hosts
> · interoperability with CORBA boundary control mechanisms, such as the ORB Gateway
>
> This work has been funded by Rome Labs and DARPA as part of the Sigma project, which will be completed in 1998. The technology will be integrated into DARPA's AITS Security Reference Architecture through the Information Assurance program.
>
> --
> Gregg Tally
> Trusted Information Systems, Inc.
> 3060 Washington Rd (Rte. 97)
> Glenwood, MD 21738
> http://www.tis.com
> (301)854-5729
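The mediation step the paper describes (a type per CORBA operation, a domain per process, and a per-process filter that checks whether the caller's domain may invoke and the target's domain may implement that type) as a toy model. This is an added example, not TIS or Orbix code; the policy notation, the `Account::*` operations, the domain names and the `check_request` interface are all invented for illustration and are not DTEL++.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    op_types: dict = field(default_factory=dict)   # "Interface::op" -> type
    invoke: dict = field(default_factory=dict)     # domain -> types it may invoke
    implement: dict = field(default_factory=dict)  # domain -> types it may implement

    @classmethod
    def parse(cls, text):
        """Parse the toy notation (NOT DTEL++): 'type <t> <Interface::op>...' and
        'domain <d> invoke <t,..|-> implement <t,..|->'. Any other line raises
        ValueError so a malformed policy fails closed rather than open."""
        p = cls()
        for raw in text.splitlines():
            words = raw.split("#", 1)[0].split()
            if not words:
                continue
            if words[0] == "type" and len(words) >= 3:
                for op in words[2:]:
                    p.op_types[op] = words[1]
            elif (words[0] == "domain" and len(words) == 6
                  and words[2] == "invoke" and words[4] == "implement"):
                p.invoke[words[1]] = set(words[3].split(",")) - {"-"}
                p.implement[words[1]] = set(words[5].split(",")) - {"-"}
            else:
                raise ValueError(f"bad policy line: {raw!r}")
        return p

def check_request(policy, client_domain, server_domain, op):
    """Mediate one intercepted request: the client's domain must be able to invoke
    the operation's type and the server's (pseudo-)domain must be able to implement it."""
    t = policy.op_types.get(op)
    if t is None:                      # untyped operation: deny by default
        return (False, "untyped operation")
    if t not in policy.invoke.get(client_domain, set()):
        return (False, f"domain {client_domain} may not invoke type {t}")
    if t not in policy.implement.get(server_domain, set()):
        return (False, f"domain {server_domain} may not implement type {t}")
    return (True, t)

# Constructed sample policy for the demonstration.
POLICY = Policy.parse("""
type   read_t   Account::balance Account::history
type   admin_t  Account::transfer Account::close
domain user_d   invoke read_t          implement -
domain teller_d invoke read_t,admin_t  implement -
domain bank_d   invoke -               implement read_t,admin_t
""")
```

The filter in the prototype also sees reply messages; this model checks the request side only.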