A Security Policy Language for CORBA (SPLC)


Stoney Jackson

Project Proposal


CORBA [?] offers an architecture for designing distributed applications and integrating legacy systems. CORBA also specifies a set of services that provide functionality common to most applications. Among these service specifications is CORBAsecurity [?]. The CORBAsecurity service is based on the CORBA Security Reference Model [?], which describes abstract mechanisms for enforcing security policies within a distributed application. The CORBAsecurity service essentially gives CORBA application implementors an API through which to implement security policies in terms of the CORBA Security Reference Model. The API is an abstraction layer that insulates the application implementor from the underlying security mechanisms used to realize the reference model. This abstraction layer is important because it provides a level of portability between platforms with different security mechanisms. However, the implementation of security policies themselves is still left to the application implementor.


The goal of this project is to develop a security policy language for specifying policies that are relevant to the distributed object computing (DOC) model [reference here]. Specifically, it will be designed to be embedded in CORBA's interface definition language (IDL) and to be enforced automatically via the CORBA Security Service.


This project will begin by developing a set of requirements for a security policy language for CORBA. Next, existing languages (e.g. DTEL [Ste+99], ASL [JSS97], LaSCO [Hoa2000], Ponder [Nic+2000], Adage [SZ97], Miro [Hey+90], etc.) and their corresponding security models and mechanisms (e.g. OO-DTE [Ste+99], the access control matrix [Lam71], history-based access control [EAV98], logic-based access control, rule-based access control, etc.) will be evaluated against this set of requirements. Finally, a prototype language will be proposed and partially implemented to demonstrate feasibility.


[Ste+99] Sterne, Daniel F., Gregg W. Tally, et al., "Scalable Access Control for Distributed Object Systems." In Proceedings of the 8th USENIX Security Symposium, Washington, D.C., USA. USENIX, August 1999.

[Lam71] Lampson, B.W., "Protection." In Proceedings of the 5th Princeton Symposium on Information Sciences and Systems, Princeton University, March 1971.

[EAV98] Edjlali, Guy, Anurag Acharya, and Vipin Chaudhary, "History-based Access Control for Mobile Code." In Proceedings of the Fifth ACM Conference on Computer and Communications Security, San Francisco, CA, USA. ACM, November 1998.

[JSS97] Jajodia, Sushil, Pierangela Samarati, and V.S. Subrahmanian, "A Logical Language for Expressing Authorizations." In Proceedings of the 1997 IEEE Symposium on Security and Privacy, Oakland, CA, USA. IEEE Press, 1997.

[Hen+96] Henze, G., T. Koch, and B. Kramer, "Annotations for Synchronization Constraints in CORBA IDL." In Proceedings of the Third International Workshop on Services in Distributed and Networked Environments. IEEE Computer Society Press, 1996.

[Hoa2000] Hoagland, James, "Specifying and Implementing Security Policies Using LaSCO, the Language for Security Constraints on Objects." Ph.D. Dissertation, Department of Computer Science, UC Davis, 2000.

[Ko96] Ko, Calvin, "Execution Monitoring of Security-Critical Programs in a Distributed System: A Specification-Based Approach." Ph.D. Dissertation, Department of Computer Science, UC Davis, 1996.

[Nic+2000] Damianou, Nicodemos, et al., "Ponder: A Language for Specifying Security and Management Policies for Distributed Systems." Department of Computing, Imperial College. Available at: http://www-dse.doc.ic.ac.uk/policies/ponder.html. January 2000.

[SZ97] Simon, Rich and Mary Ellen Zurko, "Adage: An Architecture for Distributed Authorization." Technical report, Open Group Research Institute, 1997.

[Hey+90] Heydon, Allan, Mark W. Maimone, J.D. Tygar, Jeannette M. Wing, and Amy Moormann Zaremski, "Miro: Visual Specification of Security." In IEEE Transactions on Software Engineering, October 1990.

Send email to bishop@cs.ucdavis.edu

Department of Computer Science
University of California at Davis
Davis, CA 95616-8562

Page last modified on 4/23/2000