Separating access control policy, enforcement, and functionality in extensible systems

Robert Grimm, Brian N. Bershad

Research output: Contribution to journal › Article › peer-review


Extensible systems, such as Java or the SPIN extensible operating system, allow for units of code, or extensions, to be added to a running system in almost arbitrary fashion. Extensions closely interact through low-latency but type-safe interfaces to form a tightly integrated system. As extensions can come from arbitrary sources, not all of whom can be trusted to conform to an organization's security policy, such structuring raises the question of how security constraints are enforced in an extensible system. In this paper, we present an access control mechanism for extensible systems to address this problem. Our access control mechanism decomposes access control into a policy-neutral enforcement manager and a security policy manager, and it is transparent to extensions in the absence of security violations. It structures the system into protection domains, enforces protection domains through access control checks, and performs auditing of system operations. The access control mechanism works by inspecting extensions for their types and operations to determine which abstractions require protection and by redirecting procedure or method invocations to inject access control operations into the system. We describe the design of this access control mechanism, present an implementation within the SPIN extensible operating system, and provide a qualitative as well as quantitative evaluation of the mechanism.

Original language: English (US)
Pages (from-to): 36-70
Number of pages: 35
Journal: ACM Transactions on Computer Systems
Issue number: 1
State: Published - Feb 2001


  • Access check
  • Auditing
  • D.4 [Software]: Operating Systems
  • D.4.6 [Operating Systems]: Security and Protection - Access controls
  • Extensible systems
  • Java
  • Protection domain
  • Protection domain transfer
  • SPIN
  • Security
  • Security policy

ASJC Scopus subject areas

  • General Computer Science

