SPARTA ISSO

Secure Execution Environments

Agility - Technical Overview

Security Agility embeds into running components both knowledge of security policy models and the ability to extend existing functionality in reaction to dynamic policy updates. The Security Agility Toolkit, which encapsulates this security awareness and adaptability, consists of three primary components, as presented in the figure below: 1) an agile policy, 2) an AGility Authority (AGA), and 3) an agility subsystem. The agile policy specifies the embedded security models, the application-level security policy rules, and the dynamic code extensions for the agile components of the system. The agility authority provides the agile and security policy management service for a host, including the runtime representation of its agile policy. The agility subsystem performs all the security-specific functionality for a component as directed by the agile policy. The component-specific code, represented by the agile component's oval in the figure below, implements the component's non-security responsibilities.

Figure: Security Agility Toolkit components (download PowerPoint slide: security_agility.ppt [38K])

The agility subsystem contains the toolkit's embedded policy models and its framework for employing dynamic code extensions to add security-relevant processing or to conform to policy changes. The subsystem is composed of reusable libraries that can be augmented with additional embedded policy models and security semantics. The "extensions" boxes shown in the figure above depict the dynamic code extensions that the agile policy directs a component's security agility subsystem to employ. The toolkit uses interposition-based techniques, referred to as Control Transition Points (CTPs) in the figure above, to transfer processing control to the agility subsystem at key points during normal component operation (e.g., resource acquisition). Associated with each CTP is an agility subsystem routine that carries out the security services for the original (intercepted) call.

At system startup, a host's AGA is initialized: it parses the host's agile policy file into a shared memory representation for agile processes and then updates the shared memory policy structures as policy changes are received. When an agile process begins execution, control passes to the agility subsystem, using common language and compiler techniques, before any of the original component code executes. The subsystem's initialization routine configures the component by loading the control transition points and connecting to the shared memory agile policy segments.

During component operation, each occurrence of a library call that is wrapped by a control transition point transfers processing control to the agility subsystem. The subsystem's library routine invokes access control mediation as well as any dynamic code extensions that the agile policy associates with the control transition point. Dynamic code extensions may be specified for execution before or after a CTP's invocation of the original function call. Post-processing extensions can also be specified according to the result of the operation (success or failure) or for every occurrence of the operation. The agility subsystem retains resource state information on objects so that it can revisit previous access control decisions on those resources when a security policy change occurs.
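The CTP dispatch described in the two paragraphs above, as an added illustration in C that is not the toolkit's own code: a wrapper stands in for an intercepted resource-acquisition call, runs the pre-extension, mediates against a policy table that stands in for the AGA's shared-memory segment, invokes the original call, then runs the post-extension selected by the outcome plus a per-occurrence hook. A policy update revisits every resource still held and releases those the new policy no longer permits. All names (`ctp_acquire`, `policy_update`, the rule and resource tables, the counters) and the rule values are constructed for this example; the constructor attribute is one of the compiler techniques that can hand control to the subsystem before component code runs, and is a GCC/Clang extension.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_RULES 8
#define MAX_HELD  8
#define NAME_LEN  32

/* One application-level policy rule: may this component acquire `name`? */
typedef struct { char name[NAME_LEN]; bool allowed; } rule_t;

/* Stand-in for the AGA's shared-memory agile policy segment (constructed). */
static struct { rule_t rules[MAX_RULES]; int count; int version; } g_policy;

/* Resource state retained so earlier access decisions can be revisited. */
static struct { char name[NAME_LEN]; bool held; } g_held[MAX_HELD];

/* Counters that make the extension hooks observable from outside. */
static int g_pre, g_post_ok, g_post_fail, g_post_each, g_revoked;

/* Subsystem initialization: the constructor attribute runs it before any
 * component code; it is also callable directly to reset all state. */
__attribute__((constructor)) void agility_init(void)
{
    memset(&g_policy, 0, sizeof g_policy);
    memset(g_held, 0, sizeof g_held);
    g_pre = g_post_ok = g_post_fail = g_post_each = g_revoked = 0;
}

static rule_t *find_rule(const char *name)
{
    for (int i = 0; i < g_policy.count; i++)
        if (strcmp(g_policy.rules[i].name, name) == 0)
            return &g_policy.rules[i];
    return NULL;
}

/* Access control mediation: a resource with no matching rule is denied. */
static bool mediate(const char *name)
{
    const rule_t *r = find_rule(name);
    return r != NULL && r->allowed;
}

/* The original library call the CTP intercepts (stands in for e.g. open()).
 * Returns a handle index, or -1 when the handle table is full. */
static int original_acquire(const char *name)
{
    for (int h = 0; h < MAX_HELD; h++)
        if (!g_held[h].held) {
            snprintf(g_held[h].name, NAME_LEN, "%s", name);
            g_held[h].held = true;
            return h;
        }
    return -1;
}

static void original_release(int h) { g_held[h].held = false; }

/* Dynamic code extensions bound to this CTP by the (constructed) policy. */
static void ext_pre(const char *name)   { (void)name; g_pre++; }
static void ext_post_ok(int h)           { (void)h;    g_post_ok++; }
static void ext_post_fail(const char *n) { (void)n;    g_post_fail++; }
static void ext_post_each(void)          { g_post_each++; }

/* Control Transition Point: the component calls this wrapper instead of
 * original_acquire(). Order: pre-extension, mediation, original call,
 * outcome-specific post-extension, then the per-occurrence hook. */
int ctp_acquire(const char *name)
{
    ext_pre(name);
    int h = mediate(name) ? original_acquire(name) : -1;
    if (h >= 0) ext_post_ok(h); else ext_post_fail(name);
    ext_post_each();
    return h;
}

/* AGA side: apply a policy change, then revisit resources already held
 * and release any that the updated policy no longer permits. */
void policy_update(const char *name, bool allowed)
{
    rule_t *r = find_rule(name);
    if (r == NULL) {
        if (g_policy.count == MAX_RULES) return;   /* table full: ignore */
        r = &g_policy.rules[g_policy.count++];
        snprintf(r->name, NAME_LEN, "%s", name);
    }
    r->allowed = allowed;
    g_policy.version++;
    for (int h = 0; h < MAX_HELD; h++)
        if (g_held[h].held && !mediate(g_held[h].name)) {
            original_release(h);
            g_revoked++;
        }
}

/* Accessors used to observe the subsystem's state. */
bool resource_held(int h)    { return h >= 0 && h < MAX_HELD && g_held[h].held; }
int  agility_pre_calls(void) { return g_pre; }
int  agility_post_ok(void)   { return g_post_ok; }
int  agility_post_fail(void) { return g_post_fail; }
int  agility_post_each(void) { return g_post_each; }
int  agility_revoked(void)   { return g_revoked; }
int  policy_version(void)    { return g_policy.version; }
```

Two design points worth noting: mediation denies any resource the policy does not name, so a policy that fails to load results in no access rather than unrestricted access; and the revocation loop in `policy_update` is only possible because `ctp_acquire` records the name of every resource it hands out, which is the resource state the text says the subsystem retains.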