Expressing Security Policies for Distributed Objects Applications

B.C. Popescu, B. Crispo, A.S. Tanenbaum, M. Zeeman

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review


In this paper we describe the design and implementation of a policy engine for
enforcing security policies for distributed object applications. We show how our
design can be integrated as part of the Globe [11] system - a middleware for
supporting wide-area replicated objects.
While extensive work has been done in the area of security policy languages
and policy engines, this paper makes two important contributions: first we
identify a number of security policy requirements that arise in the context of
replicated applications, more specically, the need for policy mechanisms to
express dierent amounts of trust one wants to place into dierent replicas of
the same service. Second, we come up with a design that bridges the gap between an abstract security policy description and the actual service implementation. This is consistent to our goal to provide a policy engine at the middleware level which would make it simpler for application developers to integrate the policy engine with their applications. Traditional policy engines [2] work at a more abstract level, which in theory makes them very versatile, but in practice means that developers need to write rather complex translators (for passing parameters and environment variables) in order to bridge the gap between the engine and the application.
The rest of the paper is organized as follows: in Section 2 we give an overview
of the Globe system, which is the testbed for the policy engine we have devel-
oped. In Section 3 we describe the trust model for Globe applications; our policy
language is specically designed to support this trust model. In the next three
sections we describe the policy language constructs, grouped into constructs for
supporting administrative policies, access control and method execution policies.
Finally, in Section 7 we give an overview of our implementation, in Section 8 we
examine related work, and in Section 9 we conclude.
Original languageEnglish
Title of host publicationProceedings of the 11th Cambridge International Workshop on Security Protocols
Publication statusPublished - 2003


Dive into the research topics of 'Expressing Security Policies for Distributed Objects Applications'. Together they form a unique fingerprint.

Cite this