Role-based access control model for protection domain derivation and management

Abstract

We present a role-based access control (RBAC) model for deriving and managing protection domains of dynamically-obtained, remote programs, such as downloaded executable content. These are programs that are obtained from remote sources (e.g., via the web) and executed upon receipt. The protection domains of these programs must be limited to prevent content providers from gaining unauthorized access to the downloading principal's resources. However, it can be difficult to determine the proper, limited protection domain for a program in which downloading principals need to share some of their resources. Current systems usually rely on one of a number of possible principals to specify the content protection domains, but the exclusion of input from other principals limits the flexibility in which protection domains can be derived and managed. In this paper, we describe a RBAC model for deriving protection domains and managing their evolution throughout the execution of the content. This model accounts for the variety of principals that may be involved in domain derivation and how their input is managed. We demonstrate the use of this model to specify a variety of protection domain derivation and management policies.