|
This paper presents manditory access control (MAC) in Java. Below is an excerpt:
... we have extended the JVM with functionality to do mandatory access control at the
granularity of objects. Our implementation strictly separates the enforcement mechanism from the
specification of polices. This allows flexible specification and enforcement of a wide range of
policies. Moreover, we show that these techniques are implementable in current JVMs with minimal
modifications to other JVM subsystems, while maintaining full backwards compatibility.
We have implemented this by adding an access control tag to each object, and modifying the virtual
machine to check that tag at every data access to an object. Policies will take the form of predicates
over these access control tags. Since mechanism and policy are strictly separated, various
policies can be plugged in to the VM.
|
