Computer Laboratory

Technical reports

Access policies for middleware

Ulrich Lang

May 2003, 138 pages

This technical report is based on a dissertation submitted March 2003 by the author for the degree of Doctor of Philosophy to the University of Cambridge, Wolfson College.


This dissertation examines how the architectural layering of middleware constrains the design of a middleware security architecture, and analyses the complications that arise from that. First, we define a precise notion of middleware that includes its architecture and features. Our definition is based on the Common Object Request Broker Architecture (CORBA), which is used throughout this dissertation both as a reference technology and as a basis for a proof of concept implementation. In several steps, we construct a security model that fits to the described middleware architecture. The model facilitates conceptual reasoning about security. The results of our analysis indicate that the cryptographic identities available on the lower layers of the security model are only of limited use for expressing fine-grained security policies, because they are separated from the application layer entities by the middleware layer. To express individual application layer entities in access policies, additional more fine-grained descriptors are required. To solve this problem for the target side (i.e., the receiving side of an invocation), we propose an improved middleware security model that supports individual access policies on a per-target basis. The model is based on so-called “resource descriptors”, which are used in addition to cryptographic identities to describe application layer entities in access policies. To be useful, descriptors need to fulfil a number of properties, such as local uniqueness and persistency. Next, we examine the information available at the middleware layer for its usefulness as resource descriptors, in particular the interface name and the instance information inside the object reference. Unfortunately neither fulfils all required properties. However, it is possible to obtain resource descriptors on the target side through a mapping process that links target instance information to an externally provided descriptor. We describe both the mapping configuration when the target is instantiated and the mapping process at invocation time. A proof of concept implementation, which contains a number of technical improvements over earlier attempts to solve this problem, shows that this approach is useable in practice, even for complex architectures, such as CORBA and CORBASec (the security services specified for CORBA). Finally, we examine the security approaches of several related middleware technologies that have emerged since the specification of CORBA and CORBASec, and show the applicability of the resource descriptor mapping.

Full text

PDF (0.8 MB)

BibTeX record

  author =	 {Lang, Ulrich},
  title = 	 {{Access policies for middleware}},
  year = 	 2003,
  month = 	 may,
  url = 	 {},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-564}