Policy Enforcement for Complex Digital Objects

Background

Our investigation of policy enforcement for digital libraries evolves out of two research programs at Cornell:

  1. FEDORA, an extensible and interoperable architecture for digital objects and repositories.

  2. In-Line Reference Monitoring (IRM), a form of language-based security for policy enforcement.

In the area of digital objects, we are using our FEDORA model to experiment with policy enforcement for complex digital objects. FEDORA prescribes a modular architecture built on the principle that interoperability and extensibility are best achieved by the clean separation of data, interfaces, and mechanisms. A Fedora Repository provides a general-purpose management layer for Digital Objects. In their simplest form, Digital Objects are containers that aggregate MIME-typed streams of data (e.g., digital images, XML files, metadata), known as DataStreams. Clients interact with Fedora Digital Objects through a set of generic methods that constitute a well-defined open interface shared by all Digital Objects. Digital Objects can be extended to support one or more behavior interface types (e.g., a book interface, a lecture interface). These uniquely identified interface types are associated with Digital Objects via pluggable components known as Disseminators. Each Disseminator points to the formal definition of a behavior interface type, and to an executable mechanism that runs the interface methods. Both the interface type definitions and the mechanisms can be stored locally with the object, or at a network location where they can be shared.

We are investigating the use of language-based security techniques for the enforcement of security policies for complex, extensible objects. Specifically, we are experimenting with Cornell's Policy Enforcement Toolkit (PoET) as a means of applying In-lined Reference Monitoring (IRM) to Fedora Digital Objects. This is described in our current Research section.

Substantial research has already been done at Cornell on new models for security. IRM is grounded in security automata theory. IRMs can simulate security automata; as such, they can enforce a rich class of access control policies. In general, a reference monitor enforces security policies by mediating all executions that pertain to the policy it is enforcing. A reference monitor must be transparent to applications, and must be protected from attack by applications. IRMs achieve this through bytecode modification by a trusted program rewriter. The result is that an application, itself, becomes its own reference monitor.

PoET implements IRM for the Java environment. In PoET, Java applications are converted to secured applications by a code rewriter that embeds checks into Java Machine Language programs (bytecode). The embedded checks terminate forbidden executions before they violate the security policy for an object or application. To ensure the integrity of the checks, and to increase performance of the modified code, PoET performs program analysis and optimization during the rewriting process. It should be noted that PoET modifies bytecode - not Java source code. Thus, the Java compiler is not part of the trusted computing base. Accordingly, a computer running PoET does not require the presence of a Java compiler, nor Java source code for an application. In PoET, security policies are specified in the Policy Specification Language (PSLang), which is a simple, event-oriented language that is somewhat similar to Java in syntax. Policies that are modeled as security automata can be easily expressed in PSLang.
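As an added illustration (not code from the FEDORA or PoET projects), the following Python models the IRM idea described above: a security automaton, a constructed policy (nothing may be sent once a DataStream has been read), and a rewriter that in-lines the automaton's check ahead of each security-relevant method, so the application halts itself before a forbidden action rather than after it. PoET does this on Java bytecode; the function wrapping here stands in for bytecode rewriting, and the policy, event names and application functions are assumptions made for the example.

```python
from typing import Callable, Dict, List, Tuple
class PolicyViolation(Exception):
    """Raised by an in-lined check to halt execution before the policy is violated."""

class SecurityAutomaton:
    """Finite-state automaton over events; an event with no transition is forbidden."""
    def __init__(self, initial: str, transitions: Dict[Tuple[str, str], str]):
        self.state = initial
        self.transitions = transitions          # (state, event) -> next state
    def step(self, event: str) -> None:
        nxt = self.transitions.get((self.state, event))
        if nxt is None:
            raise PolicyViolation(f"event {event!r} forbidden in state {self.state!r}")
        self.state = nxt

# Constructed policy: DataStreams may be read and data may be sent, but nothing
# may be sent once a DataStream has been read (its content must not leave).
NO_SEND_AFTER_READ = {("start", "read"): "read", ("start", "send"): "start",
                      ("read", "read"): "read"}   # ("read", "send") is absent

# Untrusted application code (constructed); it contains no policy checks.
def read_datastream(name: str) -> bytes:
    return b"<content of " + name.encode() + b">"

def send(payload: bytes) -> int:
    return len(payload)

def inline_checks(app: Dict[str, Callable], events: Dict[str, str],
                  automaton: SecurityAutomaton) -> Dict[str, Callable]:
    """Trusted rewriter: run the automaton step before each security-relevant body."""
    def guard(fn: Callable, event: str) -> Callable:
        def checked(*args, **kwargs):
            automaton.step(event)          # in-lined check, fires before the action
            return fn(*args, **kwargs)
        return checked
    return {name: guard(fn, events[name]) for name, fn in app.items()}

def run_trace(trace: List[Tuple[str, object]]) -> List[object]:
    """Run (method, arg) calls on a freshly secured app; stop at the first violation."""
    automaton = SecurityAutomaton("start", NO_SEND_AFTER_READ)
    secured = inline_checks({"read": read_datastream, "send": send},
                            {"read": "read", "send": "send"}, automaton)
    results: List[object] = []
    for method, arg in trace:
        try:
            results.append(secured[method](arg))
        except PolicyViolation as exc:
            results.append(str(exc))
            break
    return results
```

Because the check is inserted ahead of the action, the final `send` in a read-then-send trace never executes; the trace ends with the violation message in place of a result.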

The process of in-lining and loading Java classes using PoET: