<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE article  PUBLIC "-//NLM//DTD Journal Publishing DTD v3.0 20080202//EN" "http://dtd.nlm.nih.gov/publishing/3.0/journalpublishing3.dtd"><article xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" dtd-version="3.0" xml:lang="en" article-type="research article"><front><journal-meta><journal-id journal-id-type="publisher-id">JIS</journal-id><journal-title-group><journal-title>Journal of Information Security</journal-title></journal-title-group><issn pub-type="epub">2153-1234</issn><publisher><publisher-name>Scientific Research Publishing</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.4236/jis.2012.32010</article-id><article-id pub-id-type="publisher-id">JIS-18779</article-id><article-categories><subj-group subj-group-type="heading"><subject>Articles</subject></subj-group><subj-group subj-group-type="Discipline-v2"><subject>Computer Science&amp;Communications</subject></subj-group></article-categories><title-group><article-title>
 
 
  Reference Encryption for Access Right Segregation and Domain Representation
 
</article-title></title-group><contrib-group><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>anfranco</surname><given-names>Lopriore</given-names></name><xref ref-type="aff" rid="aff1"><sub>1</sub></xref><xref ref-type="corresp" rid="cor1"><sup>*</sup></xref></contrib></contrib-group><aff id="aff1"><label>1</label><addr-line>Dipartimento di Ingegneria dell’Informazione: Elettronica, Informatica, Telecomunicazioni,Università di Pisa, Pisa, Italy</addr-line></aff><author-notes><corresp id="cor1">* E-mail:<email>l.lopriore@iet.unipi.it</email></corresp></author-notes><pub-date pub-type="epub"><day>26</day><month>04</month><year>2012</year></pub-date><volume>03</volume><issue>02</issue><fpage>86</fpage><lpage>90</lpage><history><date date-type="received"><day>January</day>	<month>30,</month>	<year>2012</year></date><date date-type="rev-recd"><day>February</day>	<month>29,</month>	<year>2012</year>	</date><date date-type="accepted"><day>March</day>	<month>25,</month>	<year>2012</year></date></history><permissions><copyright-statement>&#169; Copyright  2014 by authors and Scientific Research Publishing Inc. </copyright-statement><copyright-year>2014</copyright-year><license><license-p>This work is licensed under the Creative Commons Attribution International License (CC BY). http://creativecommons.org/licenses/by/4.0/</license-p></license></permissions><abstract><p>
 
 
  With reference to a protection model featuring processes, objects and domains, we consider the salient aspects of the protection problem, domain representation and access right segregation in memory. We propose a solution based on protected references, each consisting of the identifier of an object and the specification of a collection of access rights for this object. The protection system associates an encryption key with each object and each domain. A protected reference for a given object is always part of a domain, and is stored in memory in the ciphertext form that results from application of a double encryption using both the object key and the domain key.
 
</p></abstract><kwd-group><kwd>Access Right; Domain; Protection; Symmetric-Key Cryptography</kwd></kwd-group></article-meta></front><body><sec id="s1"><title>1. Introduction</title><p>We shall refer to a well-known protection model featuring active entities, the processes, that perform access attempts to passive entities, the objects [1,2]. Objects are typed; the type of a given object states the set of operations that can be carried out on this object and, for each operation, the access rights that a process must hold to accomplish this operation successfully. At any given time, a protecttion domain is associated with each process: this is a collection of access rights on the objects that the process can access at that time.</p><p>A salient aspect of the protection problem is the representation of access rights and protection domains in memory. A classical solution is based on the concept of a capability [3,4]. This is a pair , where B is the identifier of an object and AR is a set of access rights for this object. A protection domain takes the form of a collection of capabilities, which correspond to the access rights included in that domain.</p><p>Capabilities are sensitive objects that cannot be treated as ordinary data [<xref ref-type="bibr" rid="scirp.18779-ref5">5</xref>]: we must prevent processes from modifying the access right field and add new access rights, for instance. Capabilities can be segregated into capability segments [6,7]. In this case, a protection domain usually takes the form of a tree, where the root of the tree is a capability segment that includes the capabilities for other capability and data segments, and the data segments are the tree leaves. Alternatively, we can take advantage of a tag associated with each memory cell, which specifies whether this cell contains a capability or an ordinary data item [8,9]. In a third approach, a set of passwords is associated with each object, and each password corresponds to one or more access rights. A password capability is a pair where B is an object identifier and PSW is a password [10,11]. If a match exists between PSW and one of the passwords associated with object B, then the password capability grants its holder the access rights corresponding to that password on B.</p><p>In the approaches to capability segregation in memory, outlined so far, a process that holds a capability can take full advantage of this capability, independently of the capability origin. This means that segregation does not prevent a process from taking advantage of a capability obtained illegitimately by means of a fraudulent action of capability copy, for instance.</p><p>In this paper, we propose an alternative approach to access right representation in memory, which solves the segregation problem by taking advantage of a form of symmetric-key cryptography [12,13]. In our approach, possession of an access privilege on a given object is certified by possession of a protected reference (p-reference from now on, for short) including the specification of a collection of access rights for this object. P-references are never stored in memory in plaintext. Instead, the protection system associates an encryption key, called the object key, with each object, and a further encryption key, the domain key, with each domain. A p-reference for a given object is always part of a protection domain and is stored in memory in the ciphertext form that results from application of a double encryption using both the object key and the domain key.</p></sec><sec id="s2"><title>2. The Protection System</title><sec id="s2_1"><title>2.1. Protected References</title><p>Let T be an object type, let S<sub>0</sub>, S<sub>1</sub>, &#183;&#183;&#183; be the operations that can be executed on an object of type T, and let AR<sub>0</sub>, AR<sub>1</sub>, &#183;&#183;&#183; be the access rights defined by T. For each given operation S<sub>m</sub>, the definition of type T states the subset of access rights AR<sub>0</sub>, AR<sub>1</sub>, &#183;&#183;&#183; that is necessary to accomplish that operation successfully. P-reference R takes the form R = , where AR is a bit configuration that specifies a collection of access rights for object B: if the i-th bit of AR is asserted, R grants access right AR <sub>i</sub> on B.</p><p>From now on, we shall use an underline to denote a ciphertext. Let k<sub>B </sub>be the encryption key associated with object B, and k<sub>D</sub> be the encryption key associated with the domain D of p-reference R = . <xref ref-type="fig" rid="fig1">Figure 1</xref> shows the transformation of R into ciphertext quantity R. The transformation proceeds as follows. Let B be the result of encrypting quantity B by using a symmetric-key cipher with key k <sub>D</sub>, and let AR be the result of encrypting pair by using a symmetric-key cipher with key k <sub>B</sub>. Quantity R is given by relation R = .</p><p><xref ref-type="fig" rid="fig2">Figure 2</xref> shows the reverse transformation of ciphertext quantity R = into the corresponding plaintext p-reference R. The transformation proceeds as follows. Domain encryption key k <sub>D</sub> is used to decrypt quantity B into object name B. Then, the object key k <sub>B</sub> associated with object B is used to decrypt quantity AR. Let be the result of the decryption. Quantity B* is compared with B to validate AR; if a match is found, validation is successful and p-reference R is given by pair .</p></sec></sec></body><back><ref-list><title>References</title><ref id="scirp.18779-ref1"><label>1</label><mixed-citation publication-type="other" xlink:type="simple">L. Lopriore, “Access Control Mechanisms in a Distributed, Persistent Memory System,” IEEE Transactions on Parallel and Distributed Systems, Vol. 13, No. 10, 2002, pp. 1066-1083. doi:10.1109/TPDS.2002.1041883</mixed-citation></ref><ref id="scirp.18779-ref2"><label>2</label><mixed-citation publication-type="other" xlink:type="simple">R. S. Sandhu and P. Samarati, “Access Control: Principle and Practice,” IEEE Communications Magazine, Vol. 32, No. 9, 1994, pp. 40-48. doi:10.1109/35.312842</mixed-citation></ref><ref id="scirp.18779-ref3"><label>3</label><mixed-citation publication-type="other" xlink:type="simple">H. M. Levy, “Capability-Based Computer Systems,” Butterworth-Heinemann, Oxford, 1984.</mixed-citation></ref><ref id="scirp.18779-ref4"><label>4</label><mixed-citation publication-type="other" xlink:type="simple">I. Kuz, G. Klein, C. Lewis and A. Walker, “CapDL: A Language for Describing Capability-Based Systems,” Proceedings of the 1st ACM Asia-Pacific Workshop on Systems, New Delhi, 30 August-3 September August 2010, pp. 31-36. doi:10.1145/1851276.1851284</mixed-citation></ref><ref id="scirp.18779-ref5"><label>5</label><mixed-citation publication-type="other" xlink:type="simple">M. de Vivo, G. O. de Vivo and L. Gonzalez, “A Brief Essay on Capabilities,” SIGPLAN Notices, Vol. 30, No. 7, 1995, pp. 29-36. doi:10.1145/208639.208641</mixed-citation></ref><ref id="scirp.18779-ref6"><label>6</label><mixed-citation publication-type="other" xlink:type="simple">G. Klein et al., “seL4: Formal Verification of an OS Kernel,” Proceedings of the 22nd ACM Symposium on Operating Systems Principles, Big Sky, 11-14 October 2009, pp. 207-220. doi:10.1145/1629575.1629596</mixed-citation></ref><ref id="scirp.18779-ref7"><label>7</label><mixed-citation publication-type="other" xlink:type="simple">E. I. Organick, “A Programmer’s View of the Intel 432 System,” McGraw-Hill, New York, 1983.</mixed-citation></ref><ref id="scirp.18779-ref8"><label>8</label><mixed-citation publication-type="other" xlink:type="simple">P. G. Neumann and R. J. Feiertag, “PSOS Revisited,” Proceedings of the 19th Annual Computer Security Applications Conference, Las Vegas, 8-12 December 2003, pp. 208-216. doi:10.1109/CSAC.2003.1254326</mixed-citation></ref><ref id="scirp.18779-ref9"><label>9</label><mixed-citation publication-type="other" xlink:type="simple">L. Lopriore, “Capability Based Tagged Architectures,” IEEE Transactions on Computers, Vol. C-33, No. 9, 1984, pp. 786-803. doi:10.1109/TC.1984.1676495</mixed-citation></ref><ref id="scirp.18779-ref10"><label>10</label><mixed-citation publication-type="other" xlink:type="simple">M. D. Castro, R. D. Pose and C. Kopp, “Password-Capabilities and the Walnut Kernel,” The Computer Journal, Vol. 51, No. 5, 2008, pp. 595-607. 
doi:10.1093/comjnl/bxm124</mixed-citation></ref><ref id="scirp.18779-ref11"><label>11</label><mixed-citation publication-type="other" xlink:type="simple">G. Heiser, K. Elphinstone, J. Vochteloo, S. Russell and J. Liedtke, “The Mungi Single-Address-Space Operating System,” Software: Practice and Experience, Vol. 28, No. 9, 1998, pp. 901-928.  
doi:10.1002/(SICI)1097-024X(19980725)28:9&lt;901::AID-SPE181&gt;3.0.CO;2-7</mixed-citation></ref><ref id="scirp.18779-ref12"><label>12</label><mixed-citation publication-type="other" xlink:type="simple">M. Stamp, “Information Security: Principles and Practice,” 2nd Edition, Wiley, Hoboken, 2011.  
doi:10.1002/9781118027974</mixed-citation></ref><ref id="scirp.18779-ref13"><label>13</label><mixed-citation publication-type="other" xlink:type="simple">J. Burke, J. McDonald and T. Austin, “Architectural Support for Fast Symmetric-Key Cryptography,” Proceedings of the 9th International Conference on Architectural Support for Programming Languages and Operating Systems, Cambridge, 12-15 November 2000, pp. 178-189. 
doi:10.1145/378993.379238</mixed-citation></ref><ref id="scirp.18779-ref14"><label>14</label><mixed-citation publication-type="other" xlink:type="simple">N. Tuck, B. Calder and G. Varghese, “Hardware and Binary Modification Support for Code Pointer Protection from Buffer Overflow,” Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture, Portland, 4-8 December 2004, pp. 209-220. 
doi:10.1109/MICRO.2004.20</mixed-citation></ref><ref id="scirp.18779-ref15"><label>15</label><mixed-citation publication-type="other" xlink:type="simple">Y. Younan, F. Piessens and W. Joosen, “Protecting Global and Static Variables from Buffer Overflow Attacks,” Proceedings of the 4th International Conference on Availability, Reliability and Security, Fukuoka, 16-19 March 2009, pp. 798-803. doi:10.1109/ARES.2009.126</mixed-citation></ref><ref id="scirp.18779-ref16"><label>16</label><mixed-citation publication-type="other" xlink:type="simple">M. Anderson, R. D. Pose and C. S. Wallace, “A PasswordCapability System,” The Computer Journal, Vol. 29, No. 1, 1986, pp. 1-8. doi:10.1093/comjnl/29.1.1</mixed-citation></ref><ref id="scirp.18779-ref17"><label>17</label><mixed-citation publication-type="other" xlink:type="simple">P. Gazi and U. Maurer, “Cascade Encryption Revisited,” Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, 6-10 December 2009, pp. 37-51.  
doi:10.1007/978-3-642-10366-7_3</mixed-citation></ref></ref-list></back></article>