TY - GEN
T1 - Support for the file system security requirements of computational e-mail systems
AU - Jaeger, Trent
AU - Prakash, Atul
N1 - Publisher Copyright: © 1994 ACM.
PY - 1994/11/2
Y1 - 1994/11/2
N2 - Computational e-mail systems, which allow mail messages to contain command scripts that automatically execute upon receipt, can be used as a basis for building a variety of collaborative applications. However, their use also presents a serious security problem because a command script from a sender may access/modify receiver's private files or execute applications on receiver's behalf. Existing solutions to the problem either severely restrict I/O capability of scripts, limiting the range of applications that can be supported over computational e-mail, or permit all I/O to scripts, potentially compromising the security of the receiver's files. Our model, called the intersection model of security, permits I/O for e-mail from trusted senders but without compromising the security of private files. We describe two implementations of our security model: an interpreter-level implementation and an operating systems-level implementation. We discuss the tradeoffs between the two implementations and suggest directions for future work.
UR - http://www.scopus.com/inward/record.url?scp=84897398755&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84897398755&partnerID=8YFLogxK
U2 - 10.1145/191177.191179
DO - 10.1145/191177.191179
M3 - Conference contribution
AN - SCOPUS:84897398755
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 1
EP - 9
BT - Proceedings of the 2nd ACM Conference on Computer and Communications Security, CCS 1994
PB - Association for Computing Machinery
T2 - 2nd ACM Conference on Computer and Communications Security, CCS 1994
Y2 - 2 November 1994 through 4 November 1994
ER -