Policy and permissions API

    sascha
    wrote on last edited by
    #1

    I have a bunch of shared libraries and would like to have fine-grained control over access to security-sensitive resources and code across DLL boundaries. For example, a DLL provides an API where certain methods should only be callable by DLLs which have specific permissions to do so.

    This is similar to the Java Policy and Permissions API, when running with a security manager:

    http://download.oracle.com/javase/6/docs/technotes/guides/security/permissions.html

    Has anyone done something similar using Qt, or using a third-party library?

    Thanks,
    Sascha

      blex
      wrote on last edited by
      #2

      Is this really possible in such a language as C/C++?


      Oleksiy Balabay

        tobias.hunger
        wrote on last edited by
        #3

        You cannot do that with DLLs. You can always go low-level and ask for a pointer to a symbol and call that instead of going through a mediator that does access control.

        If you need that you need to have separate processes handling access to the secure resources. You can define much stricter communication flows that way.

          blex
          wrote on last edited by
          #4

          [quote author="Tobias Hunger" date="1291282825"]If you need that you need to have separate processes handling access to the secure resources[/quote]

          If you really need that then, probably, you should select the right language. C++ is not for such kinds of tasks.


          Oleksiy Balabay

            sascha
            wrote on last edited by
            #5

            [quote author="Tobias Hunger" date="1291282825"]You cannot do that with DLLs. You can always go low-level and ask for a pointer to a symbol and call that instead of going through a mediator that does access control.[/quote]
            Agreed, but I was rather thinking about an API design which would allow checking if the caller has certain permissions. I don't need a general solution which can be bolted on top of existing libraries. For example, DLL A provides the method:

            void A::doSomethingPrivileged(CallerContext context, Parameter parameter);

            which DLL B calls, providing its own "Context" object, which might contain cryptographically secured tokens representing certain permissions.

            I was just wondering if someone did something similar already.

            [quote author="Tobias Hunger" date="1291282825"]If you need that you need to have separate processes handling access to the secure resources. You can define much stricter communication flows that way.[/quote]
            Yes, separate processes would make some things easier and that is definitely on my mind too.

              sascha
              wrote on last edited by
              #6

              [quote author="blex" date="1291283108"]
              If you really need that then, probably, you should select the right language. C++ is not for such kind of tasks
              [/quote]
              I am constrained to using C++ (personally, I don't think it is a constraint, though :-) )

              I believe that such functionality is very well possible in C++, using the right tools and techniques.

                DenisKormalev
                wrote on last edited by
                #7

                sascha, I don't think so (maybe something like Tobias suggested will work). C++ will allow you to write low-level code that will avoid any of your restrictions.

                  blex
                  wrote on last edited by
                  #8

                  [quote author="sascha" date="1291256496"]For example, a DLL provides an API where certain methods should only be callable by DLLs which have specific permissions to do so.[/quote]

                  If you want to protect against programmer mistakes, it seems possible. Just create a wrapper for your class that checks a security token before the call to the function.

                  If you want to protect against a hacker, then it is almost impossible.

                  This principle is the basis for many parts of C++ itself and is stated in the C++ author's book.


                  Oleksiy Balabay

                    sascha
                    wrote on last edited by
                    #9

                    I agree that protection against malicious code will be hard/impossible (that stands true for every language/platform, I guess).

                    In my case, protection against API misuse and permissions-based access-control is more important. This should be possible.

                    Thanks for your comments,

                    Sascha

                      blex
                      wrote on last edited by
                      #10

                      If you need protection only against API misuse and permissions-based access-control then I cannot imagine how to create such a library. It should be coupled with the API that you use.

                      If you have control over the sources of the used library then it may be simple to create a tool that generates wrappers or changed function call signatures (for example, by adding an optional security argument to the end of the function argument list).


                      Oleksiy Balabay

                        giesbert
                        wrote on last edited by
                        #11

                        So, in our department, we have such solutions. But we have additional security manager libraries, which have encrypted passwords etc. and where the source is not available. If both (client and server component) use this, you can do such "secured calls".

                        Nokia Certified Qt Specialist.
                        Programming Is Like Sex: One mistake and you have to support it for the rest of your life. (Michael Sinz)

                          tobias.hunger
                          wrote on last edited by
                          #12

                          Gerolf: What threats are those libraries supposed to protect against?

                            sascha
                            wrote on last edited by
                            #13

                            [quote author="Gerolf Reinwardt" date="1291306983"]So, in our department, we have such solutions. But we have additional security manager libraries, which have encrypted passwords etc. and where the source is not available. If both (client and server component) use this, you can do such "secured calls".[/quote]
                            Yes, that is part of the "tools" I am looking for, some kind of security manager to manage/create/verify security tokens. I know of QCA as a general purpose cryptography library, but was looking for something more tailored to my needs.

                            Gerolf, if I understood you correctly, you are using some in-house developed libraries, right? Or is it something which is available to the public (maybe closed-source)?

                              giesbert
                              wrote on last edited by
                              #14

                              That is definitely closed source and not available, sorry, it's part of our industrial software. I was just describing the general idea. It's a library that handles passwords, tokens etc. which are stored in an encrypted way. And everything is also combined with the current system users etc.
                              But it should not be so complicated to create such components, if you have the crypto algorithms. Perhaps, depending on your problem and the code policies you have, you can use some GPL library for that (or for the crypto part).

                              Nokia Certified Qt Specialist.
                              Programming Is Like Sex: One mistake and you have to support it for the rest of your life. (Michael Sinz)
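
The design sketched across this thread (a `CallerContext` passed to `A::doSomethingPrivileged`, a check before the privileged work, a security manager that issues and verifies tokens), as an added example that is not any poster's code: it swaps the cryptographically signed token for an opaque random handle that only the manager can resolve to a permission set, and every name except `A::doSomethingPrivileged` and `CallerContext` is hypothetical. As the thread notes, this guards against API misuse inside one process, not against code in the same address space that deliberately goes around the check.

```cpp
#include <cstdint>
#include <random>
#include <set>
#include <stdexcept>
#include <string>
#include <unordered_map>

// Hypothetical names throughout: an added sketch, not a Qt or third-party API.
enum class Permission { ReadConfig, WriteConfig };
struct CallerContext { std::uint64_t token; };  // opaque handle; holds no rights itself

class SecurityManager {
    std::random_device rng_;  // assumption: backed by the OS entropy source
    std::uniform_int_distribution<std::uint64_t> dist_;
    std::unordered_map<std::uint64_t, std::set<Permission>> grants_;  // never leaves the manager
public:
    CallerContext issue(const std::set<Permission>& perms) {  // fresh random handle
        std::uint64_t t;
        do { t = dist_(rng_); } while (t == 0 || grants_.count(t));  // 0 is never issued
        grants_[t] = perms;
        return CallerContext{t};
    }
    void revoke(const CallerContext& c) { grants_.erase(c.token); }
    bool allows(const CallerContext& c, Permission p) const {
        auto it = grants_.find(c.token);
        return it != grants_.end() && it->second.count(p) > 0;
    }
};

struct A {  // stand-in for "DLL A": checks the context before doing the work
    const SecurityManager& sm;
    std::string doSomethingPrivileged(const CallerContext& ctx, const std::string& parameter) {
        if (!sm.allows(ctx, Permission::WriteConfig)) throw std::runtime_error("permission denied");
        return "done:" + parameter;
    }
};
char attempt(A& a, const CallerContext& ctx) {  // 'A' = allowed, 'D' = denied
    try { a.doSomethingPrivileged(ctx, "x"); return 'A'; }
    catch (const std::runtime_error&) { return 'D'; }
}

std::string scenario() {
    SecurityManager sm; A a{sm};
    CallerContext writer = sm.issue({Permission::WriteConfig});
    CallerContext reader = sm.issue({Permission::ReadConfig});
    // Calls in order: granted handle, handle lacking the permission, made-up handle.
    std::string r{attempt(a, writer), attempt(a, reader), attempt(a, CallerContext{0})};
    sm.revoke(writer);  // a revoked handle stops working immediately
    return r + attempt(a, writer);
}
int main() { return scenario() == "ADDD" ? 0 : 1; }
```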
