Technical Report MSC-2007-22

Title: Decentralized Enforcement of Security Policies for Distributed Computational Systems
Authors: Arie Orlovsky
Supervisors: Danny Raz
Abstract: The shift from single server environments to globally distributed systems presents a great challenge in terms of defining and enforcing appropriate security policies. This is, among other things, due to the fact that the actual order of events in an asynchronous distributed environment is not always defined. In addition, security policies often depend on the actual information exchange among the distributed entities.

In this thesis we study the problem of adapting security policies to distributed environments such as grids and mobile code systems. We define what a global security policy is, and indicate some of the difficulties in translating local policies to the entire distributed environment. Then, we propose efficient and scalable security mechanisms for the enforcement of global security policies in distributed computational systems. These mechanisms are based on multiple instances of execution monitors (smart sandboxes) running on the distributed entities and on efficient security information sharing among them. We show that the subclasses of EM policies enforceable by these mechanisms contain useful, real-life security policies such as global information flow policies.

We provide a prototype implementation of the security mechanism capable of defining and enforcing global security policies. This mechanism uses AspectJ to intercept security-relevant events before they occur and terminates the execution if a target application is about to violate the security policy.

Copyright: The above paper is copyright by the Technion, Author(s), or others. Please contact the author(s) for more information.

Remark: Any link to this technical report should be to this page, rather than to the URL of the PDF files directly. The latter URLs may change without notice.


Computer science department, Technion