Ulrich Lang
University of Cambridge
United Kingdom
Dieter Gollmann
Microsoft Research
United Kingdom
Rudolf Schreiner
ObjectSecurity Ltd.
United Kingdom
This paper discusses the difficulties of describing an appropriate notion of the security attributes "caller" and "target" in object-oriented middleware systems such as CORBA. Middleware security needs such security attributes in order to be able to express middleware layer security policies. Our analysis points out that, whilst there is no information available on the ORB layer to describe the caller and target, it is possible in practice to use descriptors from other layers. In CORBA security, the mechanism-specific identifiers on the caller side and the information from the object reference on the target side turn out to be most appropriate and trustworthy for describing caller and target application objects at the right granularity. As a proof of concept we mention our MICOSec CORBA Security implementation which demonstrates the feasibility of our approach. Our paper shows that it is unrealistic to expect a security service layer to be able to abstract fully from the underlying security mechanisms without implications on granularity and semantic mismatches.