Next: The Confinement Problem Up: Access Control for Previous: Form of Access

Implementation of Access Matrix

Recall that an access matrix may be implemented by access control lists or by capabilities. These traditional implementation approaches must be extended in many ways to implement the access-control properties of distributed applications mentioned above:

Network-wide capabilities: A capability no longer references a local object, so a scheme for addressing a remote object must be implemented. To address this problem, Amoeba stores in a capability a network-wide id of the protected object together with an encryption of the access rights to that object.

Replicated access lists: A way must be found to replicate access control lists of replicas. Both Suite and Lotus Notes use the mechanisms provided by the replication system for replicating objects to also replicate access control lists of these objects.

Application-Defined Objects: Traditional operating systems do not support user-defined objects, and thereby restrict themselves to protecting predefined rights such as file rights. As we saw above, distributed systems must protect application-defined operations such as connect. Two approaches have been used to protect application-defined objects. One approach, used in Hydra, is to develop a kernel that manages application-defined objects, intercepting, and thereby guarding, all operations on these objects. An alternative approach is to provide access control in user space. X servers, Suite dialogue managers and Web browsers [Wallach et al 97] are examples of user-level code implementing access control. The advantage of the second approach is that it can be used with existing, non-object-oriented operating systems, and access checks do not require context switches to the operating system. However, some form of authentication facility is required to verify a subject's identity.

Access Proxies: A general technique for implementing access-control in user-space is to implement for each protected class a proxy class that has the same interface as the protected class, performs access checks, and forwards operations to the protected class if these checks succeed.

Stack Check/Modified Name Space: Access control for a process that allows code to be dynamically downloaded into it must distinguish between local and downloaded code and give restricted rights to downloaded code, to ensure, for instance, that it does not destroy or leak the contents of local data. Java-enabled Web browsers illustrate how such a mechanism can be supported. Two approaches have been used by them to restrict the access of downloaded Java applets. One approach relies on the fact that separate class loader objects are used to load local and remote code and that the stack frame of each method points to the object that loaded it. As a result, when a protected method is called, the browser can provide restricted access if the stack contains a method that was called (directly or indirectly) by downloaded code.

The other approach relies on the fact that the loader can determine the name space of downloaded code. It creates restrictive proxy classes for the protected classes, and makes sure that downloaded code sees the proxy classes instead of the protected classes.
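As an added example (not from these notes), the access-proxy approach and the stack-check approach above combined in Python: a DocumentProxy with the same interface as a protected Document consults an access matrix, and treats any call whose stack contains code tagged as downloaded as coming from the restricted subject "downloaded", so rights are reduced even when the applet goes through a local helper. Document, DocumentProxy, the `downloaded` tag and the subject names are assumed names for illustration, and the access matrix is a constructed dict.

```python
import inspect

class Document:  # protected class: trusts its callers and performs no checks itself
    def __init__(self, text):
        self.text = text
    def read(self):
        return self.text
    def write(self, text):
        self.text = text

DOWNLOADED_CODE = set()  # code objects of functions tagged as downloaded (untrusted)
def downloaded(func):
    DOWNLOADED_CODE.add(func.__code__)
    return func

def downloaded_code_on_stack():
    # Stack check: True if any active frame belongs to downloaded code, however indirectly.
    return any(f.frame.f_code in DOWNLOADED_CODE for f in inspect.stack(context=0))

class DocumentProxy:
    """Access proxy: same interface as Document; checks the access matrix (a dict (subject, object) -> rights), then forwards."""
    def __init__(self, target, matrix, subject):
        self._target, self._matrix, self._subject = target, matrix, subject
    def _check(self, right):
        # A call that passed through downloaded code gets only that code's rights.
        subject = "downloaded" if downloaded_code_on_stack() else self._subject
        if right not in self._matrix.get((subject, self._target), ()):
            raise PermissionError(f"{subject} may not {right}")
    def read(self):
        self._check("read")
        return self._target.read()
    def write(self, text):
        self._check("write")
        self._target.write(text)

def demo():
    # Local code may read and write; the applet may read but not write, even via a local helper.
    doc = Document("draft")
    matrix = {("alice", doc): {"read", "write"}, ("downloaded", doc): {"read"}}
    proxy = DocumentProxy(doc, matrix, "alice")
    proxy.write("v2")                      # trusted local code: allowed
    def helper(p):                         # local code, but called from the applet below
        try:
            p.write("tampered"); return "written"
        except PermissionError:
            return "denied"
    @downloaded
    def applet(p):                         # untrusted downloaded code
        return p.read(), helper(p)
    return applet(proxy), doc.read()       # (("v2", "denied"), "v2")
```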

Summary

The following table summarizes the differences between access control for single-site systems and distributed systems.






Prasun Dewan
Thu Apr 4 13:59:14 EST 2002