Dismiss
InnovationQ will be updated on Sunday, Oct. 22, from 10am ET - noon. You may experience brief service interruptions during that time.
Browse Prior Art Database

Efficient Implementation of ACLS for Object-Oriented Systems

IP.com Disclosure Number: IPCOM000104157D
Original Publication Date: 1993-Mar-01
Included in the Prior Art Database: 2005-Mar-18
Document File: 4 page(s) / 182K

Publishing Venue

IBM

Related People

Luniewski, AW: AUTHOR

Abstract

Disclosed is a system that permits space efficient and time efficient implementation of an Access Control List (ACL) based protection on a conventional memory mapped computer system. The approach is novel in permitting very fine grained access control at the level of individual methods on individual objects while retaining good space and time performance for executing programs.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 29% of the total text.

Efficient Implementation of ACLS for Object-Oriented Systems

      Disclosed is a system that permits space efficient and time
efficient implementation of an Access Control List (ACL) based
protection on a conventional memory mapped computer system.  The
approach is novel in permitting very fine grained access control at
the level of individual methods on individual objects while retaining
good space and time performance for executing programs.

      The protection model assigns an ACL to each method of each
object.  The number of ACLs is typically less than the number of
methods since an ACL may be associated with many different methods.
An ACL maps a principal, that is the entity currently responsible for
a computation, into a boolean.  In a protection context, a TRUE
answer indicates that the principal has permission to access the
resource protected by the ACL or, rather, to invoke the method while
FALSE indicates that an invocation is not permitted.

      The described implementation uses a combination of two
indirections through memory to achieve efficiency.  First, an object
reference refers to a "local" object rather than to the "real"
object.  The "real" object contains the object's state and a pointer
to the object's method dispatch vector which, in turn, has pointers
to the object's implementation code.  The object's state is accessed
and manipulated by the object's implementation code.  The local
object refers to the real object.  Second, the local object has a
pointer to a local implementation which is a vector of pointers that
allows the holder of a reference to an object to invoke a method on
that object.  The local implementations for a given principal are
gathered into a remappable object segment which is at the same
location in memory for all principals.  When the current principal
changes, the object segment is remapped to be the object segment for
the new current principal.  The local object referring to any given
real object is at the same offset within the object segment for all
principals.

      In the present context, an object consists of three components:
state, implementation, and methods.  The state is the variables that
reflect the current "value" of an object.  The implementation is the
code associated with an object that implements the object's behavior.
Only the implementation may access the state of an object.  The
methods are the programming manifestation of the behavior of an
object.  Methods may result in the return of information about the
current state of the object and may alter the object's state.
Methods are implemented by the object's implementation.

      Method invocation proceeds as follows.  The object reference
permits the code to find the local object.  The local object permits
the local implementation to be found.  Since the object segment is
remapped on change of current principal, the pointers in the local
implementation are correct for the current pr...