Next: Performance Up: CRISIS Protocols Previous: Accessing a Remote File

Running a Remote Job

Conceptually, authenticating and authorizing the execution of jobs on remote machines is similar to the process of remote file access. Currently, WebOS uses a UNIX command-line program to request remote execution. This request results in a CRISIS library call, which contacts the local process manager with the identity of the requesting principal. The protocol for process execution then proceeds similarly to the file access example described in the previous subsection.

Currently, the ACLs for remote process execution simply list the principals that are permitted to execute programs on a node; they say nothing about how much of the node a principal may use. In the future, we plan to use transfer certificates and ACLs to carry information specifying the portion of a node's resources a given role may consume. Another avenue for future work is building an interface that allows principals to reason about the set of privileges a remote job requires. Clearly, remote jobs should run with the minimum set of privileges necessary to complete their task; however, determining this minimal set can be difficult. We plan to build an interface that allows users to run a job locally, observe which privileges it actually exercises, and transfer only that set to the job when it is run remotely.

Once a job execution request is authorized, CRISIS uses Janus [Goldberg et al. 1996] to set up a virtual machine (in Janus's case, a sandbox that interposes on the process's system calls) to execute the process on the target machine, reducing the risk that the job violates system integrity. The Janus profile file describing the level of restriction imposed by the virtual machine is generated on the fly from the identity of the requesting principal and the requirements of the job to be executed. Once set up, the virtual machine is associated with a CRISIS security domain, and thereby with the set of privileges specified by the principal requesting process execution. By both restricting jobs to those originating from authorized principals and confining running jobs in a sandbox, the local machine is protected from malicious or buggy programs even when their execution is requested by an authorized principal: authorization decides who may run anything on the node, and the sandbox bounds what an authorized job can touch once it runs.
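As an added illustration, not CRISIS, WebOS or Janus code and not part of the original paper, the following Python sketch follows the three steps this subsection describes: checking the requesting principal against the node's remote-execution ACL, deriving a least-privilege set from a trace of a local run of the job, and generating a default-deny profile for the sandbox from the intersection of the two. The ACL entries (including the per-principal privilege patterns, which the paper's ACLs do not yet carry), the trace format and the profile line syntax are all constructed assumptions; the real Janus policy grammar is not reproduced here.

```python
import fnmatch

# Remote-execution ACL for this node. Keys are principal names; values are
# the privileges a principal may transfer to jobs it runs here, written as
# "operation:target" glob patterns. Constructed for this example: the ACLs
# described in the paper hold only principal names, so the privilege
# patterns are an assumption about the planned extension.
EXEC_ACL = {
    "alice@cs.berkeley.edu": {
        "read:/home/alice/*",
        "write:/tmp/alice/*",
        "connect:*.berkeley.edu:80",
    },
    "bob@cs.berkeley.edu": {
        "read:/home/bob/*",
    },
}

# Trace of a local profiling run of the job, one access per line
# (constructed; the "op target" format is an assumption, not a CRISIS
# interface). The last line is a privilege the job should never be granted.
LOCAL_TRACE = """\
read /home/alice/data/input.dat
read /home/alice/data/params.cfg
write /tmp/alice/result.out
connect www.cs.berkeley.edu:80
read /etc/shadow
"""


def required_privileges(trace):
    """Reduce a local run's trace to the set of 'op:target' privileges used."""
    privs = set()
    for line in trace.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        op, target = line.split(None, 1)
        privs.add(f"{op}:{target}")
    return privs


def is_authorized(principal):
    """Step 1: only principals named in the ACL may request execution at all."""
    return principal in EXEC_ACL


def grant(principal, required):
    """Step 2: intersect what the job needs with what the principal may transfer.

    Returns (granted_patterns, denied_privileges). A required privilege is
    granted only if its operation matches and its target matches an allowed
    glob pattern for the same operation; everything else is denied.
    """
    allowed = EXEC_ACL.get(principal, set())
    granted, denied = set(), set()
    for priv in required:
        op, target = priv.split(":", 1)
        for pattern in allowed:
            pop, ptarget = pattern.split(":", 1)
            if pop == op and fnmatch.fnmatchcase(target, ptarget):
                granted.add(pattern)
                break
        else:
            denied.add(priv)
    return granted, denied


def build_profile(principal, granted):
    """Step 3: emit a default-deny, Janus-style profile for the sandbox.

    The line syntax ("path allow read /x/*", "net allow connect host:port")
    is illustrative only and is not Janus's actual policy grammar.
    """
    lines = [f"# sandbox profile for {principal}", "default deny"]
    for pattern in sorted(granted):
        op, target = pattern.split(":", 1)
        kind = "net" if op == "connect" else "path"
        lines.append(f"{kind} allow {op} {target}")
    return "\n".join(lines) + "\n"


def prepare_remote_job(principal, trace):
    """Full flow: authorize the principal, compute least privilege, build profile.

    Raises PermissionError if the principal is not in the ACL, so a job from
    an unknown principal never reaches the profile-generation step.
    """
    if not is_authorized(principal):
        raise PermissionError(f"{principal} may not execute jobs on this node")
    required = required_privileges(trace)
    granted, denied = grant(principal, required)
    return build_profile(principal, granted), granted, denied


if __name__ == "__main__":
    profile, granted, denied = prepare_remote_job("alice@cs.berkeley.edu", LOCAL_TRACE)
    print(profile)
    # The denied access is simply absent from the profile: the job will fail
    # if it tries it, but the node is protected even though alice is authorized.
    print("denied:", sorted(denied))
```

Two points the sketch makes concrete: the profile is default-deny, so a privilege the job exercised locally but the principal may not transfer (the read of /etc/shadow above) is dropped rather than forwarded, and authorization and confinement are separate checks, so an unknown principal is rejected before any profile is built, while an authorized principal's buggy or malicious job is still bounded by the sandbox.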


Amin Vahdat
12/10/1997