Abstract
Discretionary Access Control (DAC) is the primary access control mechanism in today’s major operating systems. It is, however, vulnerable to Trojan Horse attacks and attacks exploiting buggy software. We propose to combine the discretionary policy in DAC with the dynamic information flow techniques in MAC, therefore achieving the best of both worlds, that is, the DAC’s easy-to-use discretionary policy specification and MAC’s defense against threats caused by Trojan Horses and buggy programs. We propose the Information Flow Enhanced Discretionary Access Control (IFEDAC) model that implements this design philosophy. We describe our design of IFEDAC, and discuss its relationship with the Usable Mandatory Integrity Protection (UMIP) model proposed earlier by us. In addition, we analyze their security property and their relationships with other protection systems. We also describe our implementations of IFEDAC in Linux and the evaluation results and deployment experiences of the systems.
- Badger, L., Sterne, D. F., Sherman, D. L., Walker, K. M., and Haghighat, S. A. 1995a. A domain and type enforcement UNIX prototype. In Proceedings of the USENIX Security Symposium. USENIX. Google ScholarDigital Library
- Badger, L., Sterne, D. F., Sherman, D. L., Walker, K. M., and Haghighat, S. A. 1995b. Practical domain and type enforcement for UNIX. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 66--77. Google ScholarDigital Library
- Bell, D. E. and LaPadula, L. J. 1976. Secure computer systems: Unified exposition and Multics interpretation. Tech. rep. ESD-TR-75-306, MITRE Corporation.Google Scholar
- Biba, K. J. 1977. Integrity considerations for secure computer systems. Tech. rep. MTR-3153, MITRE.Google Scholar
- Brumley, D. and Song, D. 2004. PrivTrans: Automatically partitioning programs for privilege separation. In Proceedings of the USENIX Security Symposium. Google ScholarDigital Library
- Chen, H., Dean, D., and Wagner, D. 2002. Setuid demystified. In Proceedings of the USENIX Security Symposium. 171--190. Google ScholarDigital Library
- Clark, D. D. and Wilson, D. R. 1987. A comparision of commercial and military computer security policies. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 184--194.Google Scholar
- Cowan, C., Beattie, S., Kroah-Hartman, G., Pu, C., Wagle, P., and Gligor, V. D. 2000. Subdomain: Parsimonious server security. In Proceedings of the 14th Conference on Systems Administration (LISA’00). USENIX, 355--368. Google ScholarDigital Library
- Denning, D. 1976. A lattice model of secure information flow. Comm. ACM 19, 5, 236--242. Google ScholarDigital Library
- DOD. 1985. Trusted computer system evaluation criteria. Department of Defense 5200.28-STD, Washington DC.Google Scholar
- Downs, D. D., Rub, J. R., Kung, K. C., and Jordan, C. S. 1985. Issues in discretionary access control. In Proceedings of IEEE Symposium on Research in Security and Privacy. IEEE Computer Society, Oakland, CA, 208--218.Google Scholar
- Ench, W., McDaniel, P., and Jaeger, T. 2008. Pinup: Pinning user files to known applications. In Proceedings of the 24th Annual Computer Security Applications Conference (ACSAC). IEEE Computer Society. Google ScholarDigital Library
- Fraser, T. 2000. LOMAC: Low water-mark integrity protection for COTS environments. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society. Google ScholarDigital Library
- Goguen, J. and Meseguer, J. 1982. Security policies and security models. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 11--20.Google Scholar
- Goldberg, I., Wagner, D., Thomas, R., and Brewer, E. A. 1996. A secure environment for untrusted helper applications: Confining the wily hacker. In Proceedings of the USENIX Security Symposium. USENIX, 1--13. Google ScholarDigital Library
- Hicks, B., Rueda, S., Jaeger, T., and McDaniel, P. 2007. From trusted to secure: Building and executing applications that enforce system security. In Proceedings of the USENIX Annual Technical Conference. USENIX. Google ScholarDigital Library
- Karger, P. A. 1988. Implementing commercial data integrity with secure capabilities. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society, 130--139. Google ScholarDigital Library
- Krohn, M. and Tromer, E. 2009. Noninterference for a practical DIFC-based operating system. In Proceedings of the 30th IEEE Symposium on Security and Privacy (SP’09). IEEE Computer Society, Washington, DC, 61--76. Google ScholarDigital Library
- Krohn, M., Yip, A., Brodsky, M., Cliffer, N., Kaashoek, M. F., Kohler, E., and Morris, R. 2007. Information flow control for standard OS abstractions. In Proceedings of the ACM Symposium on Operating Systems Principles (SOSP). ACM, New York, NY, 321--334. Google ScholarDigital Library
- Lee, T. M. P. 1988. Using mandatory integrity to enforce “commercial” security. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society, 140--146. Google ScholarDigital Library
- Li, N., Mao, Z., and Chen, H. 2007. Usable mandatory integrity protection for operating systems. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 164--178. Google ScholarDigital Library
- Loscocco, P. and Smalley, S. 2001a. Integrating flexible support for security policies into the Linux operating system. In Proceedings of the USENIX Annual Technical Conference (FREENIX track). USENIX, 29--42. Google ScholarDigital Library
- Loscocco, P. and Smalley, S. 2001b. Meeting critical security objectives with security-enhanced Linux. In Proceedings of the Ottawa Linux Symposium. USENIX.Google Scholar
- Mao, Z., Li, N., Chen, H., and Jiang, X. 2009. Trojan horse resistant discretionary access control. In Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT). ACM Press, 237--246. Google ScholarDigital Library
- Mcllroy, M. D. and Reeds, J. A. 1992. Multilevel security in the UNIX tradition. Softw. Pract. Exper. 22, 8, 673--694. Google ScholarDigital Library
- Microsoft.com. 2007. The advantages of running applications on Windows Vista. http://msdn2.microsoft.com/en-us/library/bb188739.aspx.Google Scholar
- Myers, A. C. 1999. JFlow: Practical mostly-static information-flow control. In Proceedings of the Symposium on Principles of Programming Languages. ACM. Google ScholarDigital Library
- Myers, A. C. and Liskov, B. 1997. A decentralized model for information flow control. In Proceedings of the 16th ACM Symposium on Operating System Principles. ACM Press. Google ScholarDigital Library
- Myers, A. C. and Liskov, B. 2000. Protecting privacy using the decentralized label model. ACM Trans. Softw. Engin. Methodol. 9, 4, 410--442. Google ScholarDigital Library
- NCSC. 1987. National computer security center: A guide to understanding discretionary access control in trusted systems. NCSC-TG-003.Google Scholar
- Newsome, J. and Song, D. 2005. Dynamic taint analysis: Automatic detection, analysis, and signature generation of exploit attacks on commodity software. In Proceedings of the Network and Distributed Systems Security Symposium. ACM.Google Scholar
- Provos, N. 2003. Improving host security with system call policies. In Proceedings of the USENIX Security Symposium. USENIX. 252--272. Google ScholarDigital Library
- Provos, N., Friedl, M., and Honeyman, P. 2003. Preventing privilege escalation. In Proceedings of the USENIX Security Symposium. USENIX, 231--242. Google ScholarDigital Library
- Saltzer, J. H. and Schroeder, M. D. 1975. The protection of information in computer systems. Proc. IEEE 63, 9, 1278--1308.Google ScholarCross Ref
- Shankar, U., Jaeger, T., and Sailer, R. 2006. Toward automated information-flow integrity verification for security-critical applications. In Proceedings of the ISOC Networked and Distributed Systems Security Symposium. ACM.Google Scholar
- Sun, W., Sekar, R., Liang, Z., and Venkatakrishnan, V. 2008. Expanding malware defenses by securing software installations. In Proceeding of the Conference on Detection and Intrusions and Malware & Vulnerability Accessment (DIMVA). Springer, Berlin, Germany. Google ScholarDigital Library
- Sun, W., Sekar, R., Poothia, G., and Karandikar, T. 2008. Practical proactive integrity preservation: A basis for malware defense. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society, 248--262. Google ScholarDigital Library
- Vandebogart, S., Efstathopoulos, P., Kohler, E., Krohn, M., Frey, C., Ziegler, D., Kaashoek, F., Morris, R., and Mazières, D. 2007. Labels and event processes in the Asbestos operating system. ACM Trans. Comput. Syst. 25, 4, 11. Google ScholarDigital Library
- Wichers, D. R., Cook, D. M., Olsson, R. A., Crossley, J., Kerchen, P., Levitt, K. N., and Lo, R. 1990. PACL’s: An access control list approach to anti-viral security. In Proceedings of the 13th National Computer Security Conference. National Computer Security Center, Washington, DC, 340--349.Google Scholar
- Wright, C., Cowan, C., Morris, J., Smalley, S., and Kroah-Hartman, G. 2002. Linux security modules: General security support for the Linux kernel. In Proceedings of the USENIX Security Symposium. USENIX, 17--31. Google ScholarDigital Library
- Xu, W., Bhatkar, S., and Sekar, R. 2006. Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks. In Proceedings of the USENIX Security Symposium. USENIX. Google ScholarDigital Library
- Zeldovich, N., Boyd-Wickizer, S., Kohler, E., and Mazires, D. 2006. Making information flow explicit in HiStar. In Proceedings of the USENIX Symposium on Operating Systems Design and Implementation (OSDI). USENIX. Google ScholarDigital Library
Index Terms
- Combining Discretionary Policy with Mandatory Information Flow in Operating Systems
Recommendations
Trojan horse resistant discretionary access control
SACMAT '09: Proceedings of the 14th ACM symposium on Access control models and technologiesModern operating systems primarily use Discretionary Access Control (DAC) to protect files and other operating system resources. DAC mechanisms are more user-friendly than Mandatory Access Control (MAC) systems, but are vulnerable to attacks that use ...
Configuring role-based access control to enforce mandatory and discretionary access control policies
Access control models have traditionally included mandatory access control (or lattice-based access control) and discretionary access control. Subsequently, role-based access control has been introduced, along with claims that its mechanisms are general ...
Practical Role-Based Access Control
This article presents access control from a general and a role-based perspective. The article's focus is role based Access Control from a practical vice a theoretical perspective. The article starts with some access control definitions and two secure ...
Comments