Improving multi-tier security using redundant authentication
Full text: PDF (499 KB)
Source
Conference on Computer and Communications Security archive
Proceedings of the 2007 ACM workshop on Computer security architecture
Fairfax, Virginia, USA
SESSION: Technical paper session 2: authorization and authentication
Pages: 54-62
Year of Publication: 2007
ISBN: 978-1-59593-890-9
Authors
Jodie P. Boyer  University of Illinois, Urbana, IL
Ragib Hasan  University of Illinois, Urbana, IL
Lars E. Olson  University of Illinois, Urbana, IL
Nikita Borisov  University of Illinois, Urbana, IL
Carl A. Gunter  University of Illinois, Urbana, IL
David Raila  University of Illinois, Urbana, IL
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 10,   Downloads (12 Months): 68,   Citation Count: 0
DOI: http://doi.acm.org/10.1145/1314466.1314475

ABSTRACT

Multi-tier web server systems are used in many important contexts and their security is a major cause of concern. Such systems can exploit strategies like least privilege to make lower tiers more secure in the presence of compromised higher tiers. In this paper, we investigate an extension of this technique in which higher tiers are required to provide evidence of the authentication of principals when they make requests of lower tiers. This concept, which we call redundant authentication, enables lower tiers to provide security guarantees that improve significantly over current least privilege strategies. We validate this technique by applying it to a practical Building Automation System (BAS) application, where we explore the use of redundant authentication in conjunction with an authentication proxy to enable interoperation with existing enterprise authentication services.
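The abstract describes the idea at the level of tiers and principals; the following is an added illustration, not code from the paper, of what "evidence of authentication" buys a lower tier. It assumes a simplified design in which an authentication service signs a short-lived assertion for each principal it authenticates (here with an HMAC key shared only between the authentication service and the data tier; the paper's own mechanism is not specified in the abstract), the web tier forwards that assertion with each request, and the data tier verifies it before consulting its own access-control list. A baseline web tier holding a single least-privilege service account is included for contrast: once that tier is compromised, everything the service account can do is exposed, whereas with redundant authentication a compromised web tier cannot act for a principal who has not actually authenticated. All keys, principals and permissions are constructed sample values.

```python
"""Redundant authentication between a web tier and a data tier (added example)."""
import hashlib
import hmac
import json
import time

# Assumption: shared only by the authentication service and the data tier.
# The web tier never holds it, so a compromised web tier cannot mint evidence.
AUTH_SERVICE_KEY = b"constructed-demo-key-do-not-use"

# Per-principal permissions enforced by the data tier (constructed sample,
# using building-automation style actions).
ACL = {
    "alice": {"read_sensor", "set_thermostat"},
    "bob": {"read_sensor"},
}

# Baseline for comparison: one service account for the whole web tier whose
# rights are the union of every user's rights. Least privilege bounds the set,
# but a compromised web tier can still exercise all of it.
SERVICE_ACCOUNT_RIGHTS = set().union(*ACL.values())


def legacy_request(action):
    """Baseline data tier: trusts the web tier's service account outright."""
    return f"ok: {action}" if action in SERVICE_ACCOUNT_RIGHTS else f"denied: {action}"


def issue_assertion(principal, ttl_seconds=300, now=None):
    """Authentication service: sign (principal, expiry) after authenticating the user."""
    now = time.time() if now is None else now
    claims = {"sub": principal, "exp": int(now + ttl_seconds)}
    body = json.dumps(claims, sort_keys=True)
    tag = hmac.new(AUTH_SERVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"claims": body, "tag": tag}


def verify_assertion(assertion, now=None):
    """Data tier: recompute the tag and check expiry; return the principal or None."""
    now = time.time() if now is None else now
    body = assertion["claims"].encode()
    expected = hmac.new(AUTH_SERVICE_KEY, body, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(expected, assertion["tag"]):
        return None
    claims = json.loads(body)
    if claims["exp"] < now:
        return None
    return claims["sub"]


def data_tier_request(assertion, action, now=None):
    """Data tier with redundant authentication: the request is honoured only
    for a principal whose evidence verifies and whose ACL entry permits it."""
    principal = verify_assertion(assertion, now)
    if principal is None:
        return "denied: no valid authentication evidence"
    if action not in ACL.get(principal, set()):
        return f"denied: {principal} may not {action}"
    return f"ok: {action} for {principal}"


def compromised_web_tier_request(action, now=None):
    """A taken-over web tier claims to act for 'alice' but holds no assertion
    from the authentication service, so it can only forge the tag."""
    forged = {
        "claims": json.dumps({"sub": "alice", "exp": 2**31}, sort_keys=True),
        "tag": "00" * 32,
    }
    return data_tier_request(forged, action, now)


if __name__ == "__main__":
    evidence = issue_assertion("alice")
    print(data_tier_request(evidence, "set_thermostat"))
    print(compromised_web_tier_request("set_thermostat"))
    print(legacy_request("set_thermostat"))
```

The data tier's decision depends on two independent checks: the evidence must verify against a key the web tier never sees, and the named principal must be authorized for the action. Expiry bounds how long a captured assertion stays useful; in a deployment the assertion would also be bound to the request or session rather than being freely replayable, which the paper's authentication-proxy discussion addresses and this sketch does not.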


