ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Working set-based access control for network file systems
Full text PdfPdf (705 KB)
Source
Symposium on Access Control Models and Technologies archive
Proceedings of the 14th ACM symposium on Access control models and technologies table of contents
Stresa, Italy
SESSION: Trust and access control in systems table of contents
Pages 207-216  
Year of Publication: 2009
ISBN:978-1-60558-537-6
Authors
Stephen Smaldone  Rutgers, The State University of New Jersey, Piscataway, NJ, USA
Vinod Ganapathy  Rutgers, The State University of New Jersey, Piscataway, NJ, USA
Liviu Iftode  Rutgers, The State University of New Jersey, Piscataway, NJ, USA
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 16,   Downloads (12 Months): 91,   Citation Count: 0
Additional Information:

abstract   references   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1542207.1542241
What is a DOI?

ABSTRACT

Securing access to files is an important and growing concern in corporate environments. Employees are increasingly accessing files from untrusted devices, including personal home computers and mobile devices, such as smart phones, which are not under the control of the corporation, and may be infected with viruses, worms, and other malware. In such cases, it is crucial to protect the confidentiality and integrity of corporate data from malicious accesses.

This paper proposes a novel scheme called Working Set-Based Access Control (WSBAC) to restrict network file system accesses from untrusted devices. The key idea is to continuously observe and extract working sets for users when they access files from trusted devices and use the working sets to restrict user file accesses from untrusted devices. This paper reports on the design and implementation of tools to automatically extract working sets, and transparently enforce WSBAC without requiring changes to the file system. Our experiments with realistic network file system traces lead us to conclude that WSBAC offers a flexible yet secure way to restrict access from untrusted devices, and that the runtime overheads of WSBAC enforcement are negligible.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Simple Distributed Security Infrastructure (SDSI) web page. http://groups.csail.mit.edu/cis/sdsi.html.
 
2
American Management Association. 2007 Electronic Monitoring and Surveillance Survey. AMA Press Release - http://press.amanet.org/press-releases/177/2007-electronic-monitoring--surveillance-survey/, February 2008.
 
3
A. Anderson. XACML Profile for Role Based Access Control (RBAC). OASIS Access Control TC Committee Draft, 1:13, 2004.
4
Andrea C. Arpaci-Dusseau , Remzi H. Arpaci-Dusseau, Information and control in gray-box systems, Proceedings of the eighteenth ACM symposium on Operating systems principles, October 21-24, 2001, Banff, Alberta, Canada
 
5
Rafae Bhatti , Elisa Bertino , Arif Ghafoor, A Trust-Based Context-Aware Access Control Model for Web-Services, Distributed and Parallel Databases, v.18 n.1, p.83-105, July 2005  [doi>10.1007/s10619-005-1075-7]
 
6
A. Bohra, S. Smaldone, and L. Iftode. FRAC: Role Based Access Control for Network File Systems. In NCA'07, 2007.
 
7
B. Callaghan , B. Pawlowski , P. Staubach, NFS Version 3 Protocol Specification, RFC Editor, 1995
 
8
Antonio Corradi , Rebecca Montanari , Daniela Tibaldi, Context-Based Access Control for Ubiquitous Service Provisioning, Proceedings of the 28th Annual International Computer Software and Applications Conference, p.444-451, September 28-30, 2004
 
9
Daniel Ellard , Jonathan Ledlie , Pia Malkani , Margo Seltzer, Passive NFS Tracing of Email and Research Workloads, Proceedings of the 2nd USENIX Conference on File and Storage Technologies, March 31-31, 2003, San Francisco, CA
 
10
C. Ellison, SPKI Requirements, RFC Editor, 1999
11
David F. Ferraiolo , Ravi Sandhu , Serban Gavrila , D. Richard Kuhn , Ramaswamy Chandramouli, Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.224-274, August 2001  [doi>10.1145/501978.501980]
 
12
K. Golnabi, R. K. Min, L. Khan, and E. Al-Shaer. Analysis of Firewall Policy Rules Using Data Mining Techniques. In NOMS'06, 2006.
13
John H. Howard , Michael L. Kazar , Sherri G. Menees , David A. Nichols , M. Satyanarayanan , Robert N. Sidebotham , Michael J. West, Scale and performance in a distributed file system, ACM Transactions on Computer Systems (TOCS), v.6 n.1, p.51-81, Feb. 1988  [doi>10.1145/35037.35059]
 
14
R. S. Inc. RSA SecurID Authenticators web page. http://www.rsasecurity.com.
 
15
International Committee for Information Technology. Role-based access control. ANSI/INCITS 359-2004, Feb. 2004.
 
16
T. Jaeger, D. King, K. Butler, S. Hallyn, J. Latten, and X. Zhang. Leveraging ipsec for mandatory per-packet access control. In SecureComm'06, 2006.
 
17
V. Kapsalis, L. Hadellis, D. Karelis, and S. Koubias. A Dynamic Context-Aware Access Control Architecture for e-Services. Computers and Security, 25(7), October 2006.
 
18
Minkyong Kim , Landon P. Cox , Brian Noble, Safety, Visibility, and Performance in a Wide-Area File System, Proceedings of the Conference on File and Storage Technologies, p.131-144, January 28-30, 2002
19
James J. Kistler , M. Satyanarayanan, Disconnected operation in the Coda File System, ACM Transactions on Computer Systems (TOCS), v.10 n.1, p.3-25, Feb. 1992  [doi>10.1145/146941.146942]
20
Martin Kuhlmann , Dalia Shohat , Gerhard Schimpf, Role mining - revealing business roles for security administration using data mining technology, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy  [doi>10.1145/775412.775435]
 
21
Evan Martin , Tao Xie, Inferring Access-Control Policy Properties via Machine Learning, Proceedings of the Seventh IEEE International Workshop on Policies for Distributed Systems and Networks, p.235-238, June 05-07, 2006  [doi>10.1109/POLICY.2006.19]
 
22
B. Petersen. Employee Monitoring: It's Not Paranoia You Really Are Being Watched! PC Magazine - http://www.pcmag.com/article2/0,1759,2308369,00.asp, May 2008.
 
23
Niels Provos, Improving host security with system call policies, Proceedings of the 12th conference on USENIX Security Symposium, p.18-18, August 04-08, 2003, Washington, DC
 
24
T. Pullar-Strecker. NZ bank Adds Security Online. http://www.smh.com.au, November 2004.
 
25
Ayda Saidane, Adaptive Context-Aware Access Control Policy in Ad-Hoc Networks, Proceedings of the Third International Conference on Autonomic and Autonomous Systems, p.13, June 19-25, 2007  [doi>10.1109/CONIELECOMP.2007.50]
26
Reiner Sailer , Trent Jaeger , Xiaolan Zhang , Leendert van Doorn, Attestation-based policy enforcement for remote access, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA  [doi>10.1145/1030083.1030125]
 
27
M. Schulman. LittleBrother is Watching You. Santa Clara University - http: //www.scu.edu/ethics/publications/iie/v9n2/brother.html.
 
28
Stephen Smaldone , Aniruddha Bohra , Liviu Iftode, FileWall: A Firewall for Network File Systems, Proceedings of the Third IEEE International Symposium on Dependable, Autonomic and Secure Computing, p.153-162, September 25-26, 2007  [doi>10.1109/DASC.2007.10]
 
29
B. T. Sniffen, D. R. Harris, and J. D. Ramsdell. Guided Policy Generation for Application Authors. Technical report, The MITRE Corporation, 2006.
30
Craig A. N. Soules , Gregory R. Ganger, Connections: using context to enhance file search, Proceedings of the twentieth ACM symposium on Operating systems principles, October 23-26, 2005, Brighton, United Kingdom
31
Mirjana Spasojevic , M. Satyanarayanan, An empirical study of a wide-area distributed file system, ACM Transactions on Computer Systems (TOCS), v.14 n.2, p.200-222, May 1996  [doi>10.1145/227695.227698]
 
32
Alok Tongaonkar , Niranjan Inamdar , R. Sekar, Inferring higher level policies from firewall rules, Proceedings of the 21st conference on Large Installation System Administration Conference, p.1-10, November 11-16, 2007, Dallas
 
33
A. Toninelli, R. Montanari, L. Kagal, and O. Lassila. A Semantic Context-Aware Access Control Framework for Secure Collaborations in Pervasive Computing Environments. In ISWC'06, 2006.
 
34
Shigetoshi Yokoyama , Eiji Kamioka , Shigeki Yamada, An Anonymous Context Aware Access Control Architecture For Ubiquitous Services, Proceedings of the 7th International Conference on Mobile Data Management, p.74, May 10-12, 2006  [doi>10.1109/MDM.2006.31]

INDEX TERMS

Primary Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection
          Subjects: Access controls

Additional Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.3 File Systems Management
          Subjects: Distributed file systems


General Terms:
Design, Experimentation, Security


Keywords:
access control, network file system

Collaborative Colleagues:
Stephen Smaldone: colleagues
Vinod Ganapathy: colleagues
Liviu Iftode: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player