Trojan horse resistant discretionary access control
Source
Symposium on Access Control Models and Technologies
Proceedings of the 14th ACM Symposium on Access Control Models and Technologies
Stresa, Italy
SESSION: Trust and access control in systems
Pages 237-246
Year of Publication: 2009
ISBN: 978-1-60558-537-6
Authors
Ziqing Mao, Purdue University, West Lafayette, IN, USA
Ninghui Li, Purdue University, West Lafayette, IN, USA
Hong Chen, Purdue University, West Lafayette, IN, USA
Xuxian Jiang, North Carolina State University, Raleigh, NC, USA
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM, New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 22,   Downloads (12 Months): 110,   Citation Count: 0
DOI: http://doi.acm.org/10.1145/1542207.1542244

ABSTRACT

Modern operating systems primarily use Discretionary Access Control (DAC) to protect files and other operating system resources. DAC mechanisms are more user-friendly than Mandatory Access Control (MAC) systems, but are vulnerable to attacks that use trojan horses or exploit buggy software. We show that it is possible to have the best of both worlds: DAC's easy-to-use discretionary policy and MAC's defense against trojan horses and buggy programs. This is made possible by a key new insight that DAC has weaknesses not because it uses the discretionary principle, but because existing DAC enforcement mechanisms assume that a single principal is responsible for any request, whereas in reality a request may be influenced by multiple principals; thus these mechanisms cannot correctly identify the true origin(s) of a request and fall prey to trojan horses. We propose to solve this problem by combining DAC's policy specification with new enforcement techniques that use ideas from MAC's information flow tracking. Our model, called Information Flow Enhanced DAC (IFEDAC), significantly strengthens end host security, while preserving to a large degree DAC's ease of use. In this paper, we present the IFEDAC model, analyze its security properties, and discuss our implementation for Linux.
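The following is an added toy model of the abstract's central point, not the authors' Linux implementation or their exact IFEDAC semantics. It keeps DAC's per-file access lists unchanged and only changes enforcement: a process carries the set of principals that may have influenced it (the user who launched it, the author of the executable, the authors of any files it reads), and under the "ifedac" mode a request is granted only if every one of those principals is authorised by the DAC policy. The principals, paths and the TRUSTED set are constructed for the illustration; treating "root" as a stand-in for the trusted system base is an assumption of this toy, made so that running system binaries does not restrict an ordinary user.

```python
from dataclasses import dataclass

# Assumption of this toy: "root" stands in for the trusted system base
# (administrator-installed software) and is authorised for everything.
TRUSTED = {"root"}


@dataclass
class File:
    path: str
    acl: dict          # unchanged DAC policy: principal -> set of "r"/"w"/"x"
    influencers: set   # principals whose data may have flowed into the file

    def dac_permits(self, principal, perm):
        return principal in TRUSTED or perm in self.acl.get(principal, set())


@dataclass
class Process:
    user: str          # the user who launched the program
    influencers: set   # every principal that may have influenced the process

    @classmethod
    def exec_(cls, user, exe):
        # The author of the executable can steer what the process does, so
        # the executable's influencers join the launching user in the label.
        return cls(user, {user} | exe.influencers)

    def check(self, f, perm, model):
        if model == "dac":
            # Classic DAC: the launching user alone is held responsible.
            return f.dac_permits(self.user, perm)
        if model == "ifedac":
            # Every principal that may have influenced the request must be
            # permitted by the same discretionary policy.
            return all(f.dac_permits(p, perm) for p in self.influencers)
        raise ValueError(f"unknown model {model!r}")

    def read(self, f, model):
        if not self.check(f, "r", model):
            return False
        # Input can steer the program: the file's influencers now influence us.
        self.influencers = self.influencers | f.influencers
        return True

    def write(self, f, model):
        if not self.check(f, "w", model):
            return False
        # Our output carries our influencers into the file.
        f.influencers = f.influencers | self.influencers
        return True


def run_scenario(model):
    """Constructed scenario: Mallory plants a world-executable helper and a
    world-readable note; Alice's processes then try to write her own .bashrc."""
    def bashrc():
        return File("/home/alice/.bashrc", {"alice": {"r", "w"}}, {"alice"})

    trojan = File("/tmp/helper", {"mallory": {"r", "w", "x"}, "alice": {"r", "x"}}, {"mallory"})
    editor = File("/usr/bin/vi", {"root": {"r", "w", "x"}, "alice": {"r", "x"}}, {"root"})
    note = File("/tmp/readme", {"mallory": {"r", "w"}, "alice": {"r"}}, {"mallory"})
    script = File("/home/alice/sync.sh", {"alice": {"r", "w", "x"}}, {"alice"})

    # 1. Alice runs Mallory's program, which tries to rewrite her .bashrc.
    p1 = Process.exec_("alice", trojan)
    trojan_write = p1.write(bashrc(), model)

    # 2. Alice runs a system editor and saves her own .bashrc.
    p2 = Process.exec_("alice", editor)
    legit_write = p2.write(bashrc(), model)

    # 3. Alice's own script reads a file Mallory wrote, then writes .bashrc.
    p3 = Process.exec_("alice", script)
    p3.read(note, model)
    tainted_write = p3.write(bashrc(), model)

    return {"trojan_write": trojan_write,
            "legit_write": legit_write,
            "tainted_write": tainted_write}


if __name__ == "__main__":
    for model in ("dac", "ifedac"):
        print(model, run_scenario(model))
```

Under "dac" all three writes succeed, because Alice is the only principal the enforcement mechanism considers and she owns the file. Under "ifedac" the legitimate edit still succeeds, while the trojan's write and the write by a process that consumed Mallory's input are both refused, since Mallory is in the process's influencer set and has no write permission on the file. No access list was edited to get this result; only the question of who is responsible for a request changed.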

