Abstract
Discretionary Access Control (DAC) is the primary access control mechanism in today's major operating systems. It is, however, vulnerable to Trojan Horse attacks and to attacks that exploit buggy software. We propose to combine the discretionary policy of DAC with the dynamic information flow techniques of MAC, thereby achieving the best of both worlds: DAC's easy-to-use discretionary policy specification and MAC's defense against the threats posed by Trojan Horses and buggy programs. We propose the Information Flow Enhanced Discretionary Access Control (IFEDAC) model, which implements this design philosophy. We describe our design of IFEDAC and discuss its relationship with the Usable Mandatory Integrity Protection (UMIP) model we proposed earlier. In addition, we analyze the security properties of both models and their relationships with other protection systems. We also describe our implementations of IFEDAC in Linux, together with the evaluation results and deployment experiences of the systems.
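The following toy model is an added illustration of the abstract's idea and is not code from the paper; the labelling rule it uses (a process carries the set of principals that may have influenced it, and a DAC operation succeeds only if every principal in that set holds the right) is a simplification I am assuming, not IFEDAC's exact rule set. It shows why a Trojan Horse downloaded by a user can overwrite that user's files under pure DAC but not once the process is tainted by the download's origin.

```python
# Toy model: DAC combined with dynamic information-flow labels.
# Assumed rule (a simplification, not the paper's exact semantics): a
# subject's label is the set of principals that may have influenced it;
# reading an object merges the object's label into the reader (low-watermark
# style), and a DAC right is granted only if EVERY principal in the label has it.

UNTRUSTED = "untrusted"   # stands for data of unknown origin, e.g. a download

class Obj:
    def __init__(self, owner, readers=(), writers=(), label=None):
        self.owner = owner
        self.readers = set(readers)                # DAC read ACL
        self.writers = set(writers)                # DAC write ACL
        self.label = set(label) if label else {owner}

class Proc:
    def __init__(self, user):
        self.user = user
        self.label = {user}                        # fresh process of `user`

def dac_allows(principal, obj, op):
    acl = obj.readers if op == "read" else obj.writers
    return principal == obj.owner or principal in acl

def pure_dac(proc, obj, op):
    # Classic DAC: only the invoking user's rights matter.
    return dac_allows(proc.user, obj, op)

def flow_enhanced(proc, obj, op):
    # Everyone who may have influenced the process must hold the right.
    return all(dac_allows(p, obj, op) for p in proc.label)

def read(proc, obj, check):
    if not check(proc, obj, "read"):
        return False
    proc.label |= obj.label                        # taint the reader
    return True

def write(proc, obj, check):
    if not check(proc, obj, "write"):
        return False
    obj.label |= proc.label                        # taint the object
    return True

def trojan_scenario(check):
    """Alice's process reads a downloaded file, then tries to overwrite her .bashrc."""
    download = Obj(owner=UNTRUSTED, readers={"alice"})   # constructed sample objects
    bashrc = Obj(owner="alice")
    p = Proc("alice")
    if not read(p, download, check):
        return None
    return write(p, bashrc, check)

def benign_scenario(check):
    """Alice's process reads only her own notes, then edits her .bashrc."""
    notes, bashrc, p = Obj(owner="alice"), Obj(owner="alice"), Proc("alice")
    return read(p, notes, check) and write(p, bashrc, check)
```

Under `pure_dac` the tainted process still overwrites the startup file; under `flow_enhanced` the write is denied while the benign workflow is unaffected.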
Combining Discretionary Policy with Mandatory Information Flow in Operating Systems