
Protection of Components Based on a Smart-Card Enhanced Security Module

  • Conference paper
Critical Information Infrastructures Security (CRITIS 2006)

Abstract

We present in this paper the use of a security mechanism to protect network security components such as firewalls and intrusion detection systems. Our approach consists of a kernel-based access control method which intercepts and cancels forbidden system calls launched by a potential remote attacker. This way, even if the attacker gains administrator privileges, she will not achieve her purpose. To address the administration constraints this approach introduces, we use a smart-card based authentication mechanism to ensure the administrator's identity. Through a cryptographic protocol, the protection mechanism verifies the administrator's actions before granting her the privileges indispensable to manipulate a component; otherwise, access control enforcement continues in its normal operation. We also give an overview of the implementation of this mechanism in a research prototype, developed for GNU/Linux systems, over the Linux Security Modules (LSM) framework.
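The abstract describes two cooperating pieces: a kernel-side hook that denies guarded operations on the protected components regardless of the caller's uid, and a smart-card challenge-response that temporarily lifts that denial for a verified administrator action. The following userland Python model illustrates that interplay; it is an added example, not code from the paper or its LSM prototype. The protected paths, the set of guarded operations, the 30-second window and the use of an HMAC shared with the module in place of a real card's private-key signature are all assumptions made to keep the example self-contained.

```python
import hashlib
import hmac
import secrets
import time

# Constructed policy (illustrative, not the paper's): resources that belong
# to the protected security components, and the operations on them that
# must not succeed without a card-verified administrator action.
PROTECTED_PATHS = {"/etc/firewall/rules.conf", "/var/lib/ids/signatures.db"}
GUARDED_OPS = {"write", "unlink", "rename", "chmod"}
SESSION_TTL = 30.0  # seconds a verified action stays authorised (assumption)


def _mac(key: bytes, nonce: bytes, op: str, path: str) -> bytes:
    """MAC binding the challenge to one concrete action on one resource."""
    msg = nonce + b"|" + op.encode() + b"|" + path.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class SmartCard:
    """Stand-in for the administrator's card. A real card would sign the
    challenge with a private key that never leaves it; HMAC over a key
    shared with the module is used here only to keep the example offline."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, nonce: bytes, op: str, path: str) -> bytes:
        return _mac(self._key, nonce, op, path)


class SecurityModule:
    """Userland model of the kernel-side access control: every guarded
    operation on a protected path passes through hook(), whose decision
    does not depend on the caller being root."""

    def __init__(self, card_key: bytes, clock=time.monotonic):
        self._key = card_key
        self._clock = clock
        self._pending = {}  # nonce -> (uid, op, path) awaiting a card response
        self._grants = {}   # (uid, op, path) -> expiry timestamp
        self.log = []

    def challenge(self, uid: int, op: str, path: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = (uid, op, path)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # pop() consumes the nonce, so a captured response cannot be replayed
        entry = self._pending.pop(nonce, None)
        if entry is None:
            self.log.append("auth: unknown or reused nonce")
            return False
        uid, op, path = entry
        if not hmac.compare_digest(_mac(self._key, nonce, op, path), response):
            self.log.append(f"auth: bad card response for uid {uid}")
            return False
        self._grants[(uid, op, path)] = self._clock() + SESSION_TTL
        return True

    def hook(self, uid: int, op: str, path: str) -> bool:
        """Return True to let the system call proceed, False to cancel it."""
        if path not in PROTECTED_PATHS or op not in GUARDED_OPS:
            return True  # ordinary kernel checks apply; nothing for us to do
        expiry = self._grants.get((uid, op, path))
        if expiry is not None and self._clock() < expiry:
            return True
        self._grants.pop((uid, op, path), None)
        self.log.append(f"denied {op} on {path} by uid {uid}")
        return False


def run_scenario() -> dict:
    """Walk through the cases the abstract describes, with a fake clock."""
    key = secrets.token_bytes(32)
    now = [1000.0]
    card = SmartCard(key)
    lsm = SecurityModule(key, clock=lambda: now[0])
    path = "/etc/firewall/rules.conf"
    results = {}
    # root without card authentication: the write is cancelled
    results["root_unauthenticated"] = lsm.hook(0, "write", path)
    # administrator answers the challenge with the card, then the write passes
    nonce = lsm.challenge(0, "write", path)
    resp = card.respond(nonce, "write", path)
    results["verified"] = lsm.verify(nonce, resp)
    results["root_authenticated"] = lsm.hook(0, "write", path)
    # a replayed response is rejected, and the grant covers only that action
    results["replay"] = lsm.verify(nonce, resp)
    results["other_op"] = lsm.hook(0, "unlink", path)
    # once the window closes, enforcement returns to normal operation
    now[0] += SESSION_TTL + 1
    results["after_expiry"] = lsm.hook(0, "write", path)
    # resources outside the protected set are untouched by the module
    results["unprotected"] = lsm.hook(1000, "write", "/home/user/notes.txt")
    return results


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name:20s} -> {'allowed' if allowed else 'denied'}")
```

Binding the MAC to the nonce, the operation and the path is the point of the design: a verified answer authorises one action on one resource for a short window, so a compromised root shell cannot reuse it for a different file or operation, and the nonce is consumed on first use so a recorded exchange is worthless.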



Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

García-Alfaro, J., Castillo, S., Castellà-Roca, J., Navarro, G., Borrell, J. (2006). Protection of Components Based on a Smart-Card Enhanced Security Module. In: Lopez, J. (eds) Critical Information Infrastructures Security. CRITIS 2006. Lecture Notes in Computer Science, vol 4347. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11962977_11


  • DOI: https://doi.org/10.1007/11962977_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-69083-2

  • Online ISBN: 978-3-540-69084-9
