
Enforcement of Integrated Security Policy in Trusted Operating Systems

  • Conference paper: Advances in Information and Computer Security (IWSEC 2007)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 4752)

Abstract

Current Trusted Operating System (TOS) research focuses mainly on enhancing the access control of reference monitors, which control the individual operations on a given access instance. However, many real-life runtime attacks involve behavioral semantics. It is therefore desirable to enforce an integrated security policy that covers both behavioral security and access control. We have proposed an extended reference monitor that supports both access control and behavior control; as a result, sequences of operations, and not only individual operations, become a concern of security enforcement. This paper presents the design of the extended reference monitor for integrated policy enforcement and describes its implementation in Linux operating systems.
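The two-stage decision the abstract describes, a per-operation access check followed by a behavior check over the process's operation history, can be sketched as a small security automaton. The following is an added illustration written for this page, not code from the paper or its Linux implementation; the role names, object types, operations and the two sample policies are constructed assumptions.

```python
"""Toy extended reference monitor combining access control and behavior control.

Added illustration, not code from the paper. The access and behavior policies
below are constructed sample policies; the role, object type and operation names
are assumptions chosen for the example.
"""
from dataclasses import dataclass, field

# Access-control policy: (subject role, object type) -> set of permitted operations.
# This is the per-operation check a conventional reference monitor performs.
ACCESS_POLICY = {
    ("webserver", "htdocs"): {"read"},
    ("webserver", "socket"): {"read", "write"},
    ("webserver", "setuid_bin"): {"exec"},
    ("admin", "htdocs"): {"read", "write"},
    ("admin", "setuid_bin"): {"exec"},
}

# Behavioral policy as a security automaton over each process's operation history.
# A process starts in "start"; once it has read from a socket it moves to "tainted",
# and in "tainted" an exec of a setuid binary is denied even though the access
# policy alone would permit it. Keys are (current state, object type, operation).
BEHAVIOR_POLICY = {
    "initial": "start",
    "transitions": {("start", "socket", "read"): "tainted"},
    "forbidden": {("tainted", "setuid_bin", "exec")},
}


@dataclass
class Process:
    """Subject tracked by the monitor, with its current automaton state."""
    pid: int
    role: str
    state: str = BEHAVIOR_POLICY["initial"]
    history: list = field(default_factory=list)


class ExtendedReferenceMonitor:
    def __init__(self, access_policy, behavior_policy):
        self.access_policy = access_policy
        self.behavior_policy = behavior_policy

    def check(self, proc, obj_type, op):
        """Decide one access request; returns (allowed, reason).

        Stage 1 is the conventional access check on the single operation.
        Stage 2 consults the behavior automaton using the process's history.
        The automaton state advances only for operations that are allowed,
        because a denied operation never takes place.
        """
        allowed_ops = self.access_policy.get((proc.role, obj_type), set())
        if op not in allowed_ops:
            return False, f"access: {proc.role} may not {op} {obj_type}"
        key = (proc.state, obj_type, op)
        if key in self.behavior_policy["forbidden"]:
            return False, f"behavior: {op} {obj_type} forbidden in state {proc.state!r}"
        proc.state = self.behavior_policy["transitions"].get(key, proc.state)
        proc.history.append((obj_type, op))
        return True, "allow"


def run_trace(role, trace, pid=1):
    """Run a sequence of (object type, operation) requests for one process."""
    monitor = ExtendedReferenceMonitor(ACCESS_POLICY, BEHAVIOR_POLICY)
    proc = Process(pid=pid, role=role)
    return [monitor.check(proc, obj_type, op) for obj_type, op in trace]


if __name__ == "__main__":
    # Constructed sample traces: the same two operations in different orders
    # produce different outcomes, which a per-operation check alone cannot express.
    for decision in run_trace("webserver", [("socket", "read"), ("setuid_bin", "exec")]):
        print(decision)
    for decision in run_trace("webserver", [("setuid_bin", "exec"), ("socket", "read")]):
        print(decision)
```

The point of the second stage is that the decision depends on order: `exec` of the setuid binary is allowed for the `webserver` role in isolation, but denied once the process's history has moved the automaton into `tainted`. Note also that an operation rejected at the access stage does not advance the automaton, since it never executed.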





Editor information

Atsuko Miyaji, Hiroaki Kikuchi, Kai Rannenberg


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kim, H.C., Ramakrishna, R.S., Shin, W., Sakurai, K. (2007). Enforcement of Integrated Security Policy in Trusted Operating Systems. In: Miyaji, A., Kikuchi, H., Rannenberg, K. (eds) Advances in Information and Computer Security. IWSEC 2007. Lecture Notes in Computer Science, vol 4752. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75651-4_15


  • DOI: https://doi.org/10.1007/978-3-540-75651-4_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-75650-7

  • Online ISBN: 978-3-540-75651-4
