Abstract
Current Trusted Operating System (TOS) research focuses mainly on the enhanced access control of reference monitors which, in turn, control the individual operations on a given access instance. However, many real-life runtime attacks involve behavioral semantics. It is desirable, therefore, to enforce an integrated security policy that includes both behavioral security and access control policies. We have proposed an extended reference monitor to support both access and behavior controls. As a result, the sequence of operations also becomes a concern of security enforcement. This paper presents the design of the extended reference monitor for integrated policy enforcement and describes its implementation in Linux operating systems.
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kim, H.C., Ramakrishna, R.S., Shin, W., Sakurai, K. (2007). Enforcement of Integrated Security Policy in Trusted Operating Systems. In: Miyaji, A., Kikuchi, H., Rannenberg, K. (eds) Advances in Information and Computer Security. IWSEC 2007. Lecture Notes in Computer Science, vol 4752. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75651-4_15
DOI: https://doi.org/10.1007/978-3-540-75651-4_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-75650-7
Online ISBN: 978-3-540-75651-4
eBook Packages: Computer Science (R0)