Abstract
Applications typically rely on the operating system to enforce access control policies such as MAC, DAC, or other policies. However, in the face of a compromised operating system, such protection mechanisms may be ineffective. Since security-sensitive applications are most motivated to maintain access control to their secret or sensitive information, and have no control over the operating system, it is desirable to provide mechanisms to enable applications to protect information with application-specific policies, in spite of a compromised operating system. In this paper, we enable application-level access control and information sharing with direct hardware support and protection, bypassing the dependency on the operating system. We analyze an originator-controlled information sharing policy (ORCON), where the content creator specifies who has access to the file created and maintains this control after the file has been distributed. We show that this policy can be enforced by the software-hardware mechanisms provided by the Secret Protection (SP) architecture, where a Trusted Software Module (TSM) is directly protected by SP’s hardware features. We develop a proof-of-concept text editor application which contains such a TSM. This TSM can implement many different policies, not just the originator-controlled policy that we have defined. We also propose a general methodology for trust-partitioning an application into security-critical and non-critical parts.
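The originator-controlled policy described in the abstract differs from DAC in one property: possession of a file never confers the right to delegate access, and copies stay under the originator's control. The Python below is an added illustration of that policy as a plain software reference monitor (a hypothetical `OrconStore`, not the paper's TSM or any SP hardware mechanism); it models only the access rules, not the tamper protection the paper obtains from hardware.

```python
from dataclasses import dataclass


class PolicyViolation(Exception):
    """Raised when a request is denied by the ORCON policy."""


@dataclass(frozen=True)
class Document:
    doc_id: str
    originator: str     # creator; the only principal allowed to change readers
    readers: frozenset  # access list chosen by the originator
    content: str


class OrconStore:
    """Hypothetical in-memory monitor enforcing originator-controlled access."""

    def __init__(self):
        self.docs = {}

    def create(self, originator, doc_id, content, readers):
        doc = Document(doc_id, originator, frozenset(readers) | {originator}, content)
        self.docs[doc_id] = doc
        return doc

    def read(self, principal, doc_id):
        doc = self.docs[doc_id]
        if principal not in doc.readers:
            raise PolicyViolation(f"{principal} may not read {doc_id}")
        return doc.content

    def grant(self, principal, doc_id, new_reader):
        doc = self.docs[doc_id]
        # Unlike DAC, a reader cannot delegate: only the originator extends the list.
        if principal != doc.originator:
            raise PolicyViolation(f"{principal} is not the originator of {doc_id}")
        self.docs[doc_id] = Document(doc_id, doc.originator,
                                     doc.readers | {new_reader}, doc.content)

    def copy(self, principal, doc_id, new_id):
        # A derived file inherits the originator and reader list of its source,
        # so the originator keeps control after the content has been distributed.
        content = self.read(principal, doc_id)
        src = self.docs[doc_id]
        doc = Document(new_id, src.originator, src.readers, content)
        self.docs[new_id] = doc
        return doc
```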
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Chen, YY., Lee, R.B. (2009). Hardware-Assisted Application-Level Access Control. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds) Information Security. ISC 2009. Lecture Notes in Computer Science, vol 5735. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04474-8_29
DOI: https://doi.org/10.1007/978-3-642-04474-8_29
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04473-1
Online ISBN: 978-3-642-04474-8