Abstract
Protection should fundamentally be flexible for devices roaming in Beyond 3G networks. In this federation of heterogeneous access networks, each sub-network comes with its own security requirements, policies, and protocols. Foundational element of device security, the embedded OS itself, should become adaptable to make it possible to tune its protection mechanisms to the current security context, notably to support multiple authorization policies. We show how flexibility can be applied to the kernel authorization architecture by adopting a component-based OS design, the component serving as single abstraction for reconfiguration and security. We present a policy-neutral access control architecture called CRACKER (Component-based Reconfigurable Access Control for KERnels) for component-based operating systems. CRACKER supports a wide range of authorization policies, and permits policy reconfiguration, in the same or in different security models. Specified in the Fractal component model, and implemented in the Think OS, CRACKER illustrates how flexible kernel authorization can be realized while maintaining acceptable system performance.
Similar content being viewed by others
References
Abrams M, Eggers K, La Padula L, Olson I (1990) A generalized framework for access control: an informal description. Proceedings of the National Computer Security Conference
Badger L, Sterne D, Sherman D, Walker K, Haghinghat S (1995) Practical domain and type enforcement for UNIX. Proceedings of the IEEE Symposium on Security and Privacy, pp 66–77
Bell D, La Padula L (1975) Secure computer system: unified exposition and Multics interpretation. Technical report no MTR-2997. MITRE Corporation, Bedford, MA
Bernaschi M, Gabrielli E, Mancini L (2002) REMUS: a security-enhanced operating system. ACM Trans Inf Syst Secur 5(1):36–61
Bershad B, Savage S, Pardyak P, Sirer E, Fiuczinski M, Becker D, Eggers S, Chambers C (1995) Extensibility, safety and performance in the SPIN operating system. Proceedings of the ACM Symposium on Operating System Principles (SOSP), pp 267–283
Bertino E, Catania B, Ferrari E, Perlasca P (2003) A logical framework for reasoning about access control models. ACM Trans Inf Syst Secur 6(1):71–127
Biba K (1977) Integrity considerations for secure computer systems. Technical Report no. MTR-3153. MITRE Corporation, Bedford, MA
Boebert W, Kain R (1985) A practical alternative to hierarchical integrity policies. Proceedings of the National Computer Security Conference, pp 18–27
Brewer D, Nash M (1989) The Chinese wall security policy. Proceedings of the IEEE Symposium on Security and Privacy, pp 206–214
Bruneton E, Coupaye T, Leclerc M, Quema V, Stefani J-B (2006) The Fractal component model and its support in Java. Software—practice and experience (SP&E). Special issue on Experiences with Auto-adaptive and Reconfigurable Systems 36(11–12):1257–1284
Chess D, Palmer C, White S (2003) Security in an autonomic computing environment. IBM Syst J 42(1):107–118
Claudel B, De Palma N, Lachaize R, Hagimont D (2006) Self-protection for distributed component-based applications. International Symposium on Stabilization, Safety, and Security of Distributed Systems, formerly Symposium on Self-stabilizing Systems (SSS), pp 184–198
Damiani M, Bertino E, Catania B, Perlasca P (2007) GEO-RBAC: a spatially-aware RBAC. ACM Trans Inf Syst Secur 10(1):3–42
David PC, Ledoux T (2005) WildCAT: a generic framework for context-aware applications. Proceedings of the International Workshop on Middleware for Pervasive and Ad-Hoc Computing (MPAC)
De Capitani Di Vimercati S, Samarati P, Jajodia S (2005) Policies, models, and languages for access control. Proceedings of the International Workshop on Databases in Networked Information Systems (DNIS), pp. 225–237
Dennis JB, Van Horn E (1966) Programming semantics for multi-programmed computations. Commun ACM 9(3):143–154
Edwards A, Jaeger T, Zhang X (2002) Runtime verification of authorization hook placement for the Linux security modules framework. Proceedings of the ACM Conference on Computer and Communications Security (CCS) pp 225–234
Engler D, Kaashoek M, O’Toole J (1995) Exokernel: an operating system architecture for application-level resource management. Proceedings of the ACM Symposium on Operating System Principles (SOSP) pp 251–266
Fassino J-P, Jarboui T, Lacoste M (2008) An access control system and method, a component-based kernel including it, and its use. US Patent Application no. 11,792,900
Fassino J-P, Stefani J-B, Lawall J, Muller G (2002) Think: a software framework for component-based operating system kernels. Proceedings of the USENIX Annual Technical Conference, pp 73–86
Ferraiolo D, Sandhu R, Gavrila S, Kuhn D, Chandramouli R (2001) Proposed NIST standard for role-based access control. ACM Trans Inf Syst Secur 4(3):224–274
Ganek A, Corbi T (2003) The dawning of the autonomic computing era. IBM Syst J 42(1):5–18
Georganopoulos N, Farnham T, Burgess R, Scholer T, Sessler J, Warr P, Golubicic Z, Platbrood F, Souville B, Buljore S (2004) Terminal-centric view of software reconfigurable system architecture and enabling components and technologies. IEEE Commun Mag 42(5):100–110
Gligor V, Gavrila S, Ferraiolo D (1998) On the formal definition of separation-of-duty policies and their composition. Proceedings of the IEEE Symposium on Security and Privacy, pp 172–183
Grimm R, Bershad B (2001) Separating access control policy enforcement and functionality in extensible systems. ACM Trans Comput Syst 19(1):36–70
Halfhill T (2003) ARM Dons Armor: TrustZone security extensions strengthen ARMv6 Architecture. Microprocessor Report, August 25th
Hardy N (1985) The KeyKOS architecture. Oper Syst Rev 19(4):8–25
Hewlett-Packard. Jena: a semantic web framework for Java. http://jena.sourceforge.net/
Jaeger T, Liedtke J, Islam N (1998) Operating system protection for fine-grained programs. Proceedings of the USENIX Security Symposium, pp 143–157
Jajodia S, Samarati P, Subrahmanian V (1997) A logical language for expressing authorizations. Proceedings of the IEEE Symposium on Security and Privacy, pp 31–42
Jajodia S, Samarati P, Sapino M, Subrahmanian V (2001) Flexible support for multiple access control policies. ACM Trans Database Syst 26(2):214–260
Jarboui T, Lacoste M, Wadier P (2006) A component-based policy-neutral authorization architecture. Actes de la 5ème Conférence Française sur les Systèmes d’Exploitation (CFSE)
Kim A, Luo J, Kang M (2005) Security ontology for annotating resources. Proceedings of the International Conference on Ontologies, Databases, and Application of Semantics (ODBASE)
Kon F, Campbell R, Mickunas M, Nahrstedt K, Ballesteros F (2000) 2K: A distributed operating system for dynamic heterogeneous environments. IEEE International Symposium on High Performance Distributed Computing (HPDC), pp 201–210
Krieger O, Auslander M, Rosenburg B, Wisniewski R, Xenidis J, Da Silva D, Ostrowski M, Appavoo J, Butrico M, Mergen M, Waterland A, Uhlig V (2006) K42: building a complete operating system. Proceedings of the EUROSYS 2006 Conference, Operating Systems Review 40(4):133–146
Krohn M, Efstathopoulos P, Frey C, Kaashoek F, Kohler E, Mazieres D, Morris R, Osborne M, Vandebogart S, Ziegler D (2005) Make least privilege a right (not a privilege). Proceedings of the Hot Topics in Operating Systems Symposium (HotOS)
Kuz T, Liu Y, Gorton I, Heiser G (2007) CAmkES: a component model for secure microkernel-based embedded systems. J Syst Softw 80(5):687–699
Lacoste M, Privat G, Ramparany F (2007) Evaluating confidence in context for context-aware security. Proceedings of the European Conference on Ambient Intelligence (AmI)
Levy H (1984) Capability-based computer systems. Digital Press, Bedford, MA
Liedtke J (1995) On micro-kernel construction. Proceedings of the ACM Symposium on Operating System Principles (SOSP)
Lin Z, Wang C, Mao B, Xie L (2005) A policy flexible architecture for secure operating systems. Oper Syst Rev 39(3):24–33
Loscocco P, Smalley S (2001) Integrating flexible support for security policies into the Linux operating system. Proceedings of the USENIX Annual Technical Conference, pp 29–42
Loscocco P, Smalley S, Muckelbauer P, Taylor R, Turner S, Farrell J (1998) The inevitability of failure: the flawed assumption of security in modern computing environments. Proceedings of the National Information Systems Security Conference, pp 303–314
Minear S (1995) Providing policy control over object operations in a Mach-based system. Proceedings of the USENIX Security Symposium, pp 141–156
MOTOROLA LABS. IST E2R II Project, http://e2r2.motlabs.com/
Ott A (2001) The rule set based access control (RSBAC) Linux kernel security extension. Proceedings of the International Linux Kongress
Park J, Sandhu R (2004) The UCON ABC usage control model. ACM Trans Inf Syst Secur 7(1):128–174
Polakovic J, Mazare S, Stefani J-B, David PC (2007) Experience with implementing safe reconfigurations in component-based embedded systems. Proceedings of the International ACM Symposium on Component-Based Software Engineering (CBSE), pp 240–255
Polakovic J, Ozcan AE, Stefani J-B (2006) Building reconfigurable component-based OS with Think. Proceedings of the EUROMICRO Conference on Software Engineering and Advanced Applications, pp 178–185
Rippert C, Stefani J-B (2002) Think: a secure distributed systems architecture. Proceedings of the ACM SIGOPS European Workshop
Rozier M, Abrossimov V, Armand F, Boule I, Gien M, Guillemont M, Hermann F, Kaiser C, Langlois S, Leonard P, Neuhauser W (1988) Chorus distributed operating system. Comput Syst 1(4):305–370
Saltzer J, Schroeder M (1975) The protection of information in computer systems. Proceedings of the IEEE 63(9):1278–1308
Saxena A, Lacoste M, Jarboui T, Lucking U, Steinke B (2007) A software framework for autonomic security in pervasive environments. Proceedings of the International Conference on Information Systems Security (ICISS)
Schroeder M, Saltzer J (1971) A hardware architecture for implementing protection rings. Proceedings of the ACM Symposium on Operating System Principles (SOSP)
Seltzer M, Endo Y, Small C, Smith K (1996) Dealing with disaster: surviving misbehaved kernel extensions. Proceedings of the USENIX Symposium on Operating Systems Design and Implementation (OSDI), pp 213–228
Shapiro J, Hardy N (2002) EROS: a principle-driven operating system from the ground up. IEEE Softw 19(1):26–33
Shapiro J, Smith J, Farber D (1999) EROS: a fast capability system. Proceedings of the ACM Symposium on Operating Systems Principles (SOSP), pp 170–185
Shapiro J, Weber S (2000) Verifying the EROS confinement mechanism. Proceedings of the IEEE Symposium on Security and Privacy, pp 166–176
Spencer R, Smalley S, Loscocco P, Hibler M, Andersen D, Lepreau J (1999) The Flask security architecture: system support for diverse security policies. Proceedings of the USENIX Security Symposium
Suh S (2007) Secure architecture and implementation of Xen on ARM for mobile devices. Xen Summit, April
Szyperski C (2002) Component software systems. Addison-Wesley, New York
Tanenbaum A, Mullender S, Van Renesse R (1986) Using sparse capabilities in a distributed operating system. Proceedings of the International Symposium on Distributed Computing Systems (ICDCS), pp 558–563
Trinpunitara M, Li N (2004) Comparing the expressive power of access control models. Proceedings of the ACM Conference on Computer and Communications Security (CCS), pp 62–71
Vandebogart S, Efstathopoulos P, Kohler E, Krohn M, Frey C, Ziegler D, Kaashoek F, Morris R, Mazieres D (2007) Labels and event processes in the Asbestos operating system. ACM Trans Comput Syst 25(4):11.1–11.43
Wallach D, Balfanz D, Dean S, Felten E (1997) Extensible security architectures for Java. Proceedings of the ACM Symposium on Operating Systems Principles (SOSP), pp 116–128
Watson R, Morrison W, Vance C, Feldman B (2003) The Trusted BSD MAC framework: extensible kernel access control for FreeBSD 5.0. Proceedings of the USENIX Annual Technical Conference, pp 285–296
Wright C, Cowan R, Smalley S, Morris J, Kroah-Hartman G (2002) Linux security modules: general security support for the Linux kernel. Proceedings of the USENIX Security Symposium
Zanin G, Mancini L (2004) Towards a formal model for security policies specification and validation in the SELinux System. Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), pp 136–145
Zeldovich N, Boyd-Wickizer S, Kohler E, Mazieres D (2006) Making information flow explicit in HiStar. Proceedings of the Symposium on Operating Systems Design and Implementation (OSDI)
Zeldovich N, Boyd-Wickizer S, Mazieres D (2008) Securing distributed systems with information flow control. Proceedings of the Symposium on Networked Systems Design and Implementation (NSDI)
Author information
Authors and Affiliations
Corresponding author
Additional information
This work was performed in project E2R II which has received research funding from the Community’s Sixth Framework program. This paper reflects only the authors’ views and the Community is not liable for any use that may be made of the information contained therein. The contributions of colleagues from the E2R II consortium are hereby acknowledged.
Rights and permissions
About this article
Cite this article
Lacoste, M., Jarboui, T. & He, R. A component-based policy-neutral architecture for kernel-level access control. Ann. Telecommun. 64, 121–146 (2009). https://doi.org/10.1007/s12243-008-0071-0
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12243-008-0071-0