DOI: 10.1145/1542207.1542244

Trojan horse resistant discretionary access control

Published: 03 June 2009

Abstract

Modern operating systems primarily use Discretionary Access Control (DAC) to protect files and other operating system resources. DAC mechanisms are more user-friendly than Mandatory Access Control (MAC) systems, but are vulnerable to attacks that use trojan horses or exploit buggy software. We show that it is possible to have the best of both worlds: DAC's easy-to-use discretionary policy and MAC's defense against trojan horses and buggy programs. This is made possible by a key new insight that DAC has weaknesses not because it uses the discretionary principle, but because existing DAC enforcement mechanisms assume that a single principal is responsible for any request, whereas in reality a request may be influenced by multiple principals; thus these mechanisms cannot correctly identify the true origin(s) of a request and fall prey to trojan horses. We propose to solve this problem by combining DAC's policy specification with new enforcement techniques that use ideas from MAC's information flow tracking. Our model, called Information Flow Enhanced DAC (IFEDAC), significantly strengthens end host security, while preserving to a large degree DAC's ease of use. In this paper, we present the IFEDAC model, analyze its security properties, and discuss our implementation for Linux.
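A toy model of the abstract's core argument, added here as an illustration and not code from the paper: a process carries the set of every principal whose code or data has flowed into it, and a write is granted only if every such principal holds DAC write permission, not just the invoking uid. IFEDAC's real label definitions and propagation rules are richer than this (it must handle root and trusted system software, among other things), so the principal-set tracking, the owner/other-only DAC check, and the alice/mallory scenarios below are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class File:
    owner: str
    mode: int                                   # Unix-style bits, e.g. 0o644
    writers: set = field(default_factory=set)   # principals whose data reached this file

def dac_allows(principal: str, f: File, op: str) -> bool:
    # Plain DAC on owner/other bits; groups and the root override are omitted (assumption).
    bit = {"read": 4, "write": 2}[op]
    shift = 6 if principal == f.owner else 0
    return bool((f.mode >> shift) & bit)

@dataclass
class Process:
    uid: str        # the single principal classic DAC attributes every request to
    origins: set    # every principal whose code or data has flowed into the process

def exec_program(uid: str, program: File) -> Process:
    # A new process is influenced by its invoker and by everyone who wrote its code.
    return Process(uid, {uid} | program.writers)

def read_file(p: Process, f: File) -> None:
    # Reading propagates the file's writers into the process's origin set.
    p.origins |= f.writers

def write_file(p: Process, f: File, ifedac: bool) -> bool:
    # Classic DAC asks only about p.uid; the flow-enhanced check asks about every origin.
    principals = p.origins if ifedac else {p.uid}
    if not all(dac_allows(q, f, "write") for q in principals):
        return False
    f.writers |= p.origins          # record the flow so later readers inherit it
    return True

def decisions(ifedac: bool) -> dict:
    # Constructed scenarios: alice's private .bashrc is the target in all three.
    bashrc = File("alice", 0o600, {"alice"})
    own_tool = File("alice", 0o700, {"alice"})        # program only alice has written
    trojan = File("mallory", 0o755, {"mallory"})      # "useful" program mallory shared
    shared = File("mallory", 0o666, {"mallory"})      # world-writable file mallory filled
    out = {}
    out["own tool"] = write_file(exec_program("alice", own_tool), bashrc, ifedac)
    out["trojan"] = write_file(exec_program("alice", trojan), bashrc, ifedac)
    p = exec_program("alice", own_tool)
    read_file(p, shared)                              # buggy-parser case: tainted input
    out["tainted input"] = write_file(p, bashrc, ifedac)
    return out
```

Under plain DAC all three writes succeed because the process runs as alice; with origin tracking, the trojan and tainted-input writes are refused because mallory is among the origins and has no write permission on the file, while alice's own tool still works.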


Published In

SACMAT '09: Proceedings of the 14th ACM symposium on Access control models and technologies
June 2009
258 pages
ISBN:9781605585376
DOI:10.1145/1542207
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. access control
  2. information flow
  3. operating system

Qualifiers

  • Research-article

Conference

SACMAT '09

Acceptance Rates

SACMAT '09 paper acceptance rate: 24 of 75 submissions (32%)
Overall acceptance rate: 177 of 597 submissions (30%)

Article Metrics

  • Downloads (last 12 months): 8
  • Downloads (last 6 weeks): 1
Reflects downloads up to 17 Feb 2025

Cited By

  • (2021) A Noninterference Model for Mobile OS Information Flow Control and Its Policy Verification. Security and Communication Networks, vol. 2021. DOI 10.1155/2021/2481818. Online publication date: 1 Jan 2021.
  • (2020) A Clark-Wilson and ANSI role-based access control model. Information & Computer Security, ahead-of-print. DOI 10.1108/ICS-08-2019-0100. Online publication date: 14 Jun 2020.
  • (2017) Preventing Unauthorized Data Flows. Data and Applications Security and Privacy XXXI, pp. 41-62. DOI 10.1007/978-3-319-61176-1_3. Online publication date: 22 Jun 2017.
  • (2012) Towards achieving scalability and interoperability in a triple-domain grid-based environment (3DGBE). 2012 Information Security for South Africa, pp. 1-10. DOI 10.1109/ISSA.2012.6320440. Online publication date: Aug 2012.
  • (2012) Foundations of Dynamic Access Control. Information Systems Security, pp. 44-58. DOI 10.1007/978-3-642-35130-3_4. Online publication date: 2012.
  • (2012) Tracking and constraining authorization provenance. Proceedings of the 25th international conference on Industrial Engineering and Other Applications of Applied Intelligent Systems: advanced research in applied artificial intelligence, pp. 669-678. DOI 10.1007/978-3-642-31087-4_68. Online publication date: 9 Jun 2012.
  • (2011) Private and Continual Release of Statistics. ACM Transactions on Information and System Security 14(3), pp. 1-24. DOI 10.1145/2043621.2043626. Online publication date: 1 Nov 2011.
  • (2011) Access Control Policy Translation, Verification, and Minimization within Heterogeneous Data Federations. ACM Transactions on Information and System Security 14(3), pp. 1-28. DOI 10.1145/2043621.2043625. Online publication date: 1 Nov 2011.
  • (2011) Combining Discretionary Policy with Mandatory Information Flow in Operating Systems. ACM Transactions on Information and System Security 14(3), pp. 1-27. DOI 10.1145/2043621.2043624. Online publication date: 1 Nov 2011.
  • (2011) SEAL. Proceedings of the 16th ACM symposium on Access control models and technologies, pp. 83-92. DOI 10.1145/1998441.1998454. Online publication date: 15 Jun 2011.
