Combining Discretionary Policy with Mandatory Information Flow in Operating Systems

Published: 01 November 2011

Abstract

Discretionary Access Control (DAC) is the primary access control mechanism in today's major operating systems. It is, however, vulnerable to Trojan Horse attacks and to attacks that exploit buggy software. We propose to combine the discretionary policy of DAC with the dynamic information flow techniques of MAC, thereby achieving the best of both worlds: DAC's easy-to-use discretionary policy specification and MAC's defense against the threats posed by Trojan Horses and buggy programs. We propose the Information Flow Enhanced Discretionary Access Control (IFEDAC) model, which implements this design philosophy. We describe our design of IFEDAC and discuss its relationship with the Usable Mandatory Integrity Protection (UMIP) model that we proposed earlier. In addition, we analyze the security properties of both models and their relationships with other protection systems. We also describe our implementations of IFEDAC in Linux, together with the evaluation results and deployment experiences of the systems.


Published In

ACM Transactions on Information and System Security, Volume 14, Issue 3
November 2011
133 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/2043621

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 01 November 2011
Accepted: 01 April 2011
Revised: 01 October 2010
Received: 01 February 2010
Published in TISSEC Volume 14, Issue 3

Author Tags

  1. Operating system
  2. discretionary access control
  3. information flow
  4. mandatory access control

Qualifiers

  • Research-article
  • Research
  • Refereed

Cited By

  • Using Bayesian Networks for Probabilistic Identification of Zero-Day Attack Paths. IEEE Transactions on Information Forensics and Security 13(10), 2506-2521, October 2018. DOI: 10.1109/TIFS.2018.2821095
  • Security importance assessment for system objects and malware detection. Computers and Security 68(C), 47-68, 1 July 2017. DOI: 10.1016/j.cose.2017.02.009
  • Preventing Unauthorized Data Flows. Data and Applications Security and Privacy XXXI, 41-62, 22 June 2017. DOI: 10.1007/978-3-319-61176-1_3
  • Provenance-based Integrity Protection for Windows. Proceedings of the 31st Annual Computer Security Applications Conference, 211-220, 7 December 2015. DOI: 10.1145/2818000.2818011
  • Probabilistic Inference on Integrity for Access Behavior Based Malware Detection. Proceedings of the 18th International Symposium on Research in Attacks, Intrusions, and Defenses, Volume 9404, 155-176, 2 November 2015. DOI: 10.1007/978-3-319-26362-5_8
  • Comprehensive integrity protection for desktop Linux. Proceedings of the 19th ACM Symposium on Access Control Models and Technologies, 89-92, 25 June 2014. DOI: 10.1145/2613087.2613112
  • Towards more usable information flow policies for contemporary operating systems. Proceedings of the 19th ACM Symposium on Access Control Models and Technologies, 75-84, 25 June 2014. DOI: 10.1145/2613087.2613110
  • Dynamic combination of authentication factors based on quantified risk and benefit. Security and Communication Networks 7(2), 385-396, 1 February 2014. DOI: 10.1002/sec.729
  • A portable user-level approach for system-wide integrity protection. Proceedings of the 29th Annual Computer Security Applications Conference, 219-228, 9 December 2013. DOI: 10.1145/2523649.2523655
  • Design of information flow in Collaborative-VMM. 2013 IEEE 4th International Conference on Software Engineering and Service Science, 124-129, May 2013. DOI: 10.1109/ICSESS.2013.6615270
