ABSTRACT
We present CMCAP (context-mapped capabilities), a decentralized mechanism for specifying and enforcing adaptive access control policies for resource-centric security. Policies in CMCAP express runtime constraints, defined as containment domains with context-mapped capabilities, and ephemeral sandboxes that dynamically enforce the desired information flow properties while preserving the functional correctness of the sandboxed programs. CMCAP is designed to remediate the weaknesses of DAC and to address the inflexibility that makes current MAC frameworks impractical for the common user. We use a Linux-based implementation of CMCAP to demonstrate how a program's dynamic profile is used for access control and intrusion prevention.
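The abstract describes three pieces: a containment domain whose capabilities are keyed by execution context, an ephemeral sandbox that holds only those capabilities while the context is live, and a dynamic profile from which the domain is derived. The following Python model, added here and not code from the CMCAP paper or its Linux implementation, illustrates how those pieces fit together in user space. Everything in it is an assumption made for illustration: the context labels ("init", "serve"), the resource names, the (resource, operation) shape of a capability, and the training trace and runtime requests are constructed, not taken from the paper.

```python
"""Toy model of CMCAP-style context-mapped capabilities and ephemeral sandboxes.

Constructed illustration, not CMCAP's implementation: the real system enforces
this in the Linux kernel. Here a 'context' is assumed to be a program-phase
label such as "init" or "serve", and a capability is a (resource, operation)
pair that is valid only within the context it is mapped to.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Cap = Tuple[str, str]          # (resource, operation)
Event = Tuple[str, str, str]   # (context, resource, operation)


class AccessDenied(Exception):
    """Raised when a request falls outside the sandbox's capability set."""


@dataclass
class ContainmentDomain:
    """Policy: each context label maps to the capabilities usable in that context."""
    caps_by_context: Dict[str, Set[Cap]] = field(default_factory=dict)

    def grant(self, context: str, resource: str, op: str) -> None:
        self.caps_by_context.setdefault(context, set()).add((resource, op))

    @classmethod
    def from_profile(cls, trace: Iterable[Event]) -> "ContainmentDomain":
        """Derive the domain from a program's observed dynamic profile.

        Every (context, resource, op) seen during a trusted training run becomes
        a context-mapped capability; nothing else is granted (default deny).
        """
        domain = cls()
        for ctx, res, op in trace:
            domain.grant(ctx, res, op)
        return domain


class EphemeralSandbox:
    """Holds only the capabilities for one context; everything is revoked on exit."""

    def __init__(self, domain: ContainmentDomain, context: str) -> None:
        self.context = context
        self.caps: FrozenSet[Cap] = frozenset(domain.caps_by_context.get(context, set()))
        self.active = False

    def __enter__(self) -> "EphemeralSandbox":
        self.active = True
        return self

    def __exit__(self, *exc) -> bool:
        self.active = False
        self.caps = frozenset()     # ephemeral: no capability outlives the context
        return False

    def access(self, resource: str, op: str) -> bool:
        """Allow the operation only while active and only if the cap is mapped here."""
        if not self.active or (resource, op) not in self.caps:
            raise AccessDenied(f"{self.context}: {op} on {resource} not permitted")
        return True


def enforce(domain: ContainmentDomain, requests: Iterable[Event]) -> List[Tuple[Event, str]]:
    """Run each request inside an ephemeral sandbox for its context; return decisions."""
    decisions: List[Tuple[Event, str]] = []
    for req in requests:
        ctx, res, op = req
        with EphemeralSandbox(domain, ctx) as sb:
            try:
                sb.access(res, op)
                decisions.append((req, "allow"))
            except AccessDenied:
                decisions.append((req, "deny"))
    return decisions


# Constructed training trace for a hypothetical server: it reads its config while
# initialising, then only serves one static file and accepts connections.
TRAINING_TRACE: List[Event] = [
    ("init", "/etc/app.conf", "read"),
    ("serve", "/var/www/index.html", "read"),
    ("serve", "socket:80", "accept"),
]

# Constructed runtime requests; the last two deviate from the learned profile.
RUNTIME_REQUESTS: List[Event] = [
    ("init", "/etc/app.conf", "read"),
    ("serve", "socket:80", "accept"),
    ("serve", "/var/www/index.html", "read"),
    ("serve", "/etc/app.conf", "read"),   # permitted file, but wrong context
    ("serve", "/etc/passwd", "read"),     # never seen in the profile
]


def run_demo() -> List[str]:
    """Return the allow/deny verdict for each runtime request, in order."""
    domain = ContainmentDomain.from_profile(TRAINING_TRACE)
    return [verdict for _, verdict in enforce(domain, RUNTIME_REQUESTS)]


if __name__ == "__main__":
    for req, verdict in zip(RUNTIME_REQUESTS, run_demo()):
        print(f"{verdict:5s} {req}")
```

The fourth request is the point of context mapping: the config file is readable, but only in the "init" context, so a server that starts re-reading it while serving is denied even though a plain DAC or path-based profile would allow it. The sandbox's capability set is emptied on exit, so a request issued outside the `with` block is denied regardless of the policy.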
CMCAP: Ephemeral Sandboxes for Adaptive Access Control