Chinese-wall process confinement for practical distributed coalitions

A distributed coalition supports distributed mandatory access control over resources whose security policies differ for each group of components across nodes, and provides secure information operations and exchanges with nodes that handle information over which conflicts of interest may arise. Many projects have built distributed coalitions on a virtual machine monitor, but this strong-confinement approach tends to hinder deployment in real-world scenarios that involve complicated application operation and management, because its access control is coarse-grained with respect to resources. In this paper we propose Chinese-Wall Process Confinement (CWPC), a practical application-level distributed coalition that provides fine-grained access control over resources and minimizes the impact on usability by using a program-transparent reference monitor. We implemented a prototype system named ALDC for standard Microsoft Windows office applications that are used daily for business purposes and may involve conflicts of interest, evaluated its performance and its influence on usability, and show that our approach is practical.
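The policy that a Chinese-Wall process confinement enforces is the Brewer-Nash model: a process that has read data from one company dataset may no longer read data from a competing dataset in the same conflict-of-interest class, and may only write where doing so cannot leak what it has already read. The following is an added example, not code from the paper or the ALDC prototype; the object labels, file paths and process ids are constructed, and the write rule is simplified to consider datasets the process has actually read rather than every dataset it could read.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    coi_class: str  # conflict-of-interest class, e.g. competing banks
    dataset: str    # company dataset inside that class


# Constructed labels; None marks sanitized/public data outside any conflict class.
OBJECT_LABELS = {
    r"C:\data\bank-a\ledger.xlsx": Label("banks", "bank-a"),
    r"C:\data\bank-b\forecast.xlsx": Label("banks", "bank-b"),
    r"C:\data\oil-x\contract.docx": Label("oil", "oil-x"),
    r"C:\public\template.docx": None,
}


class ChineseWallMonitor:
    """Per-process access history plus Brewer-Nash read and write decisions."""

    def __init__(self, labels):
        self.labels = labels
        self.history = {}  # pid -> set of non-public Labels already read

    def _label(self, path):
        if path not in self.labels:  # unlabelled object: fail closed
            raise PermissionError(f"unlabelled object: {path}")
        return self.labels[path]

    def check_read(self, pid, path):
        """Simple security rule: allow public data, data from a dataset the
        process already holds, or data from a class it has not touched."""
        label = self._label(path)
        if label is None:
            return True
        return not any(seen.coi_class == label.coi_class and seen.dataset != label.dataset
                       for seen in self.history.get(pid, set()))

    def read(self, pid, path):
        """Mediate a read and record the dataset on success."""
        if not self.check_read(pid, path):
            return False
        label = self._label(path)
        if label is not None:
            self.history.setdefault(pid, set()).add(label)
        return True

    def check_write(self, pid, path):
        """*-property (simplified): the target must be readable, and every
        non-public dataset the process has read must be the target's own."""
        label = self._label(path)
        if not self.check_read(pid, path):
            return False
        target = label.dataset if label else None
        return all(seen.dataset == target for seen in self.history.get(pid, set()))
```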
