Policy models to protect resource retrieval

Processes need a variety of resources from their operating environment in order to run properly, but adversary may control the inputs to resource retrieval or the end resource itself, leading to a variety of vulnerabilities. Conventional access control methods are not suitable to prevent such vulnerabilities because they use one set of permissions for all system call invocations. In this paper, we define a novel policy model for describing when resource retrievals are unsafe, so they can be blocked. This model highlights two contributions: (1) the explicit definition of adversary models as adversarial roles, which list the permissions that dictate whether one subject is an adversary of another, and (2) the application of data-flow to determine the adversary control of the names used to retrieve resources. An evaluation using multiple adversary models shows that data-flow is necessary to authorize resource retrieval in over 90% of system calls. By making adversary models and the adversary accessibility of all aspects of resource retrieval explicit, we can block resource access attacks system-wide.

[1]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[2]  K. J. Bma Integrity considerations for secure computer systems , 1977 .

[3]  Tomer Hertz,et al.  Portably Solving File TOCTTOU Races with Hardness Amplification , 2008, FAST.

[4]  Andrew C. Myers,et al.  A decentralized model for information flow control , 1997, SOSP.

[5]  Andrew Berman,et al.  TRON: Process-Specific File Protection for the UNIX Operating System , 1995, USENIX.

[6]  Trent Jaeger,et al.  Analyzing Integrity Protection in the SELinux Example Policy , 2003, USENIX Security Symposium.

[7]  Robert M. Marmorstein,et al.  A Tool for Automated iptables Firewall Analysis , 2005, USENIX Annual Technical Conference, FREENIX Track.

[8]  William S. McPhee Operating System Integrity in OS/VS2 , 1974, IBM Syst. J..

[9]  Steve J. Chapin,et al.  Detection of file-based race conditions , 2005, International Journal of Information Security.

[10]  Todd C. Miller,et al.  Security-Enhanced Darwin: Porting SELinux to Mac OS X , 2007 .

[11]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[12]  Jaehong Park,et al.  The UCONABC usage control model , 2004, TSEC.

[13]  David A. Wagner,et al.  Analyzing inter-application communication in Android , 2011, MobiSys '11.

[14]  Crispin Cowan,et al.  RaceGuard: Kernel Protection From Temporary File Race Vulnerabilities , 2001, USENIX Security Symposium.

[15]  Crispin Cowan,et al.  Linux security modules: general security support for the linux kernel , 2002, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[16]  Li Gong,et al.  Implementing Protection Domains in the JavaTM Development Kit 1.2 , 1998, NDSS.

[17]  Clark Weissman,et al.  Security controls in the ADEPT-50 time-sharing system , 1899, AFIPS '69 (Fall).

[18]  Ian Goldberg,et al.  A Secure Environment for Untrusted Helper Applications ( Confining the Wily Hacker ) , 1996 .

[19]  Alan J. Hu,et al.  Fixing Races for Fun and Profit: How to Use access(2) , 2004, USENIX Security Symposium.

[20]  Henry M. Levy,et al.  Capability-Based Computer Systems , 1984 .

[21]  Boniface Hicks,et al.  From Languages to Systems: Understanding Practical Application Development in Security-typed Languages , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[22]  Michael Howard,et al.  Measuring Relative Attack Surfaces , 2005 .

[23]  Robert N. M. Watson,et al.  Capsicum: Practical Capabilities for UNIX , 2010, USENIX Security Symposium.

[24]  Eddie Kohler,et al.  Making information flow explicit in HiStar , 2006, OSDI '06.

[25]  Trent Jaeger,et al.  Integrity walls: finding attack surfaces from mandatory access control policies , 2012, ASIACCS '12.

[26]  Andrew C. Myers,et al.  Protecting privacy using the decentralized label model , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[27]  James Newsome,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software , 2005, NDSS.

[28]  Benedict G. E. Wiedemann Protection? , 1998, Science.

[29]  Robert N. M. Watson,et al.  TrustedBSD: Adding Trusted Operating System Features to FreeBSD , 2001, USENIX Annual Technical Conference, FREENIX Track.

[30]  Anurag Acharya,et al.  MAPbox: Using Parameterized Behavior Classes to Confine Untrusted Applications , 2000, USENIX Security Symposium.

[31]  Trent Jaeger,et al.  From Trusted to Secure: Building and Executing Applications That Enforce System Security , 2007, USENIX Annual Technical Conference.

[32]  Norman Hardy,et al.  The Confused Deputy: (or why capabilities might have been invented) , 1988, OPSR.

[33]  Calton Pu,et al.  A Methodical Defense against TOCTTOU Attacks: The EDGI Approach , 2006 .

[34]  Trent Jaeger,et al.  Process firewalls: protecting processes during resource access , 2013, EuroSys '13.

[35]  Tal Garfinkel,et al.  Ostia: A Delegating Architecture for Secure System Call Interposition , 2004, NDSS.

[36]  Nikita Borisov,et al.  Fixing Races for Fun and Profit: How to Abuse atime , 2005, USENIX Security Symposium.

[37]  Jaehong Park,et al.  Towards usage control models: beyond traditional access control , 2002, SACMAT '02.

[38]  Eddie Kohler,et al.  Information flow control for standard OS abstractions , 2007, SOSP.

[39]  Arnab Ray,et al.  Preventing race condition attacks on file-systems , 2005, SAC '05.

[40]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[41]  Matt Bishop,et al.  Checking for Race Conditions in File Accesses , 1996, Comput. Syst..

[42]  Theodore A. Linden Operating System Structures to Support Security and Reliable Software , 1976, CSUR.

[43]  Timothy Fraser,et al.  LOMAC: Low Water-Mark integrity protection for COTS environments , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[44]  Andrew W. Appel,et al.  SAFKASI: a security mechanism for language-based systems , 2000, TSEM.

[45]  Jack B. Dennis,et al.  Programming semantics for multiprogrammed computations , 1966, CACM.

[46]  Paul V. Mockapetris,et al.  Domain names - implementation and specification , 1987, RFC.

[47]  G. F. G. O'Shea,et al.  Operating system integrity , 1991, Comput. Secur..

[48]  Jongwoon Park,et al.  RPS: An Extension of Reference Monitor to Prevent Race-Attacks , 2004, PCM.

[49]  Xiang Cai,et al.  Exploiting Unix File-System Races via Algorithmic Complexity Attacks , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[50]  Elisa Bertino,et al.  A generalized temporal role-based access control model , 2005, IEEE Transactions on Knowledge and Data Engineering.

[51]  Michael J. Nash,et al.  The Chinese Wall security policy , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[52]  Elisa Bertino,et al.  TRBAC , 2001, ACM Trans. Inf. Syst. Secur..

[53]  Heng Yin,et al.  Panorama: capturing system-wide information flow for malware detection and analysis , 2007, CCS '07.

[54]  David A. Wagner,et al.  A Secure Environment for Untrusted Helper Applications , 1996, USENIX Security Symposium.

[55]  Bhavani Thuraisingham Mandatory Access Control , 2009 .

[56]  Eugene Tsyrklevich,et al.  Dynamic Detection and Prevention of Race Conditions in File Accesses , 2003, USENIX Security Symposium.

[57]  Christopher Krügel,et al.  Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[58]  Shai Halevi,et al.  Where Do You Want to Go Today? Escalating Privileges by Pathname Manipulation , 2010, NDSS.