Improving real-world access control systems by identifying the true origins of a request

Access control is the traditional center of gravity of computer security. To make a correct access control decision, a critical step is to identify the origins of an access request: the principals who caused the request to be issued and the principals who affected its content. The origins are therefore responsible for the request, and the access control decision should be based on the permissions of the origins. In this dissertation, we examined two real-world access control systems, operating system access control and browser access control. Both are vulnerable to certain attacks because of their limitations in identifying the origins of a request: discretionary access control (DAC) in the operating system is vulnerable to Trojan horses and vulnerability exploits, while the same-origin policy (SOP) in the browser is vulnerable to a malicious proxy adversary against HTTPS and to cross-site request forgery (CSRF). We proposed enhancements to both systems that identify the true origins of a request, and we discussed the design details, the prototype implementations, and the experimental evaluations of those enhancements.
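The principle stated above, that a request is attributed to every principal that caused it or shaped its content and is permitted only if all of those principals hold the needed permission, can be made concrete in a small model. The following Python is an added illustration written for this page, not code or a policy format from the dissertation; the principal names, resources and the two scenarios (a Trojan horse under DAC and a CSRF request under the browser's cookie handling) are constructed assumptions.

```python
"""Toy model of origin-based access control.

A request carries the full set of principals responsible for it (the one that
issued it and every one that influenced its content).  The origin-based check
consults the policy once per origin and denies unless every origin is
permitted.  A naive DAC check, for contrast, consults only the identity the
request runs as.  Constructed illustration; names and policy are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    resource: str
    action: str
    # Every principal responsible for the request: the issuer plus anyone
    # who shaped its content.  frozenset so the dataclass stays hashable.
    origins: frozenset


# Policy maps a principal to the (resource, action) pairs it may perform.
Policy = dict[str, set[tuple[str, str]]]


def is_allowed(policy: Policy, req: Request) -> bool:
    """Conjunctive origin check: allow only if every origin is permitted."""
    if not req.origins:
        return False  # an unattributed request has nobody to hold responsible
    return all((req.resource, req.action) in policy.get(p, set())
               for p in req.origins)


def naive_dac_allowed(policy: Policy, req: Request, runs_as: str) -> bool:
    """Traditional DAC: only the identity the request executes as is checked."""
    return (req.resource, req.action) in policy.get(runs_as, set())


def demo() -> dict[str, tuple[bool, bool]]:
    """Return {scenario: (naive_dac_decision, origin_based_decision)}."""
    policy: Policy = {
        # OS side (assumed): alice may read and write her own SSH key.
        # Web side (assumed): alice, acting through the bank's own pages,
        # may submit a transfer.  The downloaded program and the attacker's
        # site hold no grants at all.
        "user:alice": {
            ("~alice/.ssh/id_rsa", "read"),
            ("~alice/.ssh/id_rsa", "write"),
            ("bank.example/transfer", "POST"),
        },
        "site:bank.example": {("bank.example/transfer", "POST")},
        "program:downloaded-screensaver": set(),
        "site:evil.example": set(),
    }

    # Trojan horse: alice executes an untrusted program that reads her key.
    # The process runs as alice, so DAC sees only alice; the program that
    # shaped the request is a second origin.
    trojan = Request("~alice/.ssh/id_rsa", "read",
                     frozenset({"user:alice", "program:downloaded-screensaver"}))

    # CSRF: a page served by evil.example makes the browser POST to the bank
    # with alice's cookies attached.  The browser presents it as alice, but
    # the attacker's site is an origin because it caused the request.
    csrf = Request("bank.example/transfer", "POST",
                   frozenset({"user:alice", "site:evil.example"}))

    # Legitimate transfer: issued from the bank's own page on alice's behalf.
    legit = Request("bank.example/transfer", "POST",
                    frozenset({"user:alice", "site:bank.example"}))

    return {
        "trojan": (naive_dac_allowed(policy, trojan, "user:alice"),
                   is_allowed(policy, trojan)),
        "csrf": (naive_dac_allowed(policy, csrf, "user:alice"),
                 is_allowed(policy, csrf)),
        "legit": (naive_dac_allowed(policy, legit, "user:alice"),
                  is_allowed(policy, legit)),
    }


if __name__ == "__main__":
    for name, (dac, origin_based) in demo().items():
        print(f"{name:7s} naive DAC={dac!s:5s} origin-based={origin_based}")
```

Both attacks succeed under the single-identity check and fail under the origin-based one, while the legitimate request passes both: the untrusted program and the attacker's site appear as origins precisely because they caused or shaped the request, and their empty permission sets veto the decision.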
