Protection of Components Based on a Smart-Card Enhanced Security Module

We present in this paper the use of a security mechanism to handle the protection of network security components, such as firewalls and intrusion detection systems. Our approach consists of a kernel-based access control method which intercepts and cancels forbidden system calls launched by a potential remote attacker. This way, even if the attacker gains administration permissions, she will not achieve her purpose. To solve the administration constraints of our approach, we use a smart-card based authentication mechanism to ensure the administrator's identity. Through the use of a cryptographic protocol, the protection mechanism verifies the administrator's actions before granting her the privileges indispensable to manipulate a component. Otherwise, access control enforcement continues in its normal operation. We also give an overview of the implementation of this mechanism on a research prototype, developed for GNU/Linux systems, over the Linux Security Modules (LSM) framework.
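The following is an added example, not code from the paper or its prototype: a user-space model of the kernel hook logic the abstract describes, written in the LSM convention (a hook returns 0 to let the system call proceed and -EPERM to cancel it). The protected component names, file paths, the `struct ptask` subject record and the `admin_session_set` routine are assumptions; the point it shows is that uid 0 alone never unlocks a protected component, only a session the smart-card protocol has verified does.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample policy: the security components and files to protect. */
static const char *protected_comm[]  = { "firewall", "ids-sensor" };
static const char *protected_paths[] = { "/etc/firewall/rules", "/etc/ids/signatures" };

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Subject state the hooks consult (hypothetical layout). The uid is carried
 * only to stress that it is ignored: being root grants nothing here, only a
 * session the smart-card challenge-response has verified sets admin_verified. */
struct ptask {
    const char *comm;
    uint32_t    uid;
    bool        admin_verified;
};

static bool in_list(const char *s, const char **list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(s, list[i]) == 0) return true;
    return false;
}

/* Called with the outcome of the cryptographic protocol; false returns the
 * subject to normal enforcement (the "otherwise" case in the abstract). */
void admin_session_set(struct ptask *t, bool verified) { t->admin_verified = verified; }

/* Hook for signal delivery: 0 allows, -EPERM cancels the system call. */
int protect_task_kill(const struct ptask *caller, const struct ptask *target, int sig) {
    if (sig == 0) return 0;                   /* kill(pid, 0) only probes existence */
    if (!in_list(target->comm, protected_comm, NELEM(protected_comm))) return 0;
    return caller->admin_verified ? 0 : -EPERM;   /* uid 0 is not enough */
}

/* Hook for writes to a component's configuration or signature files. */
int protect_file_write(const struct ptask *caller, const char *path) {
    if (!in_list(path, protected_paths, NELEM(protected_paths))) return 0;
    return caller->admin_verified ? 0 : -EPERM;
}

/* Scenario helper: a root shell tries to SIGKILL the firewall. */
int root_kill_firewall(bool verified) {
    struct ptask fw = { "firewall", 0, false };
    struct ptask sh = { "bash", 0, false };
    admin_session_set(&sh, verified);
    return protect_task_kill(&sh, &fw, 9);
}
```

A real module would register these as LSM hooks and keep the verified flag in per-task security state rather than in a plain struct.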
