论文信息 - BIFI: Architectural Support for Information Flow Integrity Measurement

BIFI: Architectural Support for Information Flow Integrity Measurement

Information flow security has been an important security requirement of existing operating systems, especially for distributed applications. We are interested in protecting information flow security with an eye to information flow integrity and trusted computing. Although people have studied these two aspects already, each alone is insufficient for system security. In this paper, we design an information flow integrity architecture called BIFI based on classical integrity model with trusted computing technology. Firstly, we define an extension to Biba integrity, called Biba-invoke, which has ameliorated the monotonic behavior of Biba. Secondly, in order to support our integrity model, modifications to the SELinux and kernel module of Linux is necessary. We prove that BIFI can protect information flow integrity with only a few changes to existing systems.

Dengguo Feng | Hao Hu

[1] K. J. Bma. Integrity considerations for secure computer systems , 1977 .

[2] Timothy Fraser,et al. LOMAC: Low Water-Mark integrity protection for COTS environments , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[3] Joshua D. Guttman,et al. Information Flow in Operating Systems: Eager Formal Methods , 2003 .

[4] Sean W. Smith. Outbound authentication for programmable secure coprocessors , 2004, International Journal of Information Security.

[5] Guilherme Ottoni,et al. RIFLE: An Architectural Framework for User-Centric Information-Flow Security , 2004, 37th International Symposium on Microarchitecture (MICRO-37'04).

[6] David D. Clark,et al. A Comparison of Commercial and Military Computer Security Policies , 1987, 1987 IEEE Symposium on Security and Privacy.

[7] Trent Jaeger,et al. Design and Implementation of a TCG-based Integrity Measurement Architecture , 2004, USENIX Security Symposium.

[8] Frederic T. Chong,et al. Minos: Architectural support for protecting control data , 2006, TACO.

[9] Dieter Gollmann,et al. Computer Security , 1979, Lecture Notes in Computer Science.

[10] Trent Jaeger,et al. Toward Automated Information-Flow Integrity Verification for Security-Critical Applications , 2006, NDSS.

[11] Trent Jaeger,et al. PRIMA: policy-reduced integrity measurement architecture , 2006, SACMAT '06.