Techniques for Automating Policy Specification for Application-oriented Access Controls

By managing the authority assigned to each application, rule-based application-oriented access controls can significantly mitigate the threats posed by malicious code, whether it arrives through software vulnerabilities or as malware. However, these policies are typically complex and difficult to develop. Learning modes can ease specification; however, they still require a high level of expertise to use correctly, and they are best suited to confining non-malicious software. This paper presents a novel approach to automating policy specification for rule-based application-oriented access controls. The functionality-based application confinement (FBAC) model provides reusable, parameterised abstractions. A number of straightforward yet effective techniques are presented that use these functionality-based abstractions to create application policies a priori, that is, without running programs before their policies are specified. These techniques automate the specification of policy details by analysing program dependencies, program management information, and file system contents.
