Evaluating the Use of Security Tags in Security Policy Enforcement Mechanisms

Security tagging schemes are known as promising mechanisms for providing security features in computer systems. Tags carry information about the tagged data throughout the system to be used in access control and other security mechanisms. This paper discusses several different uses of security tags related to different security policies, highlighting appropriate uses of the tags. The evaluation of the use of tags is presented in the summary of three security tagging application domains. One domain, using hardware-based tagging to prevent high-level attacks, was not found to be feasible. A project to use hardware-based tagging for OS security enhancement and a project that uses software-based tagging for multi-level secure document management were successful.
