Suspicious-Taint-Based Access Control for Protecting OS from Network Attacks

Today, security threats to operating systems largely come from the network. Traditional discretionary access control mechanisms alone can hardly defeat them. Although traditional mandatory access control models can effectively protect the security of an OS, they are incompatible with application software and complex to administer. In this paper, we propose a new model, Suspicious-Taint-Based Access Control (STBAC), that defeats network attacks while remaining compatible, simple, and maintaining good system performance. STBAC treats processes that use Non-Trustable-Communications as the starting points of suspicious taint, traces the activities of suspiciously tainted processes with taint rules, and uses protection rules to forbid suspiciously tainted processes from illegally accessing vital resources. Even when some privileged processes are subverted, STBAC can still protect vital resources from being compromised by the intruder. We implemented the model in the Linux kernel and evaluated it through experiments. The evaluation showed that STBAC protects vital resources effectively without significant impact on compatibility or performance.
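The following Python simulation is an added illustration of the three elements the abstract names (taint starting points, taint rules, protection rules); it is not code from the paper or from its Linux kernel implementation. The concrete rules it applies are assumptions chosen for the example: a process becomes a taint starting point when it receives from a peer outside an assumed trusted-host set, taint follows control flow (fork) and data flow (reading a file written by a tainted process), and the protection rule denies a tainted process write access to an assumed vital-resource set regardless of its uid. The hosts, paths and scenario are constructed.

```python
from dataclasses import dataclass


@dataclass
class Process:
    pid: int
    uid: int                 # 0 means privileged (root)
    tainted: bool = False    # suspicious-taint mark


@dataclass
class File:
    path: str
    tainted: bool = False    # set once a tainted process has written the file


class STBACMonitor:
    """Toy reference monitor applying assumed taint rules and protection rules."""

    def __init__(self, vital_paths, trusted_hosts):
        self.vital = set(vital_paths)            # resources the protection rule guards
        self.trusted_hosts = set(trusted_hosts)  # peers whose traffic is treated as trustable
        self.log = []

    def _taint(self, proc, why):
        if not proc.tainted:
            proc.tainted = True
            self.log.append(f"taint pid={proc.pid}: {why}")

    # ---- taint rules (assumed for this example) ----
    def recv(self, proc, peer_host):
        """Receiving from a non-trustable peer makes the process a taint start point."""
        if peer_host not in self.trusted_hosts:
            self._taint(proc, f"recv from non-trustable host {peer_host}")

    def fork(self, parent, child_pid):
        """Taint follows control flow: a child inherits its parent's mark."""
        child = Process(pid=child_pid, uid=parent.uid)
        if parent.tainted:
            self._taint(child, f"forked from tainted pid={parent.pid}")
        return child

    def read(self, proc, f):
        """Taint follows data flow: reading a tainted file taints the reader."""
        if f.tainted:
            self._taint(proc, f"read tainted file {f.path}")
        return True

    # ---- protection rule (assumed for this example) ----
    def write(self, proc, f):
        """Tainted processes may not write vital resources, whatever their uid."""
        if proc.tainted and f.path in self.vital:
            self.log.append(f"DENY pid={proc.pid} uid={proc.uid} write {f.path}")
            return False
        if proc.tainted:
            f.tainted = True   # a non-vital write is allowed but carries the mark onward
        return True


def run_scenario():
    """Constructed scenario: a privileged network daemon is subverted via the network."""
    mon = STBACMonitor(vital_paths={"/etc/passwd", "/boot/vmlinuz"},
                       trusted_hosts={"10.0.0.5"})
    daemon = Process(pid=100, uid=0)          # root daemon, initially clean
    admin = Process(pid=200, uid=0)           # root admin shell, never touches the network
    passwd = File("/etc/passwd")
    scratch = File("/tmp/scratch")
    results = {}

    results["admin_clean_write_vital"] = mon.write(admin, passwd)  # untainted root: allowed
    mon.recv(daemon, "10.0.0.5")              # trusted peer: no taint
    results["daemon_tainted_after_trusted"] = daemon.tainted
    mon.recv(daemon, "203.0.113.9")           # non-trustable peer: taint start point
    results["daemon_tainted_after_untrusted"] = daemon.tainted
    child = mon.fork(daemon, 101)             # child of the tainted daemon inherits the mark
    results["child_tainted"] = child.tainted
    results["child_write_vital"] = mon.write(child, passwd)        # denied despite uid 0
    mon.write(child, scratch)                 # allowed, but the file is now tainted
    helper = Process(pid=300, uid=1000)
    mon.read(helper, scratch)                 # data-flow taint reaches an unrelated process
    results["helper_tainted"] = helper.tainted
    results["helper_write_vital"] = mon.write(helper, File("/boot/vmlinuz"))
    results["admin_still_clean"] = admin.tainted
    return results, mon.log


if __name__ == "__main__":
    res, log = run_scenario()
    for key, value in res.items():
        print(f"{key}: {value}")
    print("\n".join(log))
```

The scenario shows the compatibility property the abstract claims: the untainted root shell keeps its ordinary discretionary access to /etc/passwd, while the same uid, once marked through the network daemon and its descendants, is confined by the protection rule.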
