Protecting users from "themselves"

Computer usage and threat models have changed drastically since the advent of access control systems in the 1960s. Instead of multiple users sharing a single file system, each user now has many devices, each with its own storage. A user's fear has thus shifted away from what other users on the same system might do to the threat of malice in the software they intentionally, or even inadvertently, run. As a result, we propose a new vision for access control: one where individual users are isolated by default and where the file access of each user's applications is carefully managed. A key question is how much user administration effort would be required if a system implementing this vision were constructed. In this paper, we outline our work on just such a system, called PinUP, which manages file access on a per-application basis for each user. We use historical data from our lab's users to explore how much user and system administration effort is required. Since administration is required for user sharing in PinUP, we find that sharing via mail and file repositories requires a modest amount of administrative effort: a system policy change every couple of days and a small number of user administrative operations a day. We are encouraged that practical administration on such a scale is possible given an appropriate and secure user approach.
