
Policy models to protect resource retrieval

Published: 25 June 2014

Abstract

Processes need a variety of resources from their operating environment in order to run properly, but an adversary may control the inputs to resource retrieval or the end resource itself, leading to a variety of vulnerabilities. Conventional access control methods are not suitable to prevent such vulnerabilities because they use one set of permissions for all system call invocations. In this paper, we define a novel policy model for describing when resource retrievals are unsafe, so that they can be blocked. This model highlights two contributions: (1) the explicit definition of adversary models as adversarial roles, which list the permissions that dictate whether one subject is an adversary of another, and (2) the application of data-flow to determine adversary control of the names used to retrieve resources. An evaluation using multiple adversary models shows that data-flow is necessary to authorize resource retrieval in over 90% of system calls. By making adversary models and the adversary accessibility of all aspects of resource retrieval explicit, we can block resource access attacks system-wide.
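The two ingredients the abstract names, an adversarial role and a data-flow check on the retrieved name, as a small added simulation (example code, not the paper's implementation). The subjects httpd, root and mallory, the paths and the permission strings are constructed, and the substring taint check stands in for a real data-flow analysis.

```python
class AdversaryRole:
    """A subject is an adversary of a victim on a resource when it is neither the
    victim nor trusted and holds one of the role's permissions on that resource."""
    def __init__(self, permissions, trusted=()):
        self.permissions, self.trusted = set(permissions), set(trusted)

class RetrievalPolicy:
    def __init__(self, role):
        self.role = role
        self.perms = {}    # (subject, resource) -> set of permission strings
        self.inputs = {}   # process -> [(value, channel)] data the process read
    def grant(self, subject, resource, *perms):
        self.perms.setdefault((subject, resource), set()).update(perms)
    def adversaries(self, victim, resource):
        skip = self.role.trusted | {victim}
        return sorted(s for (s, r), ps in self.perms.items()
                      if r == resource and s not in skip and ps & self.role.permissions)
    def read(self, process, channel, value):
        # Data-flow input: `process` read `value` from resource `channel`.
        self.inputs.setdefault(process, []).append((value, channel))

    def check(self, process, name):
        """Reasons the retrieval of `name` by `process` is unsafe; [] means allow."""
        reasons = []
        # (1) data-flow: the name is adversary-controlled if it incorporates data read
        #     from a channel an adversary can write (substring taint as a stand-in)
        for value, channel in self.inputs.get(process, []):
            adv = self.adversaries(process, channel)
            if adv and value in name:
                reasons.append(f"name derived from {channel}, writable by {adv}")
        # (2) every directory bound while resolving the name, and (3) the final
        #     resource, must not be controllable by an adversary
        parts = name.strip("/").split("/")
        for i in range(1, len(parts) + 1):
            prefix = "/" + "/".join(parts[:i])
            adv = self.adversaries(process, prefix)
            if adv:
                kind = "resource" if i == len(parts) else "directory"
                reasons.append(f"{kind} {prefix} controllable by {adv}")
        return reasons

def demo():
    # Constructed system for this added example (not the paper's): root trusted,
    # mallory an unprivileged local user who can write /tmp and the socket.
    p = RetrievalPolicy(AdversaryRole({"write"}, trusted={"root"}))
    p.grant("root", "/etc", "write"); p.grant("root", "/etc/passwd", "write")
    p.grant("mallory", "/tmp", "write"); p.grant("mallory", "/tmp/sock", "write")
    p.read("httpd", "/tmp/sock", "report.txt")
    return {n: p.check("httpd", n)
            for n in ("/etc/passwd", "/tmp/cache/x", "/var/www/report.txt")}
```

With the trusted set changed, the same retrievals are judged under a different adversary model, which is the point of making the role explicit.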


Published In

SACMAT '14: Proceedings of the 19th ACM symposium on Access control models and technologies
June 2014
234 pages
ISBN:9781450329392
DOI:10.1145/2613087

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. protection
  2. resource access attacks


Acceptance Rates

SACMAT '14 Paper Acceptance Rate 17 of 58 submissions, 29%;
Overall Acceptance Rate 177 of 597 submissions, 30%
