DOI: 10.1145/1133373.1133394
Article

Sub-operating systems: a new approach to application security

Published: 01 July 2002 Publication History

Abstract

Users regularly exchange apparently innocuous data files using email and ftp. While the users view these data as passive, there are situations in which they are interpreted as code by some system application. In that case the data become "active". Some examples of such data are Java, JavaScript and Microsoft Word attachments, each of which is executed within the security context of the user, allowing potentially arbitrary machine access. The structure of current operating systems and user applications makes solving this problem challenging. We propose a new protection mechanism to address active content, which applies fine-grained access controls at the level of individual data objects. All data objects arriving from remote sources are tagged with a non-removable identifier. This identifier, rather than the file owner's user ID, dictates the object's permissions and privileges. Since users possess many objects, the system allows far more precise access control policies to be enforced, and at a far finer granularity than previous designs.
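The following is an added toy model of the mechanism the abstract describes, written for this page and not the paper's own code: a remotely sourced object carries an origin tag that ordinary code cannot clear, and when that object becomes "active" the access decision is made on the tag's policy rather than on the owner's UID. The tag names, paths and UIDs are constructed sample values.

```python
from dataclasses import dataclass, FrozenInstanceError
from typing import Dict, Optional, Set, Tuple

# Model of per-object protection: tagged (remotely sourced) objects get the rights of
# their tag; untagged (local) objects fall back to the conventional owner check.


@dataclass(frozen=True)               # frozen: attribute assignment raises FrozenInstanceError
class DataObject:
    name: str
    owner_uid: int                    # conventional file owner
    origin: Optional[str]             # non-removable origin tag; None for local data


Policy = Dict[str, Set[Tuple[str, str]]]   # tag -> {(operation, resource-path prefix)}


class SubOS:
    def __init__(self, policy: Policy):
        self.policy = policy

    def tag_incoming(self, name: str, owner_uid: int, origin: str) -> DataObject:
        """Arrival path (mail, ftp, ...): the tag is fixed when the object is created."""
        return DataObject(name, owner_uid, origin)

    def permits(self, subject_uid: int, obj: DataObject, op: str, resource: str) -> bool:
        if obj.origin is None:                         # local data: classic owner check
            return subject_uid == obj.owner_uid
        # Tagged data: the owner's identity grants nothing; only the tag's rules apply.
        return any(op == rule_op and resource.startswith(prefix)
                   for rule_op, prefix in self.policy.get(obj.origin, set()))


def tag_is_removable(obj: DataObject) -> bool:
    """Models 'non-removable': an attempt to clear the tag is rejected."""
    try:
        obj.origin = None             # type: ignore[misc]
        return True
    except FrozenInstanceError:
        return False


def active_content_demo() -> Dict[str, bool]:
    # Constructed sample policy: mail attachments may read the mailbox and write a scratch dir.
    sub = SubOS({"mail:attachment": {("read", "/home/alice/Mail/"), ("write", "/tmp/mailscratch/")}})
    doc = sub.tag_incoming("report.doc", owner_uid=1000, origin="mail:attachment")
    local = DataObject("notes.txt", owner_uid=1000, origin=None)
    return {
        "macro_reads_ssh_key": sub.permits(1000, doc, "read", "/home/alice/.ssh/id_rsa"),
        "macro_writes_scratch": sub.permits(1000, doc, "write", "/tmp/mailscratch/out.txt"),
        "owner_reads_local": sub.permits(1000, local, "read", "/home/alice/notes.txt"),
        "other_reads_local": sub.permits(1001, local, "read", "/home/alice/notes.txt"),
        "tag_removable": tag_is_removable(doc),
    }
```

A real implementation enforces the tag in the kernel; the frozen dataclass only stands in for that non-bypassable enforcement.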


Published In

EW 10: Proceedings of the 10th workshop on ACM SIGOPS European workshop
July 2002
258 pages
ISBN:9781450378062
DOI:10.1145/1133373

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 July 2002

Qualifiers

  • Article

Acceptance Rates

Overall Acceptance Rate 37 of 37 submissions, 100%

Cited By

  • (2019) Site isolation. Proceedings of the 28th USENIX Conference on Security Symposium, pp. 1661-1678. DOI 10.5555/3361338.3361454. Online publication date: 14-Aug-2019.
  • (2015) Spyglass. Proceedings of the 29th USENIX Conference on Large Installation System Administration, pp. 37-48. DOI 10.5555/2907890.2907894. Online publication date: 8-Nov-2015.
  • (2013) Bringing Java's wild native world under control. ACM Transactions on Information and System Security 16(3), pp. 1-28. DOI 10.1145/2535505. Online publication date: 6-Dec-2013.
  • (2013) Content-based isolation. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 1167-1180. DOI 10.1145/2508859.2516722. Online publication date: 4-Nov-2013.
  • (2013) Preventing accidental data disclosure in modern operating systems. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 1029-1042. DOI 10.1145/2508859.2516677. Online publication date: 4-Nov-2013.
  • (2013) Practical automated vulnerability monitoring using program state invariants. Proceedings of the 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 1-12. DOI 10.1109/DSN.2013.6575318. Online publication date: 24-Jun-2013.
  • (2013) The state of the art of application restrictions and sandboxes. Computers and Security 32(C), pp. 219-241. DOI 10.1016/j.cose.2012.09.007. Online publication date: 1-Feb-2013.
  • (2011) Quire. Proceedings of the 20th USENIX Conference on Security, p. 23. DOI 10.5555/2028067.2028090. Online publication date: 8-Aug-2011.
  • (2011) Combining control-flow integrity and static analysis for efficient and validated data sandboxing. Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 29-40. DOI 10.1145/2046707.2046713. Online publication date: 17-Oct-2011.
  • (2010) Trust and protection in the Illinois browser operating system. Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, pp. 17-31. DOI 10.5555/1924943.1924945. Online publication date: 4-Oct-2010.