DOI: 10.1145/3322431.3325414
short-paper
Public Access

CMCAP: Ephemeral Sandboxes for Adaptive Access Control

Published: 28 May 2019

Abstract

We present CMCAP (context-mapped capabilities), a decentralized mechanism for specifying and enforcing adaptive access control policies for resource-centric security. Policies in CMCAP express runtime constraints defined as containment domains with context-mapped capabilities, and ephemeral sandboxes for dynamically enforcing desired information flow properties while preserving functional correctness for the sandboxed programs. CMCAP is designed to remediate DAC's weakness and address the inflexibility that makes current MAC frameworks impractical to the common user. We use a Linux-based implementation of CMCAP to demonstrate how a program's dynamic profile is used for access control and intrusion prevention.


      Published In

      SACMAT '19: Proceedings of the 24th ACM Symposium on Access Control Models and Technologies
      May 2019
      243 pages
      ISBN:9781450367530
      DOI:10.1145/3322431
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. adaptive access control
      2. ephemeral sandboxes
      3. information flow control
      4. intrusion prevention
      5. runtime containment

      Qualifiers

      • Short-paper

      Conference

      SACMAT '19
      Acceptance Rates

      SACMAT '19 Paper Acceptance Rate 12 of 52 submissions, 23%;
      Overall Acceptance Rate 177 of 597 submissions, 30%

      Bibliometrics & Citations

      Article Metrics

      • Total Citations: 0
      • Total Downloads: 363
      • Downloads (Last 12 months): 96
      • Downloads (Last 6 weeks): 31
      Reflects downloads up to 25 Dec 2024
