
Design and Implementation of an Extended Reference Monitor for Trusted Operating Systems

  • Conference paper
Information Security Practice and Experience (ISPEC 2006)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 3903)

Abstract

Conventional access control schemes support confidentiality and integrity by enforcing the organizational security policy required in operating systems. However, many runtime attacks on operating systems involve behavioral semantics: an attack should be seen as a sequence of access operations. Ironically, these attacks are legitimate under any access control policy, because security enforcement lacks a behavioral dimension. We propose an extended reference monitor that includes this dimension. Our method is based on specifying safety properties over system call sequences. The reference monitor checks the trace at runtime to control behavior in the Linux operating system.
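As an added illustration (not code from the paper), the following Python sketch shows what a behavioral reference monitor of this kind does: a safety property over system-call sequences is encoded as a security automaton, and each call is checked against the per-process trace seen so far, so a call that is allowed on its own is blocked when it completes a forbidden sequence. The Syscall and Transition types, the SENSITIVE prefix and the trace are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

@dataclass(frozen=True)
class Syscall:  # one system call as observed by the monitor (constructed event type)
    pid: int
    name: str
    args: Tuple[str, ...] = ()

@dataclass(frozen=True)
class Transition:  # fires when guard(event) holds, moving the automaton from src to dst
    src: str
    dst: str
    guard: Callable[[Syscall], bool]

class SafetyMonitor:
    """Per-process security automaton; entering a state in `bad` violates the property."""
    def __init__(self, start: str, bad: Set[str], transitions: List[Transition]) -> None:
        self.start, self.bad, self.transitions = start, bad, transitions
        self.state: Dict[int, str] = {}  # automaton state per pid

    def check(self, ev: Syscall) -> bool:
        """Return True to permit the call, False to block it (state is left unchanged)."""
        cur = self.state.get(ev.pid, self.start)
        nxt = next((t.dst for t in self.transitions if t.src == cur and t.guard(ev)), cur)
        if nxt in self.bad:
            return False  # this call would complete a forbidden sequence
        self.state[ev.pid] = nxt
        return True

# Hypothetical property: no network send after a process has opened a file under SENSITIVE.
SENSITIVE = "/secret/"
NO_SEND_AFTER_SECRET_READ = [
    Transition("clean", "tainted",
               lambda e: e.name == "open" and bool(e.args) and e.args[0].startswith(SENSITIVE)),
    Transition("tainted", "violation", lambda e: e.name in ("sendto", "sendmsg")),
]

def run_trace(trace: List[Syscall]) -> List[bool]:
    """Feed a trace through the monitor; return the per-call permit/block decisions."""
    mon = SafetyMonitor("clean", {"violation"}, NO_SEND_AFTER_SECRET_READ)
    return [mon.check(ev) for ev in trace]

# Constructed trace: each call alone passes a per-object ACL; the open/sendto sequence does not.
TRACE = [
    Syscall(101, "open", ("/tmp/app.log",)),
    Syscall(101, "sendto", ("10.0.0.5:443",)),  # permitted: nothing sensitive read yet
    Syscall(101, "open", ("/secret/keys",)),    # permitted on its own, but taints pid 101
    Syscall(101, "sendto", ("10.0.0.5:443",)),  # blocked: completes the forbidden sequence
    Syscall(202, "sendto", ("10.0.0.5:443",)),  # permitted: pid 202 has its own state
]
```

Because the property is a safety property, a violation is decided on a finite prefix of the trace, which is what lets the monitor block the offending call rather than only report it afterwards.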




Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kim, H.C., Shin, W., Ramakrishna, R.S., Sakurai, K. (2006). Design and Implementation of an Extended Reference Monitor for Trusted Operating Systems. In: Chen, K., Deng, R., Lai, X., Zhou, J. (eds) Information Security Practice and Experience. ISPEC 2006. Lecture Notes in Computer Science, vol 3903. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11689522_22


  • DOI: https://doi.org/10.1007/11689522_22

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-33052-3

  • Online ISBN: 978-3-540-33058-5
