Dynamic mandatory access control for multiple stakeholders

Vikhyath Rao, Trent Ray Jaeger

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

13 Citations (Scopus)

Abstract

In this paper, we present a mandatory access control system that uses input from multiple stakeholders to compose policies based on runtime information. In the emerging open cell phone system environment, many devices run software whose access permissions depend on multiple stakeholders, such as the device owner, the service provider, the application owner, etc., rather than a single system administrator. However, current access control administration remains as either discretionary, allowing the running and perhaps compromised process to administer permissions, or mandatory, requiring a system administrator to know all permissions for all possible legal runs. A key problem is that users may download arbitrary programs to their devices, requiring that the system contain such programs while allowing some reasonable functionality. However, such programs may need access to permissions that in combination with other conflicting permissions may lead to an attack, such as allowing voice-over-IP calls. In our approach, we use a "soft" sand-boxing mechanism to first contain such processes, request the stakeholder to authorize operations outside the sandbox that are not prohibited by policy, and maintain a runtime execution role for the process to identify its access state to the stakeholders. We define a proxy policy server that caches and combines stakeholder policies to make such access decisions. Our framework was implemented by modifying the SELinux module and using a remote proxy policy server, although a local proxy policy server is also possible. We incur a 0.288 μs performance overhead only when stakeholders need to be consulted, and new permissions are cached.
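To make the decision flow in the abstract concrete, here is a small Python model written for this page (not the paper's SELinux modification or its proxy server): a permission is allowed inside the soft sandbox, denied when some stakeholder prohibits it, and otherwise decided by consulting every stakeholder with the process's runtime execution role, with the result cached so later identical requests take the fast path. The permission names, the sandbox contents and the stakeholder rules are all constructed for illustration.

```python
# Illustrative model, constructed for this page and not the paper's SELinux code, of the
# abstract's flow: soft sandbox, prohibitions, role-keyed stakeholder consultation, cache.
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Perm = Tuple[str, str]       # (object class, operation), e.g. ("net", "connect")
Role = FrozenSet[Perm]       # runtime execution role: permissions exercised so far

@dataclass
class Stakeholder:
    name: str
    prohibited: Set[Perm]                     # never granted, no consultation needed
    authorize: Callable[[Perm, Role], bool]   # consulted for everything else

@dataclass
class ProxyPolicyServer:
    sandbox: Set[Perm]                        # allowed without asking anyone
    stakeholders: List[Stakeholder]
    cache: Dict[Tuple[Perm, Role], str] = field(default_factory=dict)
    consultations: int = 0                    # the slow path the paper measures

    def decide(self, perm: Perm, role: Role) -> str:
        if perm in self.sandbox:              # 1. inside the soft sandbox
            return "allow"
        if any(perm in s.prohibited for s in self.stakeholders):
            return "deny"                     # 2. prohibited by some stakeholder
        key = (perm, role)
        if key not in self.cache:             # 3. consult once, then cache
            self.consultations += 1
            ok = all(s.authorize(perm, role) for s in self.stakeholders)
            self.cache[key] = "allow" if ok else "deny"
        return self.cache[key]

def run_process(server: ProxyPolicyServer, requests: List[Perm]) -> List[str]:
    # Replay one process's requests; every allowed permission extends its role.
    role: Role = frozenset()
    log = []
    for perm in requests:
        decision = server.decide(perm, role)
        if decision == "allow":
            role = role | {perm}
        log.append(decision)
    return log

def build_demo_server() -> ProxyPolicyServer:
    owner = Stakeholder("device owner", {("sms", "send")}, lambda p, r: True)
    # Constructed provider rule for a "conflicting combination": no network once audio was captured.
    provider = Stakeholder("service provider", set(),
        lambda p, r: not (p == ("net", "connect") and ("audio", "capture") in r))
    return ProxyPolicyServer({("file", "read_own")}, [owner, provider])
```

Because the cache key includes the role, a decision made for one access state is never reused for a different one, which is what lets the provider's combination rule hold even after the process's role has grown.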

Original language: English (US)
Title of host publication: SACMAT'09 - Proceedings of the 14th ACM Symposium on Access Control Models and Technologies
Pages: 53-62
Number of pages: 10
DOIs: https://doi.org/10.1145/1542207.1542217
State: Published - Nov 30 2009
Event: 14th ACM Symposium on Access Control Models and Technologies, SACMAT 2009 - Stresa, Italy
Duration: Jun 3 2009 to Jun 5 2009

Publication series

Name: Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT

Other

Other: 14th ACM Symposium on Access Control Models and Technologies, SACMAT 2009
Country: Italy
City: Stresa
Period: 6/3/09 to 6/5/09

Fingerprint

Access control
Servers
Sand
Control systems

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
  • Information Systems

Cite this

Rao, V., & Jaeger, T. R. (2009). Dynamic mandatory access control for multiple stakeholders. In SACMAT'09 - Proceedings of the 14th ACM Symposium on Access Control Models and Technologies (pp. 53-62). (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT). https://doi.org/10.1145/1542207.1542217
Rao, Vikhyath ; Jaeger, Trent Ray. / Dynamic mandatory access control for multiple stakeholders. SACMAT'09 - Proceedings of the 14th ACM Symposium on Access Control Models and Technologies. 2009. pp. 53-62 (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT).
@inproceedings{d385afa8016d44f4b5fa9516ac13cb4e,
title = "Dynamic mandatory access control for multiple stakeholders",
abstract = "In this paper, we present a mandatory access control system that uses input from multiple stakeholders to compose policies based on runtime information. In the emerging open cell phone system environment, many devices run software whose access permissions depends on multiple stakeholders, such as the device owner, the service provider, the application owner, etc., rather than a single system administrator. However, current access control administration remains as either discretionary, allowing the running and perhaps compromised process to administer permissions, or mandatory, requiring a system administrator to know all permissions for all possible legal runs. A key problem is that users may download arbitrary programs to their devices, requiring that the system contain such programs while allowing some reasonable functionality. However, such programs may need access to permissions that in combination with other conflicting permissions may lead to an attack, such as allowing voice-over-IP calls. In our approach, we use a {"}soft{"} sand-boxing mechanism to first contain such processes, request the stakeholder to authorize operations outside the sandbox that are not prohibited by policy, and maintain a runtime execution role for the process to identify its access state to the stakeholders. We define a proxy policy server that caches and combines stakeholder policies to make such access decisions. Our framework was implemented by modifying the SELinux module and using a remote proxy policy server, although a local proxy policy server is also possible. We incur a 0.288 μs performance overhead only when stakeholders need to be consulted, and new permissions are cached.",
author = "Vikhyath Rao and Jaeger, {Trent Ray}",
year = "2009",
month = "11",
day = "30",
doi = "10.1145/1542207.1542217",
language = "English (US)",
isbn = "9781605585376",
series = "Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT",
pages = "53--62",
booktitle = "SACMAT'09 - Proceedings of the 14th ACM Symposium on Access Control Models and Technologies",
}

Rao, V & Jaeger, TR 2009, Dynamic mandatory access control for multiple stakeholders. in SACMAT'09 - Proceedings of the 14th ACM Symposium on Access Control Models and Technologies. Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT, pp. 53-62, 14th ACM Symposium on Access Control Models and Technologies, SACMAT 2009, Stresa, Italy, 6/3/09. https://doi.org/10.1145/1542207.1542217

Dynamic mandatory access control for multiple stakeholders. / Rao, Vikhyath; Jaeger, Trent Ray.

SACMAT'09 - Proceedings of the 14th ACM Symposium on Access Control Models and Technologies. 2009. p. 53-62 (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT).

TY - GEN

T1 - Dynamic mandatory access control for multiple stakeholders

AU - Rao, Vikhyath

AU - Jaeger, Trent Ray

PY - 2009/11/30

Y1 - 2009/11/30

N2 - In this paper, we present a mandatory access control system that uses input from multiple stakeholders to compose policies based on runtime information. In the emerging open cell phone system environment, many devices run software whose access permissions depends on multiple stakeholders, such as the device owner, the service provider, the application owner, etc., rather than a single system administrator. However, current access control administration remains as either discretionary, allowing the running and perhaps compromised process to administer permissions, or mandatory, requiring a system administrator to know all permissions for all possible legal runs. A key problem is that users may download arbitrary programs to their devices, requiring that the system contain such programs while allowing some reasonable functionality. However, such programs may need access to permissions that in combination with other conflicting permissions may lead to an attack, such as allowing voice-over-IP calls. In our approach, we use a "soft" sand-boxing mechanism to first contain such processes, request the stakeholder to authorize operations outside the sandbox that are not prohibited by policy, and maintain a runtime execution role for the process to identify its access state to the stakeholders. We define a proxy policy server that caches and combines stakeholder policies to make such access decisions. Our framework was implemented by modifying the SELinux module and using a remote proxy policy server, although a local proxy policy server is also possible. We incur a 0.288 μs performance overhead only when stakeholders need to be consulted, and new permissions are cached.

AB - In this paper, we present a mandatory access control system that uses input from multiple stakeholders to compose policies based on runtime information. In the emerging open cell phone system environment, many devices run software whose access permissions depends on multiple stakeholders, such as the device owner, the service provider, the application owner, etc., rather than a single system administrator. However, current access control administration remains as either discretionary, allowing the running and perhaps compromised process to administer permissions, or mandatory, requiring a system administrator to know all permissions for all possible legal runs. A key problem is that users may download arbitrary programs to their devices, requiring that the system contain such programs while allowing some reasonable functionality. However, such programs may need access to permissions that in combination with other conflicting permissions may lead to an attack, such as allowing voice-over-IP calls. In our approach, we use a "soft" sand-boxing mechanism to first contain such processes, request the stakeholder to authorize operations outside the sandbox that are not prohibited by policy, and maintain a runtime execution role for the process to identify its access state to the stakeholders. We define a proxy policy server that caches and combines stakeholder policies to make such access decisions. Our framework was implemented by modifying the SELinux module and using a remote proxy policy server, although a local proxy policy server is also possible. We incur a 0.288 μs performance overhead only when stakeholders need to be consulted, and new permissions are cached.

UR - http://www.scopus.com/inward/record.url?scp=70450237083&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=70450237083&partnerID=8YFLogxK

U2 - 10.1145/1542207.1542217

DO - 10.1145/1542207.1542217

M3 - Conference contribution

SN - 9781605585376

T3 - Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT

SP - 53

EP - 62

BT - SACMAT'09 - Proceedings of the 14th ACM Symposium on Access Control Models and Technologies

ER -

Rao V, Jaeger TR. Dynamic mandatory access control for multiple stakeholders. In SACMAT'09 - Proceedings of the 14th ACM Symposium on Access Control Models and Technologies. 2009. p. 53-62. (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT). https://doi.org/10.1145/1542207.1542217