23,883 research outputs found
Static Enforcement of Role-Based Access Control
We propose a new static approach to Role-Based Access Control (RBAC) policy
enforcement. The static approach we advocate includes a new design methodology,
for applications involving RBAC, which integrates the security requirements
into the system's architecture. We apply this new approach to policies
restricting calls to methods in Java applications. We present a language to
express RBAC policies on calls to methods in Java, a set of design patterns
which Java programs must adhere to for the policy to be enforced statically,
and a description of the checks made by our static verifier for static
enforcement. Comment: In Proceedings WWV 2014, arXiv:1409.229
KASR: A Reliable and Practical Approach to Attack Surface Reduction of Commodity OS Kernels
Commodity OS kernels have broad attack surfaces due to the large code base
and the numerous features such as device drivers. For a real-world use case
(e.g., an Apache Server), many kernel services are unused and only a small
amount of kernel code is used. Within the used code, a certain part is invoked
only at runtime while the rest are executed at startup and/or shutdown phases
in the kernel's lifetime run. In this paper, we propose a reliable and
practical system, named KASR, which transparently reduces attack surfaces of
commodity OS kernels at runtime without requiring their source code. The KASR
system, residing in a trusted hypervisor, achieves the attack surface reduction
through a two-step approach: (1) reliably depriving unused code of executable
permissions, and (2) transparently segmenting used code and selectively
activating them. We implement a prototype of KASR on Xen-4.8.2 hypervisor and
evaluate its security effectiveness on Linux kernel-4.4.0-87-generic. Our
evaluation shows that KASR reduces the kernel attack surface by 64% and trims
off 40% of CVE vulnerabilities. Besides, KASR successfully detects and blocks
all 6 real-world kernel rootkits. We measure its performance overhead with
three benchmark tools (i.e., SPECINT, httperf and bonnie++). The experimental
results indicate that KASR imposes less than 1% performance overhead (compared
to an unmodified Xen hypervisor) on all the benchmarks. Comment: The work has been accepted at the 21st International Symposium on
Research in Attacks, Intrusions, and Defenses 201
HardScope: Thwarting DOP with Hardware-assisted Run-time Scope Enforcement
Widespread use of memory unsafe programming languages (e.g., C and C++)
leaves many systems vulnerable to memory corruption attacks. A variety of
defenses have been proposed to mitigate attacks that exploit memory errors to
hijack the control flow of the code at run-time, e.g., (fine-grained)
randomization or Control Flow Integrity. However, recent work on data-oriented
programming (DOP) demonstrated highly expressive (Turing-complete) attacks,
even in the presence of these state-of-the-art defenses. Although multiple
real-world DOP attacks have been demonstrated, no efficient defenses are yet
available. We propose run-time scope enforcement (RSE), a novel approach
designed to efficiently mitigate all currently known DOP attacks by enforcing
compile-time memory safety constraints (e.g., variable visibility rules) at
run-time. We present HardScope, a proof-of-concept implementation of
hardware-assisted RSE for the new RISC-V open instruction set architecture. We
discuss our systematic empirical evaluation of HardScope which demonstrates
that it can mitigate all currently known DOP attacks, and has a real-world
performance overhead of 3.2% in embedded benchmarks
Alcohol, assault and licensed premises in inner-city areas
This report contains eight linked feasibility studies conducted in Cairns during 2010. These exploratory studies examine the complex challenges of compiling and sharing information about incidents of person-to-person violence in a late night entertainment precinct (LNEP). The challenges were methodological as well as logistical and ethical. The studies look at how information can be usefully shared, while preserving the confidentiality of those involved. They also examine how information can be compiled from routinely collected sources with little or no additional resources, and then shared by the agencies that are providing and using the information. Although the studies are linked, they are also stand-alone and so can be published in peer-reviewed literature. Some have already been published, or are ‘in press’ or have been submitted for review. Others require the NDLERF board’s permission to be published as they include data related more directly to policing, or they include information provided by police. The studies are incorporated into the document under section headings. In each section, they are introduced and then presented in their final draft form. The final published form of each paper, however, is likely to be different from the draft because of journal and reviewer requirements. The content, results and implications of each study are discussed in summaries included in each section.
Funded by the National Drug Law Enforcement Research Fund, an initiative of the National Drug Strategy.
Alan R Clough (PhD), School of Public Health, Tropical Medicine and Rehabilitation Sciences, James Cook University.
Charmaine S Hayes-Jonkers (BPsy, BSocSci (Hon1)), James Cook University, Cairns.
Edward S Pointing (BPsych), James Cook University, Cairns