
    Functionality-based application confinement: A parameterised and hierarchical approach to policy abstraction for rule-based application-oriented access controls

    Access controls are traditionally designed to protect resources from users, and consequently make access decisions based on the identity of the user, treating all processes as if they are acting on behalf of the user that runs them. However, this user-oriented approach is insufficient at protecting against contemporary threats, where security compromises are often due to applications running malicious code, either due to software vulnerabilities or malware. Application-oriented access controls can mitigate this threat by managing the authority of individual applications. Rule-based application-oriented access controls can restrict applications to only allow access to the specific finely-grained resources required for them to carry out their tasks, and thus can significantly limit the damage that can be caused by malicious code. Unfortunately existing application-oriented access controls have policy complexity and usability problems that have limited their use. This thesis proposes a new access control model, known as functionality-based application confinement (FBAC). The FBAC model has a number of unique features designed to overcome problems with previous approaches. Policy abstractions, known as functionalities, are used to assign authority to applications based on the features they provide. Functionalities authorise elaborate sets of finely grained privileges based on high-level security goals, and adapt to the needs of specific applications through parameterisation. FBAC is hierarchical, which enables it to provide layers of abstraction and encapsulation in policy. It also simultaneously enforces the security goals of both users and administrators by providing discretionary and mandatory controls. An LSM-based (Linux security module) prototype implementation, known as FBAC-LSM, was developed as a proof-of-concept and was used to evaluate the new model and associated techniques. 
The policy requirements of over one hundred applications were analysed, and policy abstractions and application policies were developed. Analysis showed that the FBAC model is capable of representing the privilege needs of applications. The model is also well suited to automation techniques that can in many cases create complete application policies a priori, that is, without first running the applications. This is an improvement over previous approaches that typically rely on learning modes to generate policies. A usability study was conducted, which showed that compared to two widely-deployed alternatives (SELinux and AppArmor), FBAC-LSM had significantly higher perceived usability and resulted in significantly more protective policies. Qualitative analysis was performed and gave further insight into the issues surrounding the usability of application-oriented access controls, and confirmed the success of the FBAC model.

    Protecting sensible data through arbitrary process isolation on Linux based operating system

    Advisors: Paulo Lício de Geus, André Ricardo Abed Grégio. Dissertation (master's) - Universidade Estadual de Campinas, Instituto de Computação. Resumo (translated from Portuguese): Many security problems in Linux systems stem from the way security is managed, delegating all security decisions to the owners of objects (e.g., files or memory pages). There are a number of security mechanisms that aim to close these gaps in Linux by restricting access to objects, even to their owners, or by replacing kernel code with a more secure version. Although these security mechanisms can prevent a large set of known attacks, they are not intended to prevent privacy leaks from special processes, mainly those that abuse the operating system's trust. This dissertation describes the creation of a Linux kernel module whose goal is to ensure that certain rules are applied to special processes, for which the trust assigned between processes by the operating system is not sufficient, and where violating such rules is not flagged as an attack or a MAC (Mandatory Access Control) conflict. To achieve this goal, control of some kernel subsystems was intercepted using syscall table hooking techniques and the LSM (Linux Security Modules) framework. A simple MAC system and supplementary behaviour for some system calls were also implemented, thus extending the functionality of other approaches (e.g., AppArmor, SELinux) and especially Grsecurity.
Abstract: Many issues in Linux arise from the way security is managed, by delegating security decisions to object owners (e.g., files or memory pages). Existing frameworks aim to remediate these issues by restricting access to kernel objects (files etc.), or by replacing the kernel code with a more secure version. Although those security frameworks may prevent a broad set of known attacks, they do not mitigate privacy leaks, mainly those that abuse the operating system trust base. This dissertation proposes a novel Linux kernel module to ensure that predefined rules are applied to sensitive processes for which the OS trust level is not enough, and where breaking those rules does not raise alerts or MAC (Mandatory Access Control) conflict warnings. To do so, the module takes control of a set of kernel subsystems, using hooking techniques and the LSM (Linux Security Module) framework. It also uses simple MAC rules with an alternative syscall behaviour, thus extending the functionality of other approaches (e.g., AppArmor, SELinux) and especially Grsecurity.
Master's; Computer Science; Master in Computer Science; 2013/119746-2, 2014/140688-2; CAPE

    The functionality-based application confinement model

    This paper presents the functionality-based application confinement (FBAC) access control model. FBAC is an application-oriented access control model, intended to restrict processes to the behaviour that is authorised by end users, administrators, and processes, in order to limit the damage that can be caused by malicious code, due to software vulnerabilities or malware. FBAC is unique in its ability to limit applications to finely grained access control rules based on high-level, easy-to-understand, reusable policy abstractions; its ability to simultaneously enforce application-oriented security goals of administrators, programs, and end users; its ability to perform dynamic activation and deactivation of logically grouped portions of a process's authority; its approach to process invocation history and intersection-based privilege propagation; its suitability to policy automation techniques; and the resulting usability benefits. Central to the model are 'functionalities', hierarchical and parameterised policy abstractions, which can represent features that applications provide; 'confinements', which can model simultaneous enforcement of multiple sets of policies to enforce a diverse range of types of application restrictions; and 'applications', which represent the processes to be confined. The paper defines the model in terms of structure (which is described in five components) and function, and serves as a culmination of our work thus far, reviewing the evaluation of the model that has been conducted to date.