TY - GEN
T1 - Policy models to protect resource retrieval
AU - Vijayakumar, Hayawardh
AU - Ge, Xinyang
AU - Jaeger, Trent
PY - 2014
Y1 - 2014
N2 - Processes need a variety of resources from their operating environment in order to run properly, but an adversary may control the inputs to resource retrieval or the end resource itself, leading to a variety of vulnerabilities. Conventional access control methods are not suited to preventing such vulnerabilities because they use one set of permissions for all system call invocations. In this paper, we define a novel policy model for describing when resource retrievals are unsafe, so that they can be blocked. This model highlights two contributions: (1) the explicit definition of adversary models as adversarial roles, which list the permissions that dictate whether one subject is an adversary of another, and (2) the application of data-flow to determine the adversary control of the names used to retrieve resources. An evaluation using multiple adversary models shows that data-flow is necessary to authorize resource retrieval in over 90% of system calls. By making adversary models and the adversary accessibility of all aspects of resource retrieval explicit, we can block resource access attacks system-wide.
AB - Processes need a variety of resources from their operating environment in order to run properly, but an adversary may control the inputs to resource retrieval or the end resource itself, leading to a variety of vulnerabilities. Conventional access control methods are not suited to preventing such vulnerabilities because they use one set of permissions for all system call invocations. In this paper, we define a novel policy model for describing when resource retrievals are unsafe, so that they can be blocked. This model highlights two contributions: (1) the explicit definition of adversary models as adversarial roles, which list the permissions that dictate whether one subject is an adversary of another, and (2) the application of data-flow to determine the adversary control of the names used to retrieve resources. An evaluation using multiple adversary models shows that data-flow is necessary to authorize resource retrieval in over 90% of system calls. By making adversary models and the adversary accessibility of all aspects of resource retrieval explicit, we can block resource access attacks system-wide.
UR - http://www.scopus.com/inward/record.url?scp=84904469079&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84904469079&partnerID=8YFLogxK
U2 - 10.1145/2613087.2613111
DO - 10.1145/2613087.2613111
M3 - Conference contribution
AN - SCOPUS:84904469079
SN - 9781450329392
T3 - Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT
SP - 211
EP - 222
BT - SACMAT 2014 - Proceedings of the 19th ACM Symposium on Access Control Models and Technologies
PB - Association for Computing Machinery
T2 - 19th ACM Symposium on Access Control Models and Technologies, SACMAT 2014
Y2 - 25 June 2014 through 27 June 2014
ER -
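The abstract above describes two ideas: adversary models expressed as adversarial roles (the permissions that make one subject an adversary of another) and data-flow tracking of the names a process hands to resource retrieval. The following is an added, illustrative model of those two checks, not the paper's own implementation. The permission triples, the trusted set, and the encoding of a role as a set of rights are assumptions made here for the example; the paper's actual definitions are not reproduced on this page.

```python
"""Illustrative model of the two ideas in the abstract: adversarial roles
(which permissions make one subject an adversary of another) and data-flow
tracking of the names used to retrieve resources.  Added example with
assumed definitions; it is not the paper's implementation."""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

# Constructed sample permission state: (subject, right, resource) triples.
PERMS = {
    ("root",    "write", "/etc"),
    ("root",    "write", "/etc/passwd"),
    ("alice",   "write", "/tmp"),
    ("mallory", "write", "/tmp"),
    ("mallory", "write", "/var/www/upload"),
    ("www",     "write", "/var/www/upload"),
}

# Assumption: every subject trusts the system TCB (root), so root's
# permissions never make it an adversary.
TRUSTED = {"root"}

# Adversarial roles as sets of rights (assumed encoding).  Under a role R,
# subject S is an adversary of victim V iff S is neither V nor trusted and
# S holds some right in R.  Two roles show that the decision depends on
# the chosen adversary model.
ROLE_INTEGRITY: Set[str] = {"write"}   # anyone who can write may tamper
ROLE_NONE: Set[str] = set()            # nobody is an adversary


@dataclass(frozen=True)
class Name:
    """A pathname together with the subjects whose data flowed into it."""
    path: str
    sources: FrozenSet[str]


def is_adversary(victim: str, subject: str, role: Set[str]) -> bool:
    if subject == victim or subject in TRUSTED:
        return False
    return any(s == subject and right in role for (s, right, _) in PERMS)


def controllers(victim: str, resource: str, role: Set[str]) -> Set[str]:
    """Adversaries of victim holding a role right on this exact resource."""
    return {s for (s, right, r) in PERMS
            if r == resource and right in role and is_adversary(victim, s, role)}


def prefixes(path: str) -> List[str]:
    """Every directory and the final component visited during resolution."""
    parts = [p for p in path.split("/") if p]
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def check_retrieval(caller: str, name: Name, role: Set[str]) -> Tuple[bool, str]:
    """Decide one retrieval (e.g. an open()) under the given adversary role.

    Check 1 (data-flow): block if any subject whose data shaped the name is
    an adversary of the caller.  Check 2 (resolution): block if an adversary
    controls any directory on the path or the end resource itself, which is
    where symlink, squat and untrusted-search-path attacks are mounted.
    """
    tainted = {s for s in name.sources if is_adversary(caller, s, role)}
    if tainted:
        return False, f"name derived from adversary input: {sorted(tainted)}"
    for prefix in prefixes(name.path):
        who = controllers(caller, prefix, role)
        if who:
            return False, f"adversary {sorted(who)} controls {prefix}"
    return True, "ok"


def demo() -> List[Tuple[str, bool, str]]:
    """Five constructed retrievals: the same open() can be safe or unsafe
    depending on who shaped the name and which adversary role is in force."""
    cases = [
        ("alice", Name("/etc/passwd", frozenset({"alice"})), ROLE_INTEGRITY),
        ("alice", Name("/tmp/alice.lock", frozenset({"alice"})), ROLE_INTEGRITY),
        ("www", Name("/var/www/upload/index.html", frozenset({"mallory"})), ROLE_INTEGRITY),
        ("www", Name("/var/www/upload/index.html", frozenset({"www"})), ROLE_INTEGRITY),
        ("alice", Name("/tmp/alice.lock", frozenset({"alice"})), ROLE_NONE),
    ]
    return [(caller, *check_retrieval(caller, name, role))
            for caller, name, role in cases]


if __name__ == "__main__":
    for caller, ok, why in demo():
        print(f"{caller:7s} {'ALLOW' if ok else 'BLOCK'}  {why}")
```

The second and fourth cases are blocked even though the name came from the caller itself: a conventional permission check on the final file would pass, but an untrusted subject can bind a different object at a directory on the path. The third case is blocked purely by data-flow, before any resolution happens, and the last case shows that switching the adversarial role changes the verdict for the same system call, which is the point of making the adversary model explicit rather than fixed.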