R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Andersen, and J. Lepreau, The Flask Security Architecture: System Support for Diverse Security Policies, in Proceedings of the Eighth USENIX Security Symposium, pp. 123139, August 1999. http://www.cs.utah.edu/flux/flask/.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....Linux provides a language for specifying Linux security policies that cover all aspects of the system, including process control, file management, and network communications. The SE Linux release includes an example policy specification. Policy enforcement uses the method in the Flask architecture [13], where a security This work is funded by DARPA. server makes policy decisions concerning whether to grant user requests to the operating system. To make decisions, the security server refers to an internal form of the policy compiled from the policy specification. Since the most convenient ....

R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Andersen, and J. Lepreau. The Flask security architecture: System support for diverse security policies. In Proc. of the Eighth USENIX Sec. Symp., pages 123--139, Aug. 1999.

....an operating system for em 8 bedding security mechanisms; the main drawback here is that the concept requires explicit labeling and cooperation in a networked environment; the DTE firewall concept is an all or nothing approach. The latter aspect is dealt with in an extension to the Flask Fluke [20] architecture [21] This mechanism also permits the use of a fine grained access control policy at the level of individual calls but requires the infrastructure from the Flask Fluke environment and is therefore di#cult to adapt to a COTS environment. The approach of clearly segregating policy and ....

Ray Spencer, Stephen Smalley, Peter Loscocco, Mike Hibler, David Andersen, and Jay Lepreau, "The Flask security architecture: System support for diverse security policies," in 8th USENIX Security Symposium, Washington, D.C., USA, Aug. 1999, USENIX, pp. 123--139.

.... or file system security have mainly been pur sued as implementations of entire operating environments with security as their focus [13] While this is desirable for a number of reasons, particularly a high degree of assurance that can be achieved with such an architecture such as the Flask Fluke [16] architecture, such an approach is limited in its immediate appeal since a migration of hosts and especially application programs to the new environment would be required. It is, however, imperative that security mechanims are implemented at the operating system level to be meaningful [5] In the ....

R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Andersen, and J. Lepreau. The Flask security architecture: System support for diverse security policies. In 8th USENIX Security Symposium, pages 123--139, Washington, D.C., USA, Aug. 1999. USENIX.

....The environment we examine in this paper is one of heterogeneous systems, multiple layers of security mechanisms, and great complexity; in that sense, it differs from research focused on single nodes, homogeneous nodes making up a distributed system, or single protocols. The Flask system [20] extends the idea of capabilities and access control lists with the more general notion of a security policy. Flask relies on a security server for policy decisions and on an object server for enforcement. Every object in the system has an associated security identifier. Requests coming from ....

R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Anderson, and J. Lepreau. The flask security architecture: System support for diverse security policies. In Proceedings of the USENIX Security Symposium, pages 123--139, Denver, CO, August 2000.

....create a simple system that also addresses policy generation, audit trails, intrusion detection, etc. The security architecture for the Flask microkernel emphasizes policy exibility and rejects the system call interception mechanism claiming inherent limitations that restrict policy exibility [31]. Instead, the Flask system assigns security identi ers to every object and employs a security server for policy decisions and an object server for policy enforcement. However, Flask does not consider application con nement and provides no support for auditing or intrusion detection. SubOS [22] ....

....systems based on system call interposition. 6. 1 Security Analysis To enforce security policies e ectively by system call interposition, we need to resolve the following challenges: incorrectly replicating OS semantics, resource aliasing, lack of atomicity, and side e ects of denying system calls [17, 31, 33]. We brie y explain their nature and discuss how we address them. The sandboxing tool needs to track operating system state in order to reach policy decisions. Systrace, for example, has to keep track of process uids and the lename of the program binary the monitored process is executing. In ....

Ray Spencer, Stephen Smalley, Peter Loscocco, Mike Hibler, David Andersen, and Jay Lepreau. The Flask Security Architecture: System Support for Diverse Security Policies. In Proceedings of the 8th Usenix Security Symposium, pages 123-139, August 1999.

....server domain up to a certain per call quota. These objects are not immediately available to the server domain, but are first checked by the security manager. When the security manager approves the call the normal portal invocation sequence proceeds. 3. 4 Making an access decision Spencer et al. [58] argue that basing an access decision only on the intercepted IPC between servers forces the security server to duplicate part of the object server s state or functionality. We found two examples of this problem. In UNIX like systems access to files in a file system is checked when the file is ....

....a different interface that simplifies the access decision. Approach (1) may be too late, especially in cases where the call modified the state of the server. Approach (2) is the most flexible solution. It is used in Flask with the intention of separating security policy and enforcement mechanism [58]. The main problem of this solution is, that it pollutes the server implementation with calls to the security manager. The Flask security architecture was implemented in SELinux [40] In SELinux, the list of permissions for file and directory objects have a nearly one to one correspondence to an ....

[Article contains additional citation context not shown here]

R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Anderson, and J. Lepreau. The Flask Security Architecture: System Support for Diverse Security Policies. In Proc. of the 8th USENIX Security Symposium , Aug. 1999.

....that are available for use by employees, could then be required to be controlled by a role based or RBAC [FCK95, SCFY96] policy. Most existing commercial technologies used to provide security to systems are restricted to a single policy model, rather than permitting a variety of models to be used [Spencer et al..99] For instance, Linux applies a DAC [NCSC87] policy, and it is difficult to implement RBAC policy (among others) in such a system. Further, if an organization decides to change from one policy model to another, it is quite likely that the new policy model will have to be implemented above the ....

Spencer R., Smalley S., Loscocco P., Hibler M., Andersen D., and Lepreau J., "The Flask Security Architecture: System Support for Diverse Security Policies", http://www.cs.utah.edu/fluz/flask, July 1999.

....component, and a multilevel security (MLS) component. It is hoped by NSA that open source software developers will accompany their software with policies that ensure that their applications meet appropriate security goals. To provide for policy enforcement in SE Linux, the Flask architecture [10] is superimposed upon the Linux kernel. In this architecture, a security server determines from the definition of a policy whether any given request by a process for a particular permission to a particular object may be granted. A policy described in the SE Linux policy language is compiled by a ....

....role of the security policy beyond determining access control decisions is to define the permissible transitions. Therefore, the state transitions in the state machine model must reflect both access control decisions and possible modifications to security contexts. In the Flask architecture (see [10]) transitions of the system are triggered by actions called user requests . These requests are made to the object manager , which consults the security server before handling them. It seems clear that the transitions in the state machine model must correspond to the user requests. However, the ....

R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Andersen, and J. Lepreau. The Flask security architecture: System support for diverse security policies. In Proc. of the Eighth USENIX Security Symposium, pages 123--139, Aug. 1999.

....more complex than traditional systems since security functions are distributed throughout the system. Only those distributed systems that support exible and manageable security policies can meet real world needs. However, existing systems claiming to provide this support have failed in two ways[29]: they either lack su cient control over the propagation of the access rights, or they fail to provide enforcement mechanisms to support ne grained control and dynamic security policies. This thesis attempts to address these problems in software structure e ectively and transparently. We use the ....

....occurs. However, permissions in the Active Capability or new Active Capability are changed infrequently, as in daily system administration. The frequency of policy changes is obviously policy dependent, but the usual examples of policy changes are externally driven and therefore will be infrequent[29]. Moreover, performance loss in a system with frequent policy changes should not be unexpected as it is fundamentally a new feature provided by the system. We designed the Cache as a hash table. The addition of the Cache alone is su cient to amortize the measurable impact of the permission checks. ....

[Article contains additional citation context not shown here]

Ray Spencer, Stephen Smalley, Peter Loscocco, Mike hibler, David Anderson, Jay Lepreau, The Flask Security Architecture: System Support for Diverse Security Policies Univ. of Utah Technical Report UUCS-98-014, August, 1998.

No context found.

Ray Spencer, Stephen Smalley, Peter Loscocco, Mike Hibler, David Andersen, and Jay Lepreau. The Flask security architecture: System support for diverse security policies. In Proceedings of the Eighth USENIX Security Symposium, Washington, DC, August 1999.

.... has been wellunderstood for over thirty years, yet the access control mechanisms of existing mainstream operating systems are still inadequate to provide strong security [2, 39, 28, 17, 26, 6, 30] Although many enhanced access control models and frameworks have been proposed and implemented [9, 1, 4, 41, 23, 10, 29, 37], mainstream operating systems typically still lack support for these enhancements. In part, the absence of such enhancements is due to a lack of agreement within the security community on the right general solution. Like many other general purpose operating systems, the Linux kernel only ....

....since the kernel does not provide any infrastructure to allow kernel modules to mediate access to kernel objects. As a result, kernel modules typically resort to system call interposition to control kernel operations [18, 20] which has serious limitations as a method for providing access control [41]. Furthermore, these kernel modules often require reimplementing selected kernel functionality [18, 20] or require a patch to the kernel to support the module [10, 3, 15] reducing much of the value of modular composition. Hence, many projects have implemented enhanced access control frameworks or ....

[Article contains additional citation context not shown here]

Ray Spencer, Stephen Smalley, Peter Loscocco, Mike Hibler, David Andersen, and Jay Lepreau. The Flask Security Architecture: System Support for Diverse Security Policies. In Proceedings of the Eighth USENIX Security Symposium, pages 123--139, August 1999.

No context found.

R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Andersen, and J. Lepreau, The Flask Security Architecture: System Support for Diverse Security Policies, in Proceedings of the Eighth USENIX Security Symposium, pp. 123139, August 1999. http://www.cs.utah.edu/flux/flask/.

No context found.

R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Ansersen, and J. Lepreau. The Flask Security Architecture: System Support for Diverse Security Policies. In Proceedings USENIX Security Symposium, 1999.

No context found.

R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Andersen, and J. Lepreau. The Flask Security Architecture: System Support for Diverse Security Policies. In Proceedings of the 8th USENIX Security Symposium, pages 123--139, Washington, DC, August 1999.

No context found.

R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Andersen, and J. Lepreau. The Flask Security Architecture: System Support for Diverse Security Policies. In Proceedings of the 8th USENIX Security Symposium, pages 123--139, Washington, DC, August 1999.

No context found.

R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Andersen, and J. Lepreau. The Flask Security Architecture: System Support for Diverse Security Policies. In Proc. of the Eighth USENIX Security Symposium, Aug. 1999.

No context found.

R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Anderson, and J. Lepreau. The flask security architecture: System support for diverse security policies. In Proceedings of the 2000.

No context found.

R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Anderson, and J. Lepreau. The flask security architecture: System support for diverse security policies. In Proceedings of the 2000.

No context found.

Ray Spencer, Stephen Smalley, Peter Loscocco, Mike Hibler, David Andersen, and Jay Lepreau. The Flask Security Architecture: System Support for Diverse Security Policies. In Proceedings of the 8th Usenix Security Symposium, pages 123--139, August 1999. 2, 8

No context found.

Ray Spencer, Stephen Smalley, Peter Loscocco, Mike Hibler, David Andersen, and Jay Lepreau. The Flask security architecture: System support for diverse security policies. In Proceedings of the Eighth USENIX Security Symposium, pages 123--139, August 1999.

No context found.

Spencer, R., Smalley, S., Loscocco, P., Hibler, M., Anderson, D., and Lepreau, J. (2000). The flask security architecture: System support for diverse security policies. In Proceedings of the USENIX Security Symposium, pages 123--139.

No context found.

R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Andersen, and J. Lepreau. The Flask security architecture: System support for diverse security policies. In Proc. of the Eighth USENIX Sec. Symp., pages 123-- 139, Aug. 1999.

No context found.

Spencer, R., Smalley, S., Loscocco, P., Hibler, M., Anderson , D., Lepreau, J., "The Flask Security Architecture: System Support for Diverse Security Policies". Technical Report UUCS-98-014, University of Utah, U.S.A, August 1998.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC