Towards a VMM-based usage control framework for OS kernel integrity protection
- In 12th ACM Symposium on Access Control Models and Technologies (SACMAT), Sophia Antipolis, 2007
Cited by 8 (2 self)
Protecting kernel integrity is one of the fundamental security objectives in building a trustworthy operating system (OS). To this end, a variety of approaches and systems have been proposed and developed. However, access control models used in most of these systems are not expressive enough to capture important security requirements such as continuous policy enforcement and mutable process and object attributes. Even worse, most existing protection mechanisms in these systems reside in the same space as the running OS, which unfortunately can be disabled or subverted after an attacker successfully exploits kernel-level vulnerabilities (or features) to compromise the OS kernel. The increasing number of kernel-level rootkit attacks clearly demonstrates this threat. In this paper we present a simple but effective usage control model UCONKI with unique properties of decision continuity and attribute mutability for OS kernel integrity protection. Further, to enforce UCONKI security policies, we propose a virtual machine monitor (VMM) based architecture that is isolated and protected from other untrusted processes inside a virtual machine (VM). We have implemented a proof-of-concept prototype in Linux to demonstrate the feasibility of our approach. Our experiments with 18 real-world kernel rootkits show that our approach is able to successfully detect and prevent all kernel integrity violations from them. Beyond kernel integrity protection, we also explore additional opportunities for general OS security, such as the confinement of process activities as well as the protection of system utility programs at the VMM level.
Information Flow in a Purpose-Oriented Access Control Model
- In: Proceedings of the 1997 International Conference on Parallel and Distributed Systems (ICPADS’97), Seoul, Korea, IEEE Computer Society, 1997
Cited by 7 (0 self)
In distributed applications, a group of multiple objects cooperates to achieve some objectives. An object is modeled as a pair of data structure and operations. Each object is manipulated through an operation supported by the object, and the operation may further invoke operations of other objects, i.e. nested operations. The purpose-oriented access rules indicate which operation in each object can invoke operations of other objects. Information flow among the objects occurs if the requests and responses of the operations carry some data. Only the purpose-oriented access rules which imply legal information flow are allowed. In this paper, we discuss how to test whether the access rules are legal with respect to the information flow occurring in the nested invocation of the operations.
1 Introduction In client-server systems, the application programs in the clients manipulate the resources in the servers by remote procedure call. Units of the resources like databases are named objects. I...
Enforcing Well-formed and Partially-formed Transactions for
- In Proceedings of the 8th USENIX Security Symposium. USENIX Association, 1999
Cited by 7 (1 self)
While security is a critical component of information systems, at times it can be frustrating for end users. Security systems exist to minimise the risks of allowing users to access and modify data, but rarely do they consider the risks of not granting access.
An Intrusion-Tolerant Security Server for an Open Distributed System
- In Proc. of the European Symposium in Computer Security (ESORICS 90), 1990
Cited by 7 (2 self)
This paper describes a new approach for security in open distributed systems. This approach is currently developed in the framework of the Delta 4 project. After a few reminders about two existing distributed security architectures, the proposed "intrusion-tolerant" approach is specified. It is based on a fragmentation-scattering technique applied to a security server running on several security sites. These sites are such that intrusions into a number of sites less than a given threshold have no consequence on the global security. The different security services provided are then presented together with a proposed multi-categories discretionary policy.
Modelling Access Policies using Roles in Requirements Engineering
- Information and Software Technology (Elsevier), 2003
Cited by 7 (2 self)
Pressures are increasing on organisations to take an early and more systematic approach to security. A key to enforcing security is to restrict access to valuable assets. We regard access policies as security requirements that specify such restrictions. Current requirements engineering methods are generally inadequate for eliciting and analysing these types of requirements, because they do not allow complex organisational structures and procedures that underlie policies to be represented adequately. This paper discusses roles and why they are important in the analysis of security. The paper relates roles to organisational theory and how they could be employed to define access policies. A framework is presented, based on these concepts, for analysing access policies.
Information Security Antipatterns in Software Requirements Engineering
- 2002
Cited by 5 (0 self)
Requirements engineering is one of the key activities in the software development process. The rapid expansion of e-commerce and internet applications increases the need for adequate application security. Yet, conventional requirements engineering methodologies rarely mention information security aspects. The information security community, on the other hand, has developed system security requirements specification methodologies. These methodologies, from the software architect's point of view, are often hard to understand and too general to be applied. By following conventional methodologies and failing to thoroughly understand the security consequences, architects end up with inadequate application security. This paper presents two commonly observed cases - antipatterns. In the first case, an old and well-known (perimeter security) model is applied in a new context without analysis of the security requirements. In the second case, the impact of lacking data sensitivity classification and threat analyses is considered.
The 'Rule Set Based Access Control' (RSBAC) Framework for Linux
Cited by 5 (0 self)
RSBAC (“Rule Set Based Access Control”) is an open source security extension for Linux kernels based on the Generalized Framework for Access Control (GFAC). It is a kernel-based access control scheme, which can be configured with a set of security policies chosen from a provided set of options and which can be used to significantly enhance Linux system security. In this paper, we present the RSBAC system architecture, the RSBAC security policy components and outline the RSBAC implementation. Besides, we briefly compare RSBAC with other Linux kernel-based access control projects.
An architecture of security management unit for safe hosting of multiple agents
- In Proceedings of the International Workshop on Intelligent Communications and Multimedia Terminals, 1998
Cited by 5 (0 self)
In such growing areas as remote applications in large public networks, electronic commerce, digital signature, intellectual property and copyright protection, and even operating system extensibility, the hardware security level offered by existing processors is insufficient. They lack protection mechanisms that prevent the user from tampering with critical data owned by those applications. Some devices are exceptions, but have neither enough processing power nor enough memory to stand up to such applications (e.g. smart cards). This paper proposes an architecture of a secure processor, in which the classical memory management unit is extended into a new security management unit. It allows ciphered code execution and ciphered data processing. An internal permanent memory can store cipher keys and critical data for several client agents simultaneously. The ordinary supervisor privilege scheme is replaced by a privilege inheritance mechanism that is more suited to operating system extensibility. The result is a secure processor that has hardware support for extensible multitask operating systems, and can be used for both general applications and critical applications needing strong protection. The security management unit and the internal permanent memory can be added to an existing CPU core without loss of performance, and do not require it to be modified.
End-point identifiers in secure multi-homed mobility
- In Proceedings of OPODIS’02, 2002
Cited by 4 (1 self)
Currently IP addresses are used both as node identifiers and as topological location names in the Internet. The semantic overloading and non-cryptographic nature of IP addresses makes it impossible to use them as identifiers from the security point of view. The problem becomes even worse with multi-homed mobile nodes. Multi-homed mobile nodes have several interfaces bound to dynamically changing IP addresses. When a node changes its point of attachment to the network or reroutes traffic from one interface to another, the connection identifiers are changed. A peer node cannot verify the validity of the new identifiers without a naming trust relationship between the identifiers and the identity of the node. The peer must have evidence that an identifier belongs to a specific identity. Currently, there is no way for a node using traditional IP addresses to prove that it owns a specific address, i.e., an identifier. We present in this paper the philosophy behind the separation of end-point identifiers from location names, which is an essential part of designing secure multi-homed mobility architectures.
Server-side Parallel Data Reduction and Analysis
Cited by 4 (3 self)
Geoscience analysis is currently limited by cumbersome access and manipulation of large datasets from remote sources. Due to their data-heavy and compute-light nature, these analysis workloads represent a class of applications unsuited to a computational grid optimized for compute-intensive applications. We present the Script Workflow Analysis for MultiProcessing (SWAMP) system, which relocates data-intensive workflows from scientists’ workstations to the hosting datacenters in order to reduce data transfer and exploit locality. Our colocation of computation and data leverages the typically reductive characteristics of these workflows, allowing SWAMP to complete workflows in a fraction of the time and with much less data transfer. We describe SWAMP’s implementation and interface, which is designed to leverage scientists’ existing script-based workflows. Tests with a production geoscience workflow show drastic improvements not only in overall execution time, but in computation time as well. SWAMP’s workflow analysis capability allows it to detect dependencies, optimize I/O, and dynamically parallelize execution. Benchmarks quantify the drastic reduction in transfer time, computation time, and end-to-end execution time.

