The functionality-based application confinement model

Article (English, open access)
Schreuders, ZC ; Payne, C ; McGill, T (2013)

This paper presents the functionality-based application confinement (FBAC) access control model. FBAC is an application-oriented access control model intended to restrict processes to the behaviour authorised by end users, administrators, and processes, in order to limit the damage that malicious code can cause, whether it arrives through a software vulnerability or as malware. FBAC is unique in its ability to limit applications to finely grained access control rules built from high-level, easy-to-understand, reusable policy abstractions; its ability to simultaneously enforce the application-oriented security goals of administrators, programs, and end users; its ability to dynamically activate and deactivate logically grouped portions of a process's authority; its treatment of process invocation history and intersection-based privilege propagation; its suitability to policy automation techniques; and the resulting usability benefits. Central to the model are 'functionalities', hierarchical and parameterised policy abstractions that represent features applications provide; 'confinements', which model the simultaneous enforcement of multiple sets of policies and so support a diverse range of application restrictions; and 'applications', which represent the processes to be confined. The paper defines the model in terms of structure (described in five components) and function, and serves as a culmination of our work thus far, reviewing the evaluation of the model conducted to date. © 2013 Springer-Verlag Berlin Heidelberg.
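The following Python model is an added illustration of the three concepts the abstract names and is not code from the paper or from the authors' FBAC implementation. It assumes shapes the abstract does not specify: a rule is a (resource glob, operation) pair; a functionality is a parameterised, hierarchical template of rules; a policy is one principal's set of functionality instances, each of which can be activated or deactivated at run time; a confinement is several policies enforced simultaneously, so an access needs every policy's consent; and a process invoked by a confined process gets the intersection of its own authority and its invoker's. The functionality names, paths and hosts are constructed sample data.

```python
"""Toy model of functionalities, confinements and confined processes.

Added illustration; not the authors' implementation.  Every structural choice
here (rule shape, activation per policy, 'all policies must agree', and
intersection with the invoker at invocation time) is an assumption.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple

Rule = Tuple[str, str]  # (resource glob, operation), e.g. ("/home/alice/docs/*", "read")


@dataclass(frozen=True)
class Functionality:
    """Reusable policy abstraction: rule templates plus optional sub-functionalities."""
    name: str
    rules: Tuple[Rule, ...] = ()                # templates with {param} placeholders
    children: Tuple["Functionality", ...] = ()  # hierarchy: a feature built from features

    def expand(self, params: Dict[str, str]) -> FrozenSet[Rule]:
        """Instantiate this functionality and its children into concrete rules."""
        out: Set[Rule] = {(res.format(**params), op) for res, op in self.rules}
        for child in self.children:
            out |= child.expand(params)
        return frozenset(out)


@dataclass
class Policy:
    """One principal's policy (administrator, end user, or the program itself)."""
    owner: str
    instances: Dict[str, Tuple[Functionality, Dict[str, str]]] = field(default_factory=dict)
    active: Set[str] = field(default_factory=set)

    def grant(self, label: str, func: Functionality, **params: str) -> "Policy":
        self.instances[label] = (func, dict(params))
        self.active.add(label)  # a granted functionality starts active
        return self

    def deactivate(self, label: str) -> None:  # drop one logically grouped chunk of authority
        self.active.discard(label)

    def activate(self, label: str) -> None:
        if label in self.instances:
            self.active.add(label)

    def permits(self, resource: str, op: str) -> bool:
        for label in self.active:
            func, params = self.instances[label]
            for pattern, rule_op in func.expand(params):
                if op == rule_op and fnmatch.fnmatchcase(resource, pattern):
                    return True
        return False


@dataclass
class Confinement:
    """Several policies enforced at once: allowed only if every policy permits the access."""
    policies: Tuple[Policy, ...]

    def permits(self, resource: str, op: str) -> bool:
        return all(p.permits(resource, op) for p in self.policies)


@dataclass
class Process:
    """A confined process; when invoked by a confined process, authority is intersected."""
    name: str
    confinement: Confinement
    invoker: Optional["Process"] = None

    def permits(self, resource: str, op: str) -> bool:
        own = self.confinement.permits(resource, op)
        return own if self.invoker is None else (own and self.invoker.permits(resource, op))


# Constructed sample functionalities (hypothetical names, not taken from the paper).
READ_DOCS = Functionality("read-documents", (("{docs}/*", "read"),))
WRITE_DOCS = Functionality("write-documents", (("{docs}/*", "write"),))
EDIT_DOCS = Functionality("edit-documents", children=(READ_DOCS, WRITE_DOCS))
NET_CLIENT = Functionality("network-client", (("tcp:{host}:{port}", "connect"),))


def demo() -> Dict[str, bool]:
    """Walk through a constructed scenario; returns the decision at each step."""
    admin = Policy("admin").grant("edit", EDIT_DOCS, docs="/home/*") \
                           .grant("net", NET_CLIENT, host="*", port="443")
    user = Policy("alice").grant("edit", EDIT_DOCS, docs="/home/alice/docs") \
                          .grant("net", NET_CLIENT, host="updates.example.org", port="443")
    program = Policy("editor.self").grant("edit", EDIT_DOCS, docs="/home/alice/docs") \
                                   .grant("net", NET_CLIENT, host="*", port="*")
    editor = Process("editor", Confinement((admin, user, program)))
    results = {
        "write_own_doc": editor.permits("/home/alice/docs/report.txt", "write"),
        "read_passwd": editor.permits("/etc/passwd", "read"),              # nobody grants it
        "read_bobs_doc": editor.permits("/home/bob/docs/x.txt", "read"),  # admin yes, user no
        "connect_updates": editor.permits("tcp:updates.example.org:443", "connect"),
    }
    user.deactivate("net")  # the user switches the network feature off at run time
    results["connect_after_deactivate"] = editor.permits("tcp:updates.example.org:443", "connect")
    user.activate("net")
    results["connect_after_reactivate"] = editor.permits("tcp:updates.example.org:443", "connect")
    # A viewer that, on its own, may read all of /home/alice; then the same viewer invoked by the editor.
    viewer_policy = Policy("viewer.self").grant("read", READ_DOCS, docs="/home/alice")
    viewer_alone = Process("viewer", Confinement((viewer_policy,)))
    viewer_child = Process("viewer", Confinement((viewer_policy,)), invoker=editor)
    results["viewer_alone_reads_notes"] = viewer_alone.permits("/home/alice/notes.txt", "read")
    results["viewer_child_reads_notes"] = viewer_child.permits("/home/alice/notes.txt", "read")
    results["viewer_child_reads_doc"] = viewer_child.permits("/home/alice/docs/report.txt", "read")
    return results


if __name__ == "__main__":
    for step, allowed in demo().items():
        print(f"{step:28s} {'allow' if allowed else 'deny'}")
```

The point the walk-through makes: the administrator's broad grant never widens what the user or the program allowed (reading another user's documents is denied even though the admin policy permits it), switching a functionality off removes a whole group of rules at once, and a helper invoked by the confined editor cannot read a file the editor itself could not, even though the helper's own policy would allow it.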
