Abstract
The FlexFS approach provides an effective credential-based access control mechanism while ensuring file access performance equivalent to that of the normal file system. This is achieved by decoupling the file system naming and access control layer from the block I/O layer. By intercepting and redefining file system API calls in libc (e.g. open(2)), we allow any existing executable to use FlexFS while keeping FlexFS as a user-level system without any changes to the kernel. This allows for rapid experimentation without impacting system stability.
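The interception idea in the abstract, as an added sketch that is not FlexFS's own code: a user-level `open()` replacement makes a credential-based decision and then passes the call to the kernel unchanged. The credential names, the policy table, the `/tmp/flexfs-demo/` subtree and the `shim_*` functions are hypothetical, and absolute paths on Linux are assumed.

```c
#define _GNU_SOURCE                     /* for syscall() */
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Constructed policy: each credential is granted a subtree, read-only or read-write. */
#define MANAGED_ROOT "/tmp/flexfs-demo/"          /* hypothetical protected subtree */
struct grant { const char *cred, *prefix; int may_write; };
static const struct grant policy[] = {
    { "cred-alice", "/tmp/flexfs-demo/",        1 },
    { "cred-guest", "/tmp/flexfs-demo/public/", 0 },
};
static const char *current_cred = "cred-guest";   /* hypothetical session credential */

void shim_set_credential(const char *cred) { current_cred = cred; }

/* Access decision only: 1 = allow, 0 = deny. Assumes absolute paths. */
int shim_allowed(const char *cred, const char *path, int flags)
{
    int wants_write = (flags & O_ACCMODE) != O_RDONLY || (flags & (O_CREAT | O_TRUNC)) != 0;
    if (strncmp(path, MANAGED_ROOT, strlen(MANAGED_ROOT)) != 0)
        return 1;                       /* outside the subtree: not this layer's job */
    if (strstr(path, "/..") != NULL)
        return 0;                       /* prefix matching must not be escaped via ".." */
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (strcmp(policy[i].cred, cred) == 0 &&
            strncmp(path, policy[i].prefix, strlen(policy[i].prefix)) == 0 &&
            (!wants_write || policy[i].may_write))
            return 1;
    return 0;
}

/* Check first, then hand the call to the kernel untouched, so block I/O is unchanged. */
int shim_open(const char *path, int flags, mode_t mode)
{
    if (!shim_allowed(current_cred, path, flags)) { errno = EACCES; return -1; }
    return (int)syscall(SYS_openat, AT_FDCWD, path, flags, mode);
}

/* Same name and signature as open(2) in libc, so existing callers bind to it. */
int open(const char *path, int flags, ...)
{
    mode_t mode = 0;
    va_list ap;
    if (flags & O_CREAT) { va_start(ap, flags); mode = (mode_t)va_arg(ap, int); va_end(ap); }
    return shim_open(path, flags, mode);
}
```

Built as a shared object and loaded ahead of libc (for example with `LD_PRELOAD` on Linux), this `open()` takes precedence for dynamically linked programs; statically linked binaries and direct system calls do not pass through it.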
Acknowledgement
This work was supported by the European Commission Horizon 2020 through project H2020-DS-SC7-2017 “THREAT-ARREST” under Grant Agreement No. 786890.
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Najar, J., Prevelakis, V. (2019). A Secure and Efficient File System Access Control Mechanism (FlexFS). In: Fournaris, A., Lampropoulos, K., Marín Tordera, E. (eds) Information and Operational Technology Security Systems. IOSec 2018. Lecture Notes in Computer Science(), vol 11398. Springer, Cham. https://doi.org/10.1007/978-3-030-12085-6_2
DOI: https://doi.org/10.1007/978-3-030-12085-6_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-12084-9
Online ISBN: 978-3-030-12085-6
eBook Packages: Computer Science, Computer Science (R0)