Defect Analysis and Risk Assessment of Mainstream File Access Control Policies

  • Conference paper
Security, Privacy, and Anonymity in Computation, Communication, and Storage (SpaCCS 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10066)

Abstract

Traditional research on file access control does not distinguish between the user layer and the application layer. This paper points out that file access control should include two layers: the first layer specifies the file access rights the user has, and the second layer specifies the file access rights of a program at the current moment. Mainstream file access control policies cannot meet the second-layer requirements, and this is the very reason why current computer systems have failed to defend against file attacks. This paper also proposes a quantitative risk assessment method, which is used to evaluate the mainstream policies; the results show that there is no essential difference between these policies in terms of risk.

Corresponding author

Correspondence to Li Luo.

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Luo, L., He, H., Zhu, J. (2016). Defect Analysis and Risk Assessment of Mainstream File Access Control Policies. In: Wang, G., Ray, I., Alcaraz Calero, J., Thampi, S. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2016. Lecture Notes in Computer Science, vol 10066. Springer, Cham. https://doi.org/10.1007/978-3-319-49148-6_18

  • DOI: https://doi.org/10.1007/978-3-319-49148-6_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-49147-9

  • Online ISBN: 978-3-319-49148-6

  • eBook Packages: Computer Science (R0)
