An OS Security Protection Model for Defeating Attacks from Network

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4812)

Abstract

Security threats to operating systems today largely come from the network. Traditional discretionary access control mechanisms alone can hardly defeat them. Although traditional mandatory access control models can effectively protect the security of the OS, they have problems of application incompatibility and administration complexity. In this paper, we propose a new model, the Suspicious-Taint-Based Access Control (STBAC) model, for defeating network attacks while maintaining good compatibility, simplicity and system performance. STBAC regards processes using Non-Trustable-Communications as starting points of suspicious taint, traces activities of the suspiciously tainted processes by taint rules, and forbids the suspiciously tainted processes from illegally accessing vital resources by protection rules. Even in cases where some privileged processes are subverted, STBAC can still protect vital resources from being compromised by the intruder. We implemented the model in the Linux kernel and evaluated it through experiments. The evaluation showed that STBAC could protect vital resources effectively without significant impact on compatibility and performance.
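The following user-space sketch is an added illustration of the idea in the abstract, not code from the paper or its Linux implementation. The specific taint rules (taint on receiving from a non-trusted peer, inheritance on fork, propagation through files) and the protection rule (tainted subjects may not write vital resources) are assumptions, as are all names, paths and addresses.

```python
"""Toy STBAC-style reference monitor (added example; rules are assumptions)."""
from dataclasses import dataclass, field


@dataclass
class Proc:
    name: str
    uid: int = 0            # privileged; deliberately ignored by the monitor
    tainted: bool = False


@dataclass
class Monitor:
    vital: set              # vital resources (assumed policy)
    trusted_peers: set      # peers whose traffic counts as trustable
    tainted_files: set = field(default_factory=set)
    denied: list = field(default_factory=list)

    # Taint rule (assumed): non-trustable communication starts the taint.
    def recv(self, p, peer):
        if peer not in self.trusted_peers:
            p.tainted = True

    # Taint rule (assumed): a child inherits its parent's taint.
    def fork(self, parent, name):
        return Proc(name, parent.uid, parent.tainted)

    # Taint rule (assumed): reading a tainted file taints the reader.
    def read(self, p, path):
        if path in self.tainted_files:
            p.tainted = True
        return True

    # Protection rule (assumed): tainted subjects cannot write vital
    # resources, whatever their uid; other writes spread the taint.
    def write(self, p, path):
        if p.tainted and path in self.vital:
            self.denied.append((p.name, path))
            return False
        if p.tainted:
            self.tainted_files.add(path)
        return True


def demo():
    """Constructed scenario: a root daemon is reached from an untrusted peer."""
    m = Monitor(vital={"/etc/shadow"}, trusted_peers={"10.0.0.5"})
    httpd = Proc("httpd")
    ok_before = m.write(httpd, "/etc/shadow")   # untainted root: allowed
    m.recv(httpd, "203.0.113.9")                # taint starts here
    shell = m.fork(httpd, "sh")                 # taint inherited
    m.write(shell, "/tmp/upload")               # file becomes tainted
    cron = Proc("cron")
    m.read(cron, "/tmp/upload")                 # indirect taint via file
    return (ok_before, m.write(shell, "/etc/shadow"),
            m.write(cron, "/etc/shadow"), m.denied)
```

Calling `demo()` shows that the same root-owned daemon may update the vital file before it handles non-trustable traffic, while afterwards both its child and a second process tainted indirectly through a file are refused.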



Editor information

Patrick McDaniel Shyam K. Gupta

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Shan, Z., Wang, Q., Meng, X. (2007). An OS Security Protection Model for Defeating Attacks from Network. In: McDaniel, P., Gupta, S.K. (eds) Information Systems Security. ICISS 2007. Lecture Notes in Computer Science, vol 4812. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77086-2_3

  • DOI: https://doi.org/10.1007/978-3-540-77086-2_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-77085-5

  • Online ISBN: 978-3-540-77086-2

  • eBook Packages: Computer Science, Computer Science (R0)
