
Operating System Security Policy Hardening via Capability Dependency Graphs

  • Conference paper
Information Security Practice and Experience (ISPEC 2015)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 9065)


Abstract

An operating system relies heavily on its access control mechanism to defend against attacks. The complexity of modern access control mechanisms and the scale of their possible configurations are often overwhelming to system administrators and software developers, so misconfigurations are common and their security consequences serious. Detecting and eliminating these misconfigurations is therefore essential. We propose an automated and systematic approach to correcting misconfigurations, based on capability dependency graph generation and MaxSAT solving. Given the attacker's initial capabilities, we first automatically generate a capability dependency graph that describes the attacker's potential capabilities and the dependency relationships among them. Based on this graph, we then develop a solution that automates the task of hardening the operating system security policy against multi-step attacks arising from misconfigurations. In this solution, we represent each capability the attacker can obtain as a propositional logic formula over the initial conditions, and then reduce the policy hardening problem to a MaxSAT problem. Finally, we introduce a notion called normal capability loss to help an administrator select the optimal hardening solution, the one that causes the minimum loss of system usability. We apply our approach to analyze misconfigurations in Ubuntu 10.04 shipped with SELinux and study an attack case to evaluate its effectiveness.
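The pipeline the abstract describes (capability dependency graph, propositional formula per capability, MaxSAT reduction, cost-driven choice of which initial conditions to revoke) can be shown end to end on a toy graph. The following is an added worked example, not the paper's code or data: the condition names, the rules, and the "normal capability loss" weights are all constructed and hypothetical, and the MaxSAT instance is solved by exhaustive search over the five variables rather than by a real MaxSAT solver such as sat4j.

```python
"""Toy capability dependency graph, propositional formula extraction and a
brute-force weighted MaxSAT hardening step.  Everything here is a constructed
example; the condition names, rules and weights are hypothetical and are not
taken from the paper or from any real SELinux policy."""
from itertools import product

# Initial conditions (attacker's starting capabilities / revocable policy
# settings) with a hypothetical "normal capability loss" weight: the cost to
# legitimate users of revoking that condition.
INITIAL = {
    "c_login": 5,          # local shell as an unprivileged user
    "c_world_w_dir": 4,    # a shared directory is world-writable
    "c_setuid_allow": 2,   # user domain may execute a setuid helper
    "c_daemon_conf_w": 1,  # user domain may write a daemon's config file
    "c_daemon_exec": 2,    # user domain may (re)start that daemon
}

# Capability dependency graph: derived capability -> alternatives, each
# alternative being a set of prerequisites that must all hold (OR of ANDs).
RULES = {
    "write_daemon_conf": [{"c_login", "c_daemon_conf_w"}],
    "run_as_daemon": [{"write_daemon_conf", "c_daemon_exec"},
                      {"c_login", "c_setuid_allow"}],
    "root_shell": [{"run_as_daemon", "c_world_w_dir"}],
}


def reachable(enabled):
    """Forward closure: every capability an attacker obtains from `enabled`."""
    have = set(enabled)
    changed = True
    while changed:
        changed = False
        for cap, alts in RULES.items():
            if cap not in have and any(alt <= have for alt in alts):
                have.add(cap)
                changed = True
    return have


def formula(cap, path=frozenset()):
    """Propositional formula of `cap` over the initial conditions, in DNF:
    a set of frozensets, each frozenset a conjunction of initial conditions.
    `path` breaks cycles: a capability cannot be derived from itself."""
    if cap in INITIAL:
        return {frozenset([cap])}
    if cap in path:
        return set()
    terms = set()
    for alt in RULES.get(cap, []):
        # Conjunction of the prerequisites' DNFs = cross product of their terms.
        partial = {frozenset()}
        for pre in alt:
            sub = formula(pre, path | {cap})
            partial = {a | b for a in partial for b in sub}
            if not partial:
                break
        terms |= partial
    # Absorption: drop any term that strictly contains another term.
    return {t for t in terms if not any(o < t for o in terms)}


def harden(target):
    """Reduce hardening to weighted MaxSAT and solve it by exhaustive search.
    Variable x_c is True iff initial condition c stays enabled.
    Hard clauses: for every DNF term of `target`, at least one of its
    conditions is disabled (a clause of negative literals).
    Soft clauses: unit clause x_c with weight INITIAL[c]; maximising the
    satisfied soft weight minimises the normal capability loss.
    Returns (cost, frozenset of conditions to disable)."""
    hard = [frozenset(t) for t in formula(target)]
    names = sorted(INITIAL)
    best = None
    for bits in product([False, True], repeat=len(names)):
        x = dict(zip(names, bits))
        if not all(any(not x[c] for c in clause) for clause in hard):
            continue  # assignment leaves an attack path open
        cost = sum(INITIAL[c] for c in names if not x[c])  # unsatisfied soft weight
        if best is None or cost < best[0]:
            best = (cost, frozenset(c for c in names if not x[c]))
    return best


if __name__ == "__main__":
    print("root_shell reachable initially:", "root_shell" in reachable(INITIAL))
    for term in sorted(map(sorted, formula("root_shell"))):
        print("  attack path term:", " AND ".join(term))
    cost, disable = harden("root_shell")
    print("disable", sorted(disable), "at normal capability loss", cost)
    print("root_shell reachable after:", "root_shell" in reachable(set(INITIAL) - disable))
```

On this graph the attacker has two paths to `root_shell`; revoking the single shared condition `c_login` or `c_world_w_dir` would close both but carries the highest usability weight, so the solver instead revokes `c_daemon_conf_w` and `c_setuid_allow`, cutting one path each at a combined loss of 3. With more than a few dozen initial conditions the exhaustive loop must be replaced by a real MaxSAT solver; the clause construction stays the same.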



Corresponding author: Zhihui Han.


Copyright information

© 2015 Springer International Publishing Switzerland

Cite this paper

Han, Z., Cheng, L., Zhang, Y., Feng, D. (2015). Operating System Security Policy Hardening via Capability Dependency Graphs. In: Lopez, J., Wu, Y. (eds) Information Security Practice and Experience. ISPEC 2015. Lecture Notes in Computer Science, vol 9065. Springer, Cham. https://doi.org/10.1007/978-3-319-17533-1_1

  • DOI: https://doi.org/10.1007/978-3-319-17533-1_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-17532-4

  • Online ISBN: 978-3-319-17533-1
