FUNCTIONALITY-BASED APPLICATION CONFINEMENT - Parameterised Hierarchical Application Restrictions

Z. Cliffe Schreuders; Christian Payne

doi:10.5220/0001928900720077

FUNCTIONALITY-BASED APPLICATION CONFINEMENT - Parameterised Hierarchical Application Restrictions

Z. Cliffe Schreuders, Christian Payne

2008

Abstract

Traditional user-oriented access control models such as Mandatory Access Control (MAC) and Discretionary Access Control (DAC) cannot differentiate between processes acting on behalf of users and those behaving maliciously. Consequently, these models are limited in their ability to protect users from the threats posed by vulnerabilities and malicious software as all code executes with full access to all of a user's permissions. Application-oriented schemes can further restrict applications thereby limiting the damage from malicious code. However, existing application-oriented access controls construct policy using complex and inflexible rules which are difficult to administer and do not scale well to confine the large number of feature-rich applications found on modern systems. Here a new model, Functionality-Based Application Confinement (FBAC), is presented which confines applications based on policy abstractions that can flexibly represent the functional requirements of applications. FBAC policies are parameterised allowing them to be easily adapted to the needs of individual applications. Policies are also hierarchical, improving scalability and reusability while conveniently abstracting policy detail where appropriate. Furthermore the layered nature of policies provides defence in depth allowing policies from both the user and administrator to provide both discretionary and mandatory security. An implementation FBAC-LSM and its architecture are also introduced.

Download

Paper Citation

in Harvard Style

Cliffe Schreuders Z. and Payne C. (2008). FUNCTIONALITY-BASED APPLICATION CONFINEMENT - Parameterised Hierarchical Application Restrictions . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008) ISBN 978-989-8111-59-3, pages 72-77. DOI: 10.5220/0001928900720077

in Bibtex Style

@conference{secrypt08,
author={Z. Cliffe Schreuders and Christian Payne},
title={FUNCTIONALITY-BASED APPLICATION CONFINEMENT - Parameterised Hierarchical Application Restrictions},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)},
year={2008},
pages={72-77},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001928900720077},
isbn={978-989-8111-59-3},
}

in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)
TI - FUNCTIONALITY-BASED APPLICATION CONFINEMENT - Parameterised Hierarchical Application Restrictions
SN - 978-989-8111-59-3
AU - Cliffe Schreuders Z.
AU - Payne C.
PY - 2008
SP - 72
EP - 77
DO - 10.5220/0001928900720077