Secure APIs for Applications in Microkernel-based Systems

Mohammad Hamad, Vassilis Prevelakis

2017

Abstract

The Internet has evolved from a collection of computers into today’s agglomeration of all sorts of devices (e.g. printers, phones, coffee makers, cameras and so on), a large part of which contain security vulnerabilities. The current wide-scale attacks are, in most cases, simple replays of the original Morris Worm of the mid-80s. The effects of these attacks are equally devastating because they affect huge numbers of connected devices. The reason for this lack of progress is that software developers will keep writing vulnerable software, both because of problems in the way software is designed and implemented and because of market realities. To contain the problem we therefore need effective control of network communications; more specifically, we need to vet all network connections made by an application, on the premise that if we can prevent an attacker from reaching the victim, the attack cannot take place. This paper presents a comprehensive network security framework, including a well-defined application programming interface (API) that allows fine-grained and flexible control of network connections. In this way, we can finally instantiate the principles of dynamic network control and protect vulnerable applications from network attacks.



Paper Citation


in Harvard Style

Hamad M. and Prevelakis V. (2017). Secure APIs for Applications in Microkernel-based Systems. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 553-558. DOI: 10.5220/0006265805530558


in Bibtex Style

@conference{icissp17,
author={Mohammad Hamad and Vassilis Prevelakis},
title={Secure APIs for Applications in Microkernel-based Systems},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2017},
pages={553-558},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006265805530558},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Secure APIs for Applications in Microkernel-based Systems
SN - 978-989-758-209-7
AU - Hamad M.
AU - Prevelakis V.
PY - 2017
SP - 553
EP - 558
DO - 10.5220/0006265805530558