Authors:
Kirill Belyaev and Indrakshi Ray
Affiliation:
Colorado State University, United States
Keyword(s):
Access Control, Service and Systems Design, Inter-application Communication.
Related Ontology Subjects/Areas/Topics:
Access Control; Cloud Computing; Data Engineering; Databases and Data Security; Information and Systems Security; Internet Technology; Security in Information Systems; Security Information Systems Architecture and Design and Security Patterns; Service and Systems Design and QoS Network Security; Services Science; Web Information Systems and Technologies
Abstract:
With the advancements in contemporary multi-core CPU architectures, it is now possible for a server operating
system (OS), such as Linux, to handle a large number of concurrent application services on a single server
instance. Individual application components of such services may run in different isolated runtime environments,
such as chrooted jails or application containers, and may need access to system resources and the ability
to collaborate and coordinate with each other in a regulated and secure manner. We propose an access control
framework for policy formulation, management, and enforcement that allows access to OS resources and also
permits controlled collaboration and coordination for service components running in disjoint containerized
environments under a single Linux OS server instance. The framework consists of two models and the policy
formulation is based on the concept of policy classes for ease of administration and enforcement. The policy
classes are managed and enforced through a Linux Policy Machine (LPM) that acts as the centralized reference
monitor and provides a uniform interface for accessing system resources and requesting application data and
control objects. We present the details of our framework and also discuss the preliminary implementation to
demonstrate the feasibility of our approach.