Towards Access Control for Isolated Applications
Kirill Belyaev, Indrakshi Ray
2016
Abstract
With the advancements in contemporary multi-core CPU architectures, it is now possible for a server operating system (OS), such as Linux, to handle a large number of concurrent application services on a single server instance. Individual application components of such services may run in different isolated runtime environments, such as chrooted jails or application containers, and may need access to system resources and the ability to collaborate and coordinate with each other in a regulated and secure manner. We propose an access control framework for policy formulation, management, and enforcement that allows access to OS resources and also permits controlled collaboration and coordination for service components running in disjoint containerized environments under a single Linux OS server instance. The framework consists of two models and the policy formulation is based on the concept of policy classes for ease of administration and enforcement. The policy classes are managed and enforced through a Linux Policy Machine (LPM) that acts as the centralized reference monitor and provides a uniform interface for accessing system resources and requesting application data and control objects. We present the details of our framework and also discuss the preliminary implementation to demonstrate the feasibility of our approach.
References
- Abrams, M., Eggers, K., LaPadula, L., and Olson, I. (1990). Generalized Framework for Access Control: An Informal Description. In Proceedings of NCSC.
- Armando, A., Carbone, R., Costa, G., and Merlo, A. (2015). Android Permissions Unleashed. In Proceedings of IEEE CSF, pages 320-333. IEEE.
- Badger, L., Sterne, D. F., Sherman, D. L., Walker, K. M., and Haghighat, S. A. (1996). A Domain and Type Enforcement UNIX Prototype. Computing Systems, 9(1):47-83.
- Belyaev, K. (2016). Linux Policy Machine (LPM) - Managing the Application-Level OS Resource Control in the Linux Environment. https://github.com/kirillbelyaev/tinypm/tree/LPM. accessed 12-March-2016.
- Belyaev, K. and Ray, I. (2015). Towards Efficient Dissemination and Filtering of XML Data Streams. In Proceedings of IEEE DASC.
- Cabri, G., Leonardi, L., and Zambonelli, F. (2000). XML Dataspaces for Mobile Agent Coordination. In Proceedings of ACM SAC, pages 181-188. ACM.
- Chin, E., Felt, A. P., Greenwood, K., and Wagner, D. (2011). Analyzing inter-application communication in Android. In Proceedings of ACM MobiSys, pages 239-252. ACM.
- Cremonini, M., Omicini, A., and Zambonelli, F. (2000). Coordination and access control in open distributed agent systems: The TuCSoN approach. In Coordination Languages and Models, pages 99-114. Springer.
- Docker Developers (2016). What is Docker? https://www.docker.com/what-docker/. accessed 12-March-2016.
- Ferraiolo, D., Gavrila, S., and Jansen, W. (2014). On the Unification of Access Control and Data Services. In Proceedings of IEEE IRI, pages 450-457. IEEE.
- Gelernter, D. (1985). Generative Communication in Linda. ACM TOPLAS, 7(1):80-112.
- GrSecurity Developers (2016). What is GrSecurity? https://grsecurity.net. accessed 12-March-2016.
- Hallyn, S. and Kearns, P. (2000). Domain and Type Enforcement for Linux. In Proceedings of ALS, pages 247-260.
- Hallyn, S. E. and Morgan, A. G. (2008). Linux Capabilities: Making them Work. In Proceedings of OLS, page 163.
- Havoc Pennington, Red Hat, I. (2016). D-Bus Specification. https://dbus.freedesktop.org/doc/dbusspecification.html. accessed 12-March-2016.
- Johnson, M. K. and Troan, E. W. (2004). Linux Application Development. Addison-Wesley Professional.
- Krohn, M., Yip, A., Brodsky, M., Cliffer, N., Kaashoek, M. F., Kohler, E., and Morris, R. (2007). Information flow control for standard OS abstractions. ACM SIGOPS OSR, 41(6):321-334.
- LaPadula, L. (1995). Rule-Set Modeling of Trusted Computer System. In M., A., S., J., and H., P., editors, Information Security: An Integrated Collection of Essays. IEEE Computer Society Press.
- Linux Developers (2016). Linux Programmer's Manual. http://man7.org/linux/manpages/man7/capabilities.7.html. accessed 12- March-2016.
- Linux Programmer's Manual (2016). LIBCAP Manual. http://man7.org/linux/man-pages/man3/libcap.3.html. accessed 12-March-2016.
- Loscocco, P. (2001). Integrating Flexible Support for Security Policies into the Linux Operating System. In Proceedings of USENIX ATC, FREENIX Track, page 29.
- Manual, L. P. (2016). Kernel Namespaces. http://man7.org/linux/man-pages/man7/namespaces. 7.html. accessed 12-March-2016.
- Minsky, N. H., Minsky, Y. M., and Ungureanu, V. (2000). Making Tuple Spaces Safe for Heterogeneous Distributed Systems. In Proceedings of ACM SAC, pages 218-226.
- Minsky, N. H. and Ungureanu, V. (1998). Unified support for heterogeneous security policies in distributed systems. In Proc. of USENIX SS, pages 131-142.
- n-Logic Ltd. (2016). n-Logic Web Caching Service Provider. http://n-logic.weebly.com/. accessed 12- March-2016.
- Ott, A. and Fischer-H übner, S. (2001). The Rule Set Based Access Control (RSBAC) Framework for Linux. In Proceedings of ILK.
- Singh, J., Bacon, J., and Eyers, D. (2014). Policy enforcement within emerging distributed, event-based systems. In Proceedings of ACM DEBS, pages 246-255. ACM.
- Spencer, R., Smalley, S., Loscocco, P., Hibler, M., Andersen, D., and Lepreau, J. (1999). The Flask Security Architecture: System Support for Diverse Security Policies. In Proceedings of USENIX SS.
- Vitek, J., Bryce, C., and Oriol, M. (2003). Coordinating Processes with Secure Spaces. Science of Computer Programming, 46(1):163-193.
- Wright, C., Cowan, C., Smalley, S., Morris, J., and KroahHartman, G. (2002). Linux Security Modules: General security support for the Linux kernel. In Proceedings of USENIX SS, pages 17-31.
- Xu, Y., Dunn, A. M., Hofmann, O. S., Lee, M. Z., Mehdi, S. A., and Witchel, E. (2014). Application-Defined Decentralized Access Control. In Proceedings of USENIX ATC, pages 395-408.
Paper Citation
in Harvard Style
Belyaev K. and Ray I. (2016). Towards Access Control for Isolated Applications . In Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016) ISBN 978-989-758-196-0, pages 171-182. DOI: 10.5220/0005970001710182
in Bibtex Style
@conference{secrypt16,
author={Kirill Belyaev and Indrakshi Ray},
title={Towards Access Control for Isolated Applications},
booktitle={Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016)},
year={2016},
pages={171-182},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005970001710182},
isbn={978-989-758-196-0},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016)
TI - Towards Access Control for Isolated Applications
SN - 978-989-758-196-0
AU - Belyaev K.
AU - Ray I.
PY - 2016
SP - 171
EP - 182
DO - 10.5220/0005970001710182