Abstract
The Windows Embedded operating system (OS) adopts a discretionary access control (DAC)-based policy, but underlying vulnerabilities exist because of external hacker attacks and other factors. In this study, we propose a system that improves the security of the Windows Embedded OS by applying a mandatory access control (MAC) policy in which the access rights of objects, such as files and folders, and subjects’ privileges, such as processes, are compared. We conducted access control tests to verify whether the proposed system could avoid the vulnerabilities of DAC-based systems. Our results indicate that the existing DAC-based security systems could be neutralized if a principal’s security policy is removed. However, in the proposed MAC-based Windows Embedded OS, even if the clearance and category values of a subject’s files are given the highest rating, all accesses are automatically denied. Therefore, the execution of all files that were not previously registered on the whitelist was denied, proving that security was improved relative to DAC-based systems.
Highlights
An embedded operating system (OS) is a specialized OS designed for specific purposes, and it is installed as a built-in component of a system, for example, a point of sales (POS) terminal, an automatic teller machine (ATM), or a kiosk
We propose a method for improving the security of the Windows Embedded OS by implementing mandatory access control (MAC)-based policies to determine the privileges of subjects and objects
We designed and implemented a Windows Embedded OS security system based on the MAC model
Summary
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. As embedded OSes are designed to serve specific purposes, they operate in low-memory, low-power, and low-CPU environments and have limited support capabilities. Because Windows Embedded OSes use the discretionary access control (DAC) model for access control and run on limited computer resources, systems requiring high resource allocation, such as traditional anti-virus programs, are inappropriate as a security measure for them. We propose a method for improving the security of the Windows Embedded OS by implementing mandatory access control (MAC)-based policies to determine the privileges of subjects and objects. The proposed MAC-based security system was implemented as a file system filter driver, and the security policy was managed by the filter driver kernel memory and the file system’s alternate data stream (ADS) to reduce resource usage and enhance policy security in limited system environments.
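The access decision described above can be sketched in user-mode C. This is an added example, not code from the paper: the label layout, the whitelist entries, the paths and the dominance rule (subject level at least the object level, subject categories a superset) are assumptions chosen to illustrate why a subject that is not on the whitelist is denied even when its file carries the highest clearance and category values.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical label: a clearance level plus a category bitmask. */
typedef struct { uint8_t level; uint32_t categories; } mac_label;

/* Constructed whitelist: registered images and the labels the policy gives them. */
typedef struct { const char *image; mac_label label; } wl_entry;
static const wl_entry WHITELIST[] = {
    { "C:\\POS\\pos_app.exe", { 2, 0x3 } },
    { "C:\\POS\\updater.exe", { 1, 0x1 } },
};

/* Windows paths compare case-insensitively. */
static bool same_path(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b; /* true only when both strings ended together */
}

static const mac_label *registered_label(const char *image) {
    for (size_t i = 0; i < sizeof WHITELIST / sizeof WHITELIST[0]; i++)
        if (same_path(image, WHITELIST[i].image)) return &WHITELIST[i].label;
    return NULL;
}

/* Assumed rule: subject level >= object level and categories are a superset. */
static bool dominates(const mac_label *s, const mac_label *o) {
    return s->level >= o->level && (s->categories & o->categories) == o->categories;
}

/* 'claimed' is whatever label the subject's own file carries; it is never trusted. */
bool mac_allow(const char *image, const mac_label *claimed, const mac_label *object) {
    const mac_label *subject = registered_label(image);
    (void)claimed;
    if (subject == NULL || object == NULL) return false; /* default deny */
    return dominates(subject, object);
}

int main(void) {
    mac_label top = { 255, 0xFFFFFFFFu }, low = { 1, 0x1 };
    printf("registered app: %d\n", mac_allow("C:\\POS\\pos_app.exe", NULL, &low));
    printf("unregistered, top label: %d\n", mac_allow("C:\\Temp\\new.exe", &top, &low));
    return 0;
}
```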