Mandatory Access Control Policies Research Articles

Improving the efficiency of intrusion detection in information systems

Abstract Policy Interaction Graph Analysis is a Host-based Intrusion Detection tool that uses Linux MAC Mandatory access control policy to build the licit information flow graph and uses a detection policy defined by the administrator to extract illicit behaviour from the graph. The main limitation of this tool is the generation of a huge signature base of illicit behaviours; hence, this leads to the use of huge memory space to store it. Our primary goal in this article is to reduce this memory space while keeping the tool’s efficiency in terms of intrusion detection rate and false generated alarms. First, the interactions between the two nodes of the graph were grouped into a single interaction. The notion of equivalence class was used to classify the paths in the graph and was compressed by using a genetic algorithm. Such an approach showed its efficiency compared to the approach proposed by Pierre Clairet, by which the detection rate obtained was 99.9%, and no false-positive with a compression rate of illicit behaviour signature database reached 99.44%. Having these results is one of the critical aspects of realizing successful host-based intrusion detection systems.

Mandatory Access Control Method for Windows Embedded OS Security

The Windows Embedded operating system (OS) adopts a discretionary access control (DAC)-based policy, but underlying vulnerabilities exist because of external hacker attacks and other factors. In this study, we propose a system that improves the security of the Windows Embedded OS by applying a mandatory access control (MAC) policy in which the access rights of objects, such as files and folders, and subjects’ privileges, such as processes, are compared. We conducted access control tests to verify whether the proposed system could avoid the vulnerabilities of DAC-based systems. Our results indicate that the existing DAC-based security systems could be neutralized if a principal’s security policy is removed. However, in the proposed MAC-based Windows Embedded OS, even if the clearance and category values of a subject’s files are given the highest rating, all accesses are automatically denied. Therefore, the execution of all files that were not previously registered on the whitelist was denied, proving that security was improved relative to DAC-based systems.

TRUST- BASED MODELING MAC-TYPE ACCESS CONTROL THROUGH ACCESS AND ACTIONS CONTROL POLICIES

In recent decades, the number of researches on access control and user actions in computer systems has increased. Over time, there have been two models of implementing Mandatory Access Control (MAC) policies for government institutions and Discretionary Access Control (DAC) for the business environment, policies that various access control modeling solutions seek to implement. Among the access control modeling solutions developed are Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), presented in the U.S.A. by the National Institute of Standard and Technology (NIST). In Romania, in 2010, the access control solution based on trust was presented. This paper presents Mandatory Access Control policy modeling using the trust-based access and actions control modeling solution.

Fine-grained access control model based on sensitivity calculation by fuzzy mathematics

Access control regulates the behavior of legitimate users in the security domain to access and operate resources, and ensures that resources are not used by unauthorized users, in order to protect resources. With the maturity of security label technology, new requirements are put forward for access control of multi-level security network. In this paper, a fine-grained access control model based on sensitivity calculation by fuzzy mathematics is proposed. Fuzzy mathematics is used to comprehensively calculate the sensitivity level of users and files based on their security label attributes. On this basis, the mandatory access control policies are set to make the access control mechanism between users and files more reasonable.

AndroidBLP for Confidentiality Management in Android Environments

Users employ smartphones and tablets to manage and store personal information as well as corporate information. However, storing different types of information in the same device may lead to information leakage. Users need tools to define different confidentiality requirements over their data, and to enforce different access policies according to those requirements. Android is the most used mobile operating system, and although it implements various mechanisms to protect user information, it does not have any tool to meet the mentioned needs. This paper presents AndroidBLP, a tool based on the Bell-LaPadula confidentiality model that implements a predefined mandatory access control policy, enables users to define confidentiality requirements, and enforces a confidentiality policy based on those requirements.

A Novel Reference Security Model with the Situation Based Access Policy for Accessing EPHR Data.

Electronic Patient Health Record (EPHR) systems may facilitate a patient not only to share his/her health records securely with healthcare professional but also to control his/her health privacy, in a convenient and easy way even in case of emergency. In order to fulfill these requirements, it is greatly desirable to have the access control mechanism which can efficiently handle every circumstance without negotiating security. However, the existing access control mechanisms used in healthcare to regulate and restrict the disclosure of patient data are often bypassed in case of emergencies. In this article, we propose a way to securely share EPHR data under any situation including break-the-glass (BtG) without compromising its security. In this regard, we design a reference security model, which consists of a multi-level data flow hierarchy, and an efficient access control framework based on the conventional Role-Based Access Control (RBAC) and Mandatory Access Control (MAC) policies.

Mandatory Access Control Policies Based on Vague Requirements

This article focuses on mandatory access control and security policies within an operating system. It proposes a general methodology for the selection and deployment of policies based on vague descriptions, which are representing operational, functional and security requirements imposed on the operating system. The methodology is extended by generating customized policies and supported by an expert system, as a tool, that offers to minimize, or even completely eliminate, the need for a security consultant as an expert in the problem domain, for designing and selecting policies to harden the operating system and furthermore to design a secure operating system. This methodology moves this key r esponsibility to either the user or the system administrator. In this article, the methodology is used to generate components of operating system and with conjunction with SELinux reference policy to generate the customized policies, also called custom policies, which will allow setting the security level of certain applications vaguely.

Protecting the integrity of trusted applications in mobile phone systems

AbstractMobile phones have evolved into indispensable devices that run many exciting applications that users can download from phone vendor's application stores. However, as it is not practical to fully vet all application code, users may download malware‐infected applications, which may steal or modify security‐critical data. In this paper, we propose a security architecture for phone systems that protects trusted applications from such downloaded code. Our architecture uses reference monitors in the operating system and user‐space services to enforce mandatory access control policies that express an approximation of Clark—Wilson integrity. In addition, we show how to justify the integrity of mobile phone applications by using the Policy Reduced Integrity Measurement Architecture (PRIMA), which enables a remote party to verify the integrity of applications running on a phone. We have implemented a prototype on the Openmoko Linux Platform, using an SELinux kernel with a PRIMA module and user‐space services that leverage the SELinux user‐level policy server. We find that the performance of enforcement and integrity measurement is satisfactory, and the SELinux reference policy can be reduced in size by 90% (although more reduction should be possible), enabling practical system integrity with a desirable usability model. Copyright © 2010 John Wiley & Sons, Ltd.

MODEL CHECKING FOR VERIFICATION OF MANDATORY ACCESS CONTROL MODELS AND PROPERTIES

Mandatory access control (MAC) mechanisms control which users or processes have access to which resources in a system. MAC policies are increasingly specified to facilitate managing and maintaining access control. However, the correct specification of the policies is a very challenging problem. To formally and precisely capture the security properties that MAC should adhere to, MAC models are usually written to bridge the rather wide gap in abstraction between policies and mechanisms. In this paper, we propose a general approach for property verification for MAC models. The approach defines a standardized structure for MAC models, providing for both property verification and automated generation of test cases. The approach expresses MAC models in the specification language of a model checker and expresses generic access control properties in the property language. Then the approach uses the model checker to verify the integrity, coverage, and confinement of these properties for the MAC models and finally generates test cases via combinatorial covering array for the system implementations of the models.

Dynamic Trusted Domain: Preventing Data Leakage of Trusted Subjects

The existence of trusted subjects is a major complication in implementing multilevel secure (MLS) systems. In MLS, trusted subjects are granted with privileges to perform operations possibly violating mandatory access control policies. It is difficult to prevent them from data leakage with out too strict confinement. This paper reconsiders the privilege from the view of sensitive data and presents a dynamic trusted domain (DTD) mechanism for trusted subjects. In DTD, a domain is associated with a special label structure (LabelVector) distinguishing security policies and builds an isolated environment based on virtualization for a certain trusted subject. The channel for the trusted subject to communicate with outsider is controlled by a trusted request decision maker (TRDM). Only the request satisfies the rules on domain label and security levels can be passed through.

A logical specification and analysis for SELinux MLS policy

The SELinux mandatory access control (MAC) policy has recently added a multilevel security (MLS) model which is able to express a fine granularity of control over a subject's access rights. The problem is that the richness of the SELinux MLS model makes it impractical to manually evaluate that a given policy meets certain specific properties. To address this issue, we have modeled the SELinux MLS model, using a logical specification and implemented that specification in the Prolog language. Furthermore, we have developed some analyses for testing information flow properties of a given policy as well as an algorithm to determine whether one policy is compliant with another. We have implemented these analyses in Prolog and compiled our implementation into a tool for SELinux MLS policy analysis, called PALMS. Using PALMS, we verified some important properties of the SELinux MLS reference policy, namely that it satisfies the simple security condition and ⋆-property defined by Bell and LaPadula. We also evaluated whether the policy associated to a given application is compliant with the policy of the SELinux system in which it would be deployed.

A layered approach to simplified access control in virtualized systems

In this work, we show how the abstraction layer created by a hypervisor, or virtual machine monitor, can be leveraged to reduce the complexity of mandatory access control policies throughout the system. Policies governing access control decisions in today's systems are complex and monolithic. Achieving strong security guarantees often means restricting usability across the entire system, which is a primary reason why mandatory access controls are rarely deployed. Our architecture uses a hypervisor and multiple virtual machines to decompose policies into multiple layers. This simplifies the policies and their enforcement, while minimizing the overall impact of security on the system. We show that the overhead of decomposing system policies into distinct policies for each layer can be negligible. Our initial implementation confirms that such layering leads to simpler security policies and enforcement mechanisms as well as a more robust layered trusted computing base. We hope that this work serves to start a dialog regarding the use of mandatory access controls within a hypervisor for both increasing security and improving manageability.

Heuristics for Safety and Security Constraints

The flow logic approach to static analysis amounts to specifying the admissibility of solutions to analysis problems; when specified using formulae in stratified alternation-free least fixed point logic one may use efficient algorithms for computing the least admissible solutions. We extend this scenario to validate the fulfilment of safety and security constraints on admissible solutions; the modified development produces a least solution together with a boolean value indicating whether or not the constraints are validated or violated.The main contribution is the development of a deterministic heuristics for obtaining a solution that is close to the least solution while enforcing the safety or security constraints. We illustrate it on the Bell-LaPadula mandatory access control policy where the heuristics is used to suggest modifications to the security annotations of entities in order for the security policy to hold.

A typed encoding of boxed into safe ambients

We present: (i) an encoding of Boxed Ambients into a variant of Safe Ambients; and (ii) a new type system for multi-level security of Safe Ambients in the style of Cardelli et al. (Information and Computation 177(2), 160–194 (2002)) and Dezani-Ciancaglini and Salvo (Security types for mobile safe ambients. In: Proceedings of ASIAN '00, LNCS 1961, pp. 215–236. Springer Verlag (2000)). Then, we show that the types, when applied to the encoded BA proceses, permits to accurately verify Mandatory Access Control policies of the source processes.

Guest Editors' Introduction to the Special Issue on Secure Database Systems Technology

INCE the U.S. Air Force Summer Study in 1982, several S research and development efforts in secure database management systems have been initiated. These include efforts in Secure Relational DBMS, Secure Object-Oriented DBMS, Secure Distributed IDBMS, and other topics such as inference and aggregation, policies and models, polyinstantiation, concurrency control, auditing, and role-based security. In addition to military applications, security for commercial applications such as medical information systems and banking systems have received increased attention in recent years. Since security is becoming increasingly important to many government as well as commercial organizations, and database technology is a necessity for these organizations, it is important for the various communities to be aware of the developments made in securing database systems. Due to the considerable pressing interest and concern in this area, this special issue of IEEE Transactions on Knowledge and Data Engineering is devoted to this topic. This issue consists of seven papers addressing a variety of topics in secure database systems technology. The first paper by Qian and Lunt describes a MAC policy framework for multilevel relational databases. Much of the work in multilevel secure database management systems has focussed on the relational model. Various prototype systems as well as commercial products have been developed. This paper presents a formal framework to specify mandatory access control policies for relational database systems. More recently quite a few efforts have been reported on multilevel secure object-oriented database management systems. One such effort is reported in the second paper by Thomas and Sandhu. ‘They propose a trusted subject architecture for designing multilevel secure objectoriented databases. Transaction processing in multilevel secure database management systems is a major issue. Concurrency control algorithms such as locking are known to cause covert channels. The goal in secure transaction processing is to ensure consistency as well as security. The third paper by Smith, Blaustein, . Jajodia, and Notargiacomo describes a

High assurance composite systems

This paper describes a possible architecture for an MLS-secure distributed system based on a client/server model of interaction between components, and argues that a system with such an architecture can meet high levels of assurance using the same models and practices of existing stand-alone systems. The scope of the paper is limited to the label-based Mandatory Access Control Policy described in the U.S. Department of Defense Trusted Computer Security Evaluation Criteria (TCSEC) [DOD85], along with a number of supporting policies needed to support the mandatory policy. Mandatory policy enforcement was chosen as the topic for this paper in the belief that demonstration of composite trusted systems should proceed first with simple policies, and then later be extended to include other policies such as discretionary controls and availability.

With MVS/ESA security labels towards B1

IBM's MVS operating system at the level MVS/ESA 3.1.3 supplemented by RACF 1.9 has intentionally been designed to function as part of a trusted computer base with B1 security. Among the enhancements there is full support for security labels for both subjects and objects, allowing implementation of a mandatory access control policy and the use of MVS/ESA systems as multi-level security systems. The evolution of the MVS security mechanisms ultimately resulting in the introduction of security labels will be discussed from the view- point of the technical EDP-auditor.