The discretionary access controls (DAC) employed by traditional operating systems provide system administrators and users with only a loose ability to specify the security policies of the system. In contrast, mandatory access controls (MAC) provide a stronger, finer-grained mechanism for specifying and enforcing system security policies. A related security concept called the principle of least authority (POLA) states that subjects should only have access to the specific resources that they absolutely require to function properly at any given time. Although a number of existing projects (Plash and Polaris) seek to provide POLA implementations, these are not enforced using strong MAC. Conversely, existing MAC implementations (SELinux and AppArmor) do not provide rigorous POLA because they do not provide an effective mechanism for dynamic policy modification based on user preferences. This paper presents our solution to fill this void, called the Pluggable User-space Linux Security Environment (PULSE), which implements a MAC-enforced, dynamic, user-level POLA implementation. Through the use of user-space plug-ins to specify security policy, PULSE provides a high degree of dynamism, flexibility and usability that is not available in existing security architectures.