An algebra for composing access control policies
ACM Transactions on Information and System Security (TISSEC)
Policy management using access control spaces
ACM Transactions on Information and System Security (TISSEC)
The UCONABC usage control model
ACM Transactions on Information and System Security (TISSEC)
Certificate-based access control for widely distributed resources
SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
The iphone book: how to do the things you want to do with your iphone
The iphone book: how to do the things you want to do with your iphone
Realizing dynamic behavior attestation for mobile platforms
Proceedings of the 7th International Conference on Frontiers of Information Technology
Porscha: policy oriented secure content handling in Android
Proceedings of the 26th Annual Computer Security Applications Conference
Practical and lightweight domain isolation on Android
Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
Semantically rich application-centric security in Android
Security and Communication Networks
SEC'13 Proceedings of the 22nd USENIX conference on Security
Hi-index | 0.00 |
In this paper, we present a mandatory access control system that uses input from multiple stakeholders to compose policies based on runtime information. In the emerging open cell phone system environment, many devices run software whose access permissions depends on multiple stakeholders, such as the device owner, the service provider, the application owner, etc., rather than a single system administrator. However, current access control administration remains as either discretionary, allowing the running and perhaps compromised process to administer permissions, or mandatory, requiring a system administrator to know all permissions for all possible legal runs. A key problem is that users may download arbitrary programs to their devices, requiring that the system contain such programs while allowing some reasonable functionality. However, such programs may need access to permissions that in combination with other conflicting permissions may lead to an attack, such as allowing voice-over-IP calls. In our approach, we use a "soft" sand-boxing mechanism to first contain such processes, request the stakeholder to authorize operations outside the sandbox that are not prohibited by policy, and maintain a runtime execution role for the process to identify its access state to the stakeholders. We define a proxy policy server that caches and combines stakeholder policies to make such access decisions. Our framework was implemented by modifying the SELinux module and using a remote proxy policy server, although a local proxy policy server is also possible. We incur a 0.288 ts performance overhead only when stakeholders need to be consulted, and new permissions are cached.