We address the problem of restricting root's ability to change arbitrary files on disk, in order to prevent abuse on most current desktop operating systems. The approach first involves recognizing and separating out the ability to configure a system from the ability to use the system to perform tasks. The permission to modify the configuration of the system is then further subdivided in order to restrict applications from modifying the file-system objects of other applications. We explore the division of root's current ability to change arbitrary files on disk and discuss a prototype that proves out the viability of the approach for designated system-wide file-system objects. Our architecture exposes a control point that can be used to enforce policies that prevent one application from modifying another's file-system objects. In addition, we review in detail the permissions given to current installers, as well as alternative approaches for secure software installation.