SecGuard: secure and practical integrity protection model for operating systems

  • Authors: Ennan Zhai; Qingni Shen; Yonggang Wang; Tao Yang; Liping Ding; Sihan Qing

  • Affiliations: School of Software and Microelectronics, Peking University, China and Institute of Software, Chinese Academy of Sciences, China; School of Software and Microelectronics and MoE Key Lab of Network and Software Assurance and Network & Information Security Lab, Institute of Software, Peking University, China; MoE Key Lab of Network and Software Assurance and Network & Information Security Lab, Institute of Software, Peking University, China; MoE Key Lab of Network and Software Assurance and Network & Information Security Lab, Institute of Software, Peking University, China; Institute of Software, Chinese Academy of Sciences, China; School of Software and Microelectronics, Peking University, China and Institute of Software, Chinese Academy of Sciences, China

  • Venue: APWeb'11 Proceedings of the 13th Asia-Pacific web conference on Web technologies and applications
  • Year: 2011

Abstract

Host compromise is a serious security problem for operating systems. Most previous solutions based on integrity protection models are difficult to use; on the other hand, usable integrity protection models can only provide limited protection. This paper presents SecGuard, a secure and practical integrity protection model. To ensure the security of systems, SecGuard provides provable guarantees for operating systems to defend against three categories of threats: network-based threats, IPC communication threats and contaminative file threats. To ensure practicability, SecGuard introduces several novel techniques. For example, SecGuard leverages existing discretionary access control information to initialize integrity labels for subjects and objects in the system. We developed a prototype system of SecGuard based on the Linux Security Modules (LSM) framework, and evaluated the security and practicability of SecGuard.