A feather-weight application isolation model

  • Authors:

  • Jianhua Liao;Yong Zhao;Changxiang Shen

  • Affiliations:

  • School of Electronics Engineering and Computer Science, Peking University, Beijing, China;Department of Computer Science and Technology, Beijing University of Technology, Beijing, China;Department of Computer Science and Technology, Beijing University of Technology, Beijing, China

  • Venue:
  • INTRUST'09 Proceedings of the First international conference on Trusted Systems
  • Year:
  • 2009

Quantified Score

Hi-index 0.00

Visualization

Abstract

In this paper, we introduce a new application isolation model which bases on Least-Privilege principle and Need-to-Know principle. Since this model is easy to implement, we call it the Feather-weight Application Isolation (FAI) model. This model is used to achieve the Process Permission Constraint (PPC) and classified Object Access Control (OAC). The model allows us to make application isolation depending on PPC policies and OAC policies. Compared with the existing complex isolation models such as sandboxes and virtual machines, the FAI model is simpler, and therefore it does not only meet the necessary security requirements but also increases the usability. To isolate applications and prevent classified objects of the applications from being illegally tampered, the FAI model extends the traditional two-dimensional access control matrix to a three-dimensional access control matrix, which includes subjects, objects and processes. In order to support multi-level security and Mandatory Access Control (MAC), the concept of processes sensitivity level ranges is considered in the model. In this article, we first give an informal description of the model, and then introduce the formalized description and safety analysis. Finally we explain the feasibility of the model by showing the result of the engineering implementation.