Logo image
Back
Reusability of functionality-based application confinement policy abstractions
Conference paper   Open access

Reusability of functionality-based application confinement policy abstractions

Z.C. Schreuders and C. Payne
Springer-Verlag
10th International Conference on Information and Communications Security (ICICS 2008) (Birmingham, 20/10/2008–22/10/2008)
2008
pdf
reusability.pdfDownloadView
Author’s Version Open Access
url
Link to Published Version *Subscription may be requiredView

Abstract

Traditional access control models and mechanisms struggle to contain the threats posed by malware and software vulnerabilities as these cannot differentiate between processes acting on behalf of users and those posing threats to users’ security as every process executes with the full set of the user's privileges. Existing application confinement schemes attempt to address this by limiting the actions of particular processes. However, the management of these mechanisms requires security-specific expertise which users and administrators often do not possess. Further, these models do not scale well to confine the large number of applications found on functionality-rich contemporary systems. This paper describes how the principles of role-based access control (RBAC) can be applied to the problem of restricting an application's behaviour. This approach provides a more flexible, scalable and easier to manage confinement paradigm that requires far less in terms of user expertise than existing schemes. Known as functionality-based application confinement (FBAC), this model significantly mitigates the usability limitations of existing approaches. We present a case study of a Linux-based implementation of FBAC known as FBAC-LSM and demonstrate the flexibility and scalability of the FBAC model.

Details

Metrics

312 File views/ downloads
64 Record Views
Logo image