International Journal of Information Security

Volume 12, Issue 5, pp 393–422

The functionality-based application confinement model

  • Z. Cliffe Schreuders
  • Christian Payne
  • Tanya McGill
Regular Contribution

Abstract

This paper presents the functionality-based application confinement (FBAC) access control model. FBAC is an application-oriented access control model, intended to restrict processes to the behaviour that is authorised by end users, administrators, and processes, in order to limit the damage that malicious code, whether introduced through software vulnerabilities or as malware, can cause. FBAC is unique in its ability to limit applications to finely grained access control rules based on high-level, easy-to-understand, reusable policy abstractions; its ability to simultaneously enforce the application-oriented security goals of administrators, programs, and end users; its ability to dynamically activate and deactivate logically grouped portions of a process’s authority; its approach to process invocation history and intersection-based privilege propagation; its suitability to policy automation techniques; and the resulting usability benefits. Central to the model are ‘functionalities’, hierarchical and parameterised policy abstractions, which can represent features that applications provide; ‘confinements’, which can model simultaneous enforcement of multiple sets of policies to enforce a diverse range of types of application restrictions; and ‘applications’, which represent the processes to be confined. The paper defines the model in terms of structure (described in five components) and function, and serves as a culmination of our work thus far, reviewing the evaluation of the model that has been conducted to date.
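To make the abstract's three central concepts concrete, the following Python sketch is an added illustration written for this page; it is not the paper's formal model, nor code from the FBAC-LSM prototype. It encodes a functionality as a hierarchical, parameterised set of privileges, a confinement as one principal's (administrator, user or program) set of assigned functionalities that can be activated and deactivated at runtime, and a process as something whose every confinement must permit an operation, with an invoked child process further restricted to what its invoker permits (intersection-based propagation along the invocation history). The privilege tuple encoding, the use of shell-style `*` patterns for targets, the operation names and the sample browser/viewer policy are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class Functionality:
    """A hierarchical, parameterised policy abstraction (hypothetical encoding)."""
    name: str
    privileges: list                              # (operation, target pattern); "{param}" placeholders
    children: list = field(default_factory=list)  # sub-functionalities grouped under this one

    def expand(self, params):
        """Instantiate this functionality and its children with concrete parameter values."""
        privs = {(op, pat.format(**params)) for op, pat in self.privileges}
        for child in self.children:
            privs |= child.expand(params)
        return privs


@dataclass
class Confinement:
    """One principal's policy for an application: assigned functionalities, some of them active."""
    owner: str                       # "admin", "user" or "program" (assumed labels)
    assigned: dict                   # functionality name -> (Functionality, params)
    active: set = field(default_factory=set)

    def activate(self, name):
        self.active.add(name)

    def deactivate(self, name):
        """Switch off a logically grouped portion of authority without editing the policy."""
        self.active.discard(name)

    def permits(self, op, target):
        for name in self.active:
            func, params = self.assigned[name]
            if any(op == p_op and fnmatch(target, p_target)
                   for p_op, p_target in func.expand(params)):
                return True
        return False


@dataclass
class Process:
    app: str
    confinements: list                    # every confinement is enforced simultaneously
    invoked_by: "Process | None" = None   # invocation history (None = not invoked by a confined process)

    def permits(self, op, target):
        # All of this process's own confinements must agree (intersection of policies) ...
        own = all(c.permits(op, target) for c in self.confinements)
        if not own or self.invoked_by is None:
            return own
        # ... and so must every ancestor in the invocation chain (intersection-based propagation).
        return self.invoked_by.permits(op, target)

    def invoke(self, app, confinements):
        return Process(app, confinements, invoked_by=self)


def demo():
    """Constructed sample policy: a browser confined by admin and user, invoking a viewer."""
    web_browser = Functionality(
        "web_browser",
        [("net_connect", "tcp:*:80"), ("net_connect", "tcp:*:443")],
        children=[Functionality("downloads", [("read", "{download_dir}/*"),
                                              ("write", "{download_dir}/*")])])
    own_config = Functionality("own_config", [("read", "{config_dir}/*"),
                                              ("write", "{config_dir}/*")])
    params = {"download_dir": "/home/alice/Downloads", "config_dir": "/home/alice/.browser"}
    assigned = {"web_browser": (web_browser, params), "own_config": (own_config, params)}

    admin = Confinement("admin", dict(assigned), active={"web_browser", "own_config"})
    user = Confinement("user", dict(assigned), active={"web_browser", "own_config"})
    browser = Process("browser", [admin, user])

    out = {}
    out["download_write"] = browser.permits("write", "/home/alice/Downloads/report.pdf")  # True
    out["ssh_key_read"] = browser.permits("read", "/home/alice/.ssh/id_rsa")              # False

    # A viewer whose own policy is broad (read anything under the home directory) ...
    viewer_func = Functionality("viewer", [("read", "/home/alice/*")])
    viewer_conf = Confinement("admin", {"viewer": (viewer_func, {})}, active={"viewer"})
    viewer = browser.invoke("viewer", [viewer_conf])
    # ... is cut down to what its invoker may do when launched by the browser.
    out["viewer_download"] = viewer.permits("read", "/home/alice/Downloads/report.pdf")   # True
    out["viewer_ssh_key"] = viewer.permits("read", "/home/alice/.ssh/id_rsa")             # False

    # The user dynamically deactivates networking; other authority stays in place.
    out["https_before"] = browser.permits("net_connect", "tcp:example.org:443")          # True
    user.deactivate("web_browser")
    out["https_after"] = browser.permits("net_connect", "tcp:example.org:443")           # False
    out["config_after"] = browser.permits("read", "/home/alice/.browser/prefs")           # True
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point the sketch makes is that an application never gains authority by being assigned a broad functionality in one confinement: the administrator's, the user's and the invoking process's restrictions are all applied, and any one of them can deny an operation. Deactivating `web_browser` in the user's confinement illustrates the runtime narrowing of a logically grouped portion of authority, and the viewer shows how privilege is propagated by intersection rather than inherited wholesale.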

Keywords

Application-oriented access control; Sandboxing; Usable security; Policy abstraction


Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Z. Cliffe Schreuders (1)
  • Christian Payne (2)
  • Tanya McGill (2)
  1. School of Computing, Creative Technologies and Engineering, Leeds Metropolitan University, Leeds, West Yorkshire, UK
  2. School of Information Technology, Murdoch University, Murdoch, Australia
