A Secure and Efficient File System Access Control Mechanism (FlexFS)

  • Jihane Najar
  • Vassilis Prevelakis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11398)


The FlexFS approach provides an effective credential-based access control mechanism while ensuring file access performance equivalent to that of the normal file system. This is achieved by decoupling the file system naming and access control layer from the block I/O layer. By intercepting and redefining file system API calls in libc (e.g. open(2)), we allow any existing executable to use FlexFS while keeping FlexFS as a user-level system without any changes to the kernel. This allows for rapid experimentation without impacting system stability.


Keywords: Access control, File system, Credentials, Opencall, Wrapper functions



This work was supported by the European Commission Horizon 2020 through project H2020-DS-SC7-2017 “THREAT-ARREST” under Grant Agreement No. 786890.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Institute of Computer and Network Engineering, TU Braunschweig, Braunschweig, Germany
