Enhancing the OS against Security Threats in System Administration

  • Nuno Santos
  • Rodrigo Rodrigues
  • Bryan Ford
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7662)


The consequences of security breaches due to system administrator errors can be catastrophic. Software systems in general, and OSes in particular, ultimately depend on a fully trusted administrator whom is granted superuser privileges that allow him to fully control the system. Consequently, an administrator acting negligently or unethically can easily compromise user data in irreversible ways by leaking, modifying, or deleting data. In this paper we propose a new set of guiding principles for OS design that we call the broker security model. Our model aims to increase OS security without hindering manageability. This is achieved by a two-step process that (1) restricts administrator privileges to preclude inspection and modification of user data, and (2) allows for management tasks that are mediated by a layer of trusted programs—brokers—interposed between the management interface and system objects. We demonstrate the viability of this approach by building BrokULOS, a Linux-based OS that suppresses superuser privileges and exposes a narrow management interface consisting of a set of tailor-made brokers. Our evaluation shows that our modifications to Linux add negligible overhead to applications while preserving system manageability.


Information Security Cloud Provider Security Threat Kernel Module User Account 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Federal Government’s Cloud Plans: A $20 Billion Shift,
  2. 2.
    Lxc Linux Containers,
  3. 3.
  4. 4.
  5. 5.
    Verizon to Put Medical Records in the Cloud,
  6. 6.
    Insecurity of Privileged Users: Global Survey of IT Practitioners. Tech. rep. Ponem Institute and HP (2011),
  7. 7.
  8. 8.
    Bell, E.D., La Padula, J.L.: Secure computer system: Unified exposition and Multics interpretation. Tech. rep. MITRE Corp. (1976)Google Scholar
  9. 9.
    Biba, K.J.: Integrity considerations for secure computer systems. Tech. rep. MITRE Corp. (1977)Google Scholar
  10. 10.
    Clark, D.D., Wilson, D.R.: A Comparison of Commercial and Military Computer Security Policies. In: IEEE Symposium on Security and Privacy (1987)Google Scholar
  11. 11.
    Colp, P., Nanavati, M., Zhu, J., Aiello, W., Coker, G., Deegan, T., Loscocco, P., Warfield, A.: Breaking up is hard to do: security and functionality in a commodity hypervisor. In: SOSP (2011)Google Scholar
  12. 12.
  13. 13.
  14. 14.
    GBdirect: Linux System Administration (2004),
  15. 15.
    Hamilton, J.: An Architecture for Modular Data Centers. In: CIDR (2007)Google Scholar
  16. 16.
    Härtig, H., Hohmuth, M., Feske, N., Helmuth, C., Lackorzynski, A., Mehnert, F., Peter, M.: The Nizza Secure-system Architecture. In: CollaborateCom (2005)Google Scholar
  17. 17.
    Esteve, J., Boldrito, R.: GNU/Linux Advanced Administration (2007)Google Scholar
  18. 18.
    Kamp, P., Watson, R.N.M.: Jails: Confining the omnipotent root. In: SANE 2000 (2000)Google Scholar
  19. 19.
    Keeney, M.: Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors. Tech. rep. U.S. Secret Service and CMU (2005),
  20. 20.
    Kim, T., Zeldovich, N.: Making Linux Protection Mechanisms Egalitarian with UserFS. In: USENIX Security Symposium 2010 (2010)Google Scholar
  21. 21.
    Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: Formal verification of an OS kernel. In: SOSP (2009)Google Scholar
  22. 22.
    Kowalski, E.: Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector. Tech. rep. U.S. Secret Service and CMU (2008),
  23. 23.
    Krohn, M., Yip, A., Brodsky, M., Cliffer, N., Kaashoek, M.F., Kohler, E., Morris, R.: Information Flow Control for Standard OS Abstractions. In: SOSP (2007)Google Scholar
  24. 24.
    McCune, J.M., Li, Y., Qu, N., Zhou, Z., Datta, A., Gligor, V.D., Perrig, A.: TrustVisor: Efficient TCB Reduction and Attestation. In: IEEE Symposium on Security and Privacy (2010)Google Scholar
  25. 25.
    McCune, J.M., Parno, B., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: An Execution Infrastructure for TCB Minimization. In: EuroSys (2008)Google Scholar
  26. 26.
  27. 27.
    Murray, D.G., Milos, G., Hand, S.: Improving Xen Security Through Disaggregation. In: VEE (2008)Google Scholar
  28. 28.
    Myers, A.C., Liskov, B.: A Decentralized Model for Information Flow Control. In: SOSP (1997)Google Scholar
  29. 29.
    NSA: Security-Enhanced Linux (SELinux) (2001),
  30. 30.
    Parno, B., McCune, J.M., Perrig, A.: Bootstrapping Trust in Commodity Computers. In: IEEE Symposium on Security and Privacy (2010)Google Scholar
  31. 31.
    Cox, R., Grosse, E., Pike, R., Presotto, D., Quinlan, S.: Security in Plan 9. In: USENIX Security Symposium 2002 (2002)Google Scholar
  32. 32.
    Santos, N., Rodrigues, R., Gummadi, K.P., Saroiu, S.: Policy-Sealed Data: A New Abstraction for Building Trusted Cloud Services. In: USENIX Security (2012)Google Scholar
  33. 33.
    Sirer, E.G., de Bruijn, W., Reynold, P., Shieh, A., Walsh, K., Williams, D., Schneider, F.B.: Logical Attestation: An Authorization Architecture for Trustworthy Computing. In: SOSP (2011)Google Scholar
  34. 34.
    Steinberg, U., Kauer, B.: NOVA: A Microhypervisor-Based Secure Virtualization Architecture. In: Eurosys (2010)Google Scholar
  35. 35.
    Wirzenius, L., Oja, J., Stafford, S., Weeks, A.: The Linux System Administrator’s Guide (1993-2004),
  36. 36.
    Zeldovich, N., Boyd-Wickizer, S., Kohler, E., Mazières, D.: Making Information Flow Explicit in HiStar. In: OSDI (2006)Google Scholar
  37. 37.
    Zhang, F., Chen, J., Chen, H., Zang, B.: CloudVisor: Retrofitting Protection of Virtual Machines in Multi-tenant Cloud with Nested Virtualization. In: SOSP (2011)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Nuno Santos
    • 1
  • Rodrigo Rodrigues
    • 2
  • Bryan Ford
    • 3
  1. 1.MPI-SWSGermany
  2. 2.CITIUniversidade Nova de LisboaPortugal
  3. 3.Yale UniversityUS

Personalised recommendations