Protection of Components Based on a Smart-Card Enhanced Security Module

  • Joaquín García-Alfaro
  • Sergio Castillo
  • Jordi Castellà-Roca
  • Guillermo Navarro
  • Joan Borrell
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4347)


We present in this paper the use of a security mechanism to handle the protection of network security components, such as Firewalls and Intrusion Detection Systems. Our approach consists of a kernel-based access control method which intercepts and cancels forbidden system calls launched by a potential remote attacker. This way, even if the attacker gains administration permissions, she will not achieve her purpose. To solve the administration constraints of our approach, we use a smart-card based authentication mechanism for ensuring the administrator’s identity. Through the use of a cryptographic protocol, the protection mechanism verifies administrator’s actions before holding her the indispensable privileges to manipulate a component. Otherwise, the access control enforcement will come to its normal operation. We also show in this paper an overview of the implementation of this mechanism on a research prototype, developed for GNU/Linux systems, over the Linux Security Modules (LSM) framework.


Access Control System Call Intrusion Detection System Authentication Protocol Message Authentication Code 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Akkerman, W.: Strace,
  2. 2.
    Borchardt, M., Maziero, C., Jamhour, E.: An architecture for on-the-fly file integrity checking. In: Latin American Symposium on Dependable Computing, Brazil, pp. 117–126 (2003)Google Scholar
  3. 3.
    García, J., Autrel, F., Borrell, J., Castillo, S., Cuppens, F., Navarro, G.: Decentralized publish/subscribe system to prevent coordinated attacks via alert correlation. In: López, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 223–235. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  4. 4.
    García, J., Castillo, S., Navarro, G., Borrell, J.: ACAPS: An Access Control Mechanism to Protect the Components of an Attack Prevention System. Journal of Computer Science and Network Security 5(11), 87–94 (2005)Google Scholar
  5. 5.
    García, J., Castillo, S., Navarro, G., Borrell, J.: Mechanisms for Attack Protection on a Prevention Framework. In: 39th Annual IEEE International Carnahan Conference on Security Technology, Spain, October 2005, pp. 137–140 (2005)Google Scholar
  6. 6.
    Geer, D.: Just How Secure Are Security Products? IEEE Computer 37(6), 14–16 (2004)Google Scholar
  7. 7.
    Herzog, A., Shahmehri, N.: Using the Java Sandbox for Resource Control. In: 7th Nordic Workshop on Secure IT Systems (NORDSEC 2002), Linköpings universitet, Linköping, Sweden (2002)Google Scholar
  8. 8.
    Hope, P.: Using Jails in FreeBSD for Fun and Profit. Login; The Magazine of Usenix & Sage 27(3), 48–55 (2002)Google Scholar
  9. 9.
    Loscocco, P., Smalley, S.: Integrating Flexible Support for Security Policies into the Linux Operating System. In: 11th FREENIX Track: 2001 USENIX Annual Technical Conference, USA (2001)Google Scholar
  10. 10.
    McVoy, L.: LMbench, Portable Tools for Performance Analysis. In: 1996 USENIX Annual Technical Conference, USA (1996)Google Scholar
  11. 11.
    Ott, A.: The Role Compatibility Security Model. In: 7th Nordic Workshop on Secure IT Systems, Sweden (November 2002)Google Scholar
  12. 12.
    Viega, J., McGraw, G.: Building Secure Software - How to Avoid Security Problems the Right Way. Addison-Wesley, Reading (2002)Google Scholar
  13. 13.
    Wright, C., Cowan, C., Smalley, S., Morris, J., Kroah-Hartman, G.: Linux Security Modules: General Security Support for the Linux Kernel. In: 11th USENIX Security Symposium, USA (2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Joaquín García-Alfaro
    • 1
  • Sergio Castillo
    • 1
  • Jordi Castellà-Roca
    • 2
  • Guillermo Navarro
    • 1
  • Joan Borrell
    • 1
  1. 1.DEIC-UABBellaterra (Catalonia)Spain
  2. 2.DEiM-ETSE-URVTarragona (Catalonia)Spain

Personalised recommendations