Empirical privilege profiling

Marceau, Carla; Joyce, Robert

doi:10.1145/1146269.1146294

Cited by 6 publications

(10 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These privilege associations provide very little policy abstraction other than the granularity of the privileges assigned making the policy either inexpressive or extremely large and complex (Garfinkel, 2003). Translating high level security goals into finely grained policies is difficult, making these policies difficult to both construct and verify for correctness (Marceau and Joyce, 2005).…”

Section: Application-oriented Access Control Modelsmentioning

confidence: 99%

See 1 more Smart Citation

FUNCTIONALITY-BASED APPLICATION CONFINEMENT - Parameterised Hierarchical Application Restrictions

Schreuders

Payne²

2008

Proceedings of the International Conference on Security and Cryptography

View full text Add to dashboard Cite

Abstract:Traditional user-oriented access control models such as Mandatory Access Control (MAC) and Discretionary Access Control (DAC) cannot differentiate between processes acting on behalf of users and those behaving maliciously. Consequently, these models are limited in their ability to protect users from the threats posed by vulnerabilities and malicious software as all code executes with full access to all of a user's permissions. Application-oriented schemes can further restrict applications thereby limiting the damage from malicious code. However, existing application-oriented access controls construct policy using complex and inflexible rules which are difficult to administer and do not scale well to confine the large number of feature-rich applications found on modern systems. Here a new model, Functionality-Based Application Confinement (FBAC), is presented which confines applications based on policy abstractions that can flexibly represent the functional requirements of applications. FBAC policies are parameterised allowing them to be easily adapted to the needs of individual applications. Policies are also hierarchical, improving scalability and reusability while conveniently abstracting policy detail where appropriate. Furthermore the layered nature of policies provides defence in depth allowing policies from both the user and administrator to provide both discretionary and mandatory security. An implementation FBAC-LSM and its architecture are also introduced.

show abstract

Section: Application-oriented Access Control Modelsmentioning

confidence: 99%

“…For example, although a DTE domain represents a policy abstraction, domains typically apply to a single application only (Marceau and Joyce, 2005). Additionally, there is significant overlap of privileges granted to compiled domain policies and yet domains are specified separately (Jaeger et al, 2003).…”

Section: Application-oriented Access Control Modelsmentioning

confidence: 99%

FUNCTIONALITY-BASED APPLICATION CONFINEMENT - Parameterised Hierarchical Application Restrictions

Schreuders

Payne²

2008

Proceedings of the International Conference on Security and Cryptography

View full text Add to dashboard Cite

show abstract

“…In this project, the wrapper technology was further developed to map the locations of DLLs in memory, trace the program stack from the call to ntdll.dll up to the call from the main binary, and to note the transitions from one DLL to another. This technique made it possible to track calls between executables; the technology was also used in a successful DARPA-funded effort [Marceau05] to profile resource use by applications.…”

Section: Performance Penalty For a MIX Of Dll Functionsmentioning

confidence: 99%

Distinguishing Novel Usage From Novel Attacks

Marceau¹

2006

Self Cite

View full text Add to dashboard Cite

Public Reporting Burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. ABSTRACTIn this project, ATC-NY is developing methods for evaluating anomalous behavior concurrently with reacting to it. Anomalous events that are not so suspicious as to cause an immediate alarm are continually reexamined in the light of later events, with the goal of eventually understanding whether they are benign or malign. As time goes on, the IDS should become familiar with common attacks, even while it continually adapts to small changes in normal behavior. By focusing on the long-term problem (building up knowledge), the proposed IDS should become better over time at solving the short-term problem (detecting attacks).

show abstract

“…This innovation is made possible by empirical privilege profiling, an automatic technique pioneered by the proposed principal investigator [Marceau05] that identifies how resources are used by an application. A naYve approach might be to simply list, for example, the files used by an application during execution; however, such an approach fails to abstract away from actual files to concepts such as "the log file" or "the file being edited."…”

mentioning

confidence: 99%

“…As described in [Marceau05], empirical privilege profiling depends on knowing the location where control left an application binary and (possibly through various library functions) resulted in a call to a kernel operation. Further, this technique is not applicable to programs written in interpreted languages-such as Java or languages compiled with .Net-since for such applications, the binary executable is the interpreter.…”

mentioning

confidence: 99%

AppMon: Application Monitors for Not-Yet-Trusted Software

Marceau¹,

Kozen²

2007

Self Cite

View full text Add to dashboard Cite

Public reporting burden for this collection of information is estimated to average 1 hour per response, incuding the time for reviewing instructions, searching eidsting dam sources, gathering and maintaining the data needed and corpleting and revewing this collection of information. Send comments regarding this burden estimate or any other aspect d this collection of information, including suggestion; for reducing this burden to Department of Defense, Washington Headquarters Services, Directoratefor Information Operations and Rsporta (0704-0188), 1215 Jefferson Davis Highway, Suite 1204, Arlngton, VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number PLEASE DO NOT RETURN YOUR FORM TO THE ABOVE ADDRESS. REPORT DATE (DD-MM-YYYY)2 Report developed under STTR contract for topic OSD06-SP2. AppMon represents a novel approach to monitoring the behavior of not-yettrusted applications that avoids the disadvantages of current approaches. It is based on a self-customizing monitor that constrains the application's use of computer resources. A self-customizing monitor learns how the application normally uses computer resources and does not interfere with normal use. However, when the application uses resources in an unusual way, AppMon prevents potentially harmful accesses. Self-customizing monitors satisfy three important requirements on application security monitors. First, the application can be run immediately without testing or training. Second, customization is automatic, so only minimal demands are made on the user and system administrator. Finally, the self-customizing monitors are applicable to a wide variety of applications, including those that read and write files, read and write registry keys, invoke other processes, and use the Internet.

show abstract

Empirical privilege profiling

Cited by 6 publications

References 9 publications

FUNCTIONALITY-BASED APPLICATION CONFINEMENT - Parameterised Hierarchical Application Restrictions

FUNCTIONALITY-BASED APPLICATION CONFINEMENT - Parameterised Hierarchical Application Restrictions

Distinguishing Novel Usage From Novel Attacks

AppMon: Application Monitors for Not-Yet-Trusted Software

Contact Info

Product

Resources

About