Limiting the Damage Potential of Discretionary Trojan Horses

Karger, Paul A.

doi:10.1109/sp.1987.10011

Cited by 56 publications

(37 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Karger first proposed using access control for vulnerability mitigation while working on capability systems [18], and took as his threat model the trojan horse: subverted software working on behalf of the adversary. Contemporary compartmentalization for vulnerability mitigation, sometimes referred to as privilege separation, saw its foundations in work by Provos et al [35] and Kilpatrick [19], and has been applied to complex, security-relevant programs such as OpenSSH and the Chromium web browser, both of which hold substantial effective privilege and perform complex processing of untrustworthy, network-originated data.…”

Section: Conceptual Frameworkmentioning

confidence: 99%

Clean Application Compartmentalization with SOAAP

Gudka

Watson

Anderson

et al. 2015

Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Application compartmentalization, a vulnerability mitigation technique employed in programs such as OpenSSH and the Chromium web browser, decomposes software into isolated components to limit privileges leaked or otherwise available to attackers. However, compartmentalizing applications -and maintaining that compartmentalization -is hindered by ad hoc methodologies and significantly increased programming effort. In practice, programmers stumble through (rather than overtly reason about) compartmentalization spaces of possible decompositions, unknowingly trading off correctness, security, complexity, and performance. We present a new conceptual framework embodied in an LLVM-based tool: the Security-Oriented Analysis of Application Programs (SOAAP) that allows programmers to reason about compartmentalization using source-code annotations (compartmentalization hypotheses). We demonstrate considerable benefit when creating new compartmentalizations for complex applications, and analyze existing compartmentalized applications to discover design faults and maintenance issues arising from application evolution.

show abstract

Section: Conceptual Frameworkmentioning

confidence: 99%

Clean Application Compartmentalization with SOAAP

Gudka

Watson

Anderson

et al. 2015

Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…The work in [19,51] proposes interposing, between programs and the actual file system, a protected system imposing further restrictions. In particular, Boebert and Ferguson [19] forces all files to go through a dynamic linker that compares the name of the user who invoked the program, the name of the originator of the program, and the name of the owner of any data files.…”

Section: Authorization-based Information Flow Policiesmentioning

confidence: 99%

“…If a user invokes a program owned by someone else and the program attempts to write the user's files, the dynamic linker will recognize the name mismatch and raise an alarm. Karger [51] proposes instead the specification of name restrictions on the files that programs can access, and the refusal by the system of all access requests not satisfying the given patterns (e.g., a FORTRAN compiler may be restricted to read only files with suffix ".for" and to create only files with suffix ".obj" and ".lis").…”

Section: Authorization-based Information Flow Policiesmentioning

confidence: 99%

Access Control: Policies, Models, and Mechanisms

Samarati

Vimercati

2001

Lecture Notes in Computer Science

447

289

View full text Add to dashboard Cite

Abstract. Access control is the process of mediating every request to resources and data maintained by a system and determining whether the request should be granted or denied. The access control decision is enforced by a mechanism implementing regulations established by a security policy. Different access control policies can be applied, corresponding to different criteria for defining what should, and what should not, be allowed, and, in some sense, to different definitions of what ensuring security means. In this chapter we investigate the basic concepts behind access control design and enforcement, and point out different security requirements that may need to be taken into consideration. We discuss several access control policies, and models formalizing them, that have been proposed in the literature or that are currently under investigation.

show abstract

“…With a model-based reasoning, specific models of defending prescribed attacks can be developed [11]. Other approaches are either defining acceptable, as opposed to intrusive, behavior [15], or -on earlier stages of technology -are based on the introduction of trap doors for intruders (i.e. "bogus" user accounts with "magic" passwords, etc.)…”

Section: Related Workmentioning

confidence: 99%

Panoptis: Intrusion detection using a domain-specific language

Spinellis

Gritzalis

2002

JCS

View full text Add to dashboard Cite

We describe the use of a domain-specific language (DSL) for expressing critical design values and constraints in an intrusion detection application. Through the use of this specialised language, information that is critical to the correct operation of the software can be expressed in a form that can be easily drafted, verified, and maintained by domain experts (security officers), thus minimising the risk inherent from the mediation of software engineers. Our application, Panoptis, is a DSL-based low-cost, easyto-use intrusion detection system using the process accounting records kept by most Unix systems. A set of database tables contain resource usage profiles for processes, terminals, users, and time intervals. Panoptis monitors new process data against the recorded profiles and reports on entities diverging from the established resource usage envelopes implying possible data security threats. We demonstrate the operation of Panoptis by a case study of a real attack and subsequent system compromise that occured on a system under our administrative control.

show abstract

Limiting the Damage Potential of Discretionary Trojan Horses

Cited by 56 publications

References 4 publications

Clean Application Compartmentalization with SOAAP

Clean Application Compartmentalization with SOAAP

Access Control: Policies, Models, and Mechanisms

Panoptis: Intrusion detection using a domain-specific language

Contact Info

Product

Resources

About