Reducing security policy size for internet servers in secure operating systems

Toshihiro Yokoyama, Miyuki Hanaoka, Makoto Shimamura, Kenji Kono, Takahiro Shinagawa

Research output: Contribution to journal › Article

Abstract

Secure operating systems (secure OSes) are widely used to limit the damage caused by unauthorized access to Internet servers. However, writing a security policy based on the principle of least privilege for a secure OS is a challenge for an administrator. Considering that remote attackers can never attack a server before they establish connections to it, we propose a novel scheme that exploits phases to simplify security policy descriptions for Internet servers. In our scheme, the entire system has two execution phases: an initialization phase and a protocol processing phase. The initialization phase is defined as the phase before the server establishes connections to its clients, and the protocol processing phase is defined as the phase after it establishes connections. The key observation is that access control should be enforced by the secure OS only in the protocol processing phase to defend against remote attacks. Since remote attacks cannot be launched in the initialization phase, a secure OS is not required to enforce access control in this phase. Thus, we can omit the access-control policy in the initialization phase, which effectively reduces the number of policy rules. To prove the effectiveness of our scheme, we wrote security policies for three kinds of Internet servers (HTTP, SMTP, and POP servers). Our experimental results demonstrate that our scheme effectively reduces the number of descriptions; it eliminates 47.2%, 27.5%, and 24.0% of policy rules for HTTP, SMTP, and POP servers, respectively, compared with an existing SELinux policy that includes the initialization of the server.
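As an added illustration of the two-phase scheme described in the abstract (this is example code written for this page, not code from the paper or from SELinux), the Python sketch below models a reference monitor that enforces a (domain, type, permission) allow-list only after the first accepted client connection, and counts how many rules a conventional policy needs that the phase-based one can omit. The domain and type names, the sample rules, the accept()-triggered transition and the resulting percentage are all constructed for the example; the paper's reported reductions (47.2%, 27.5%, 24.0%) were measured against a real SELinux policy, not against this toy.

```python
"""Toy phase-aware reference monitor for the two-phase policy scheme.

Added illustration; not code from the paper.  Domain/type names, the
rules below, and the accept()-triggered switch are constructed examples.
"""
from enum import Enum


class Phase(Enum):
    INIT = "initialization"            # before any client connection
    PROTOCOL = "protocol processing"   # after the first accept()


class AccessDenied(PermissionError):
    """Raised when an access is rejected in the protocol processing phase."""


class PhaseMonitor:
    """Enforces (domain, type, perm) allow rules only in the protocol phase."""

    def __init__(self, domain, protocol_rules):
        self.domain = domain
        self.rules = frozenset(protocol_rules)   # the only rules we must write
        self._phase = Phase.INIT
        self.audit = []                          # (decision, type, perm)

    @property
    def phase(self):
        return self._phase

    @phase.setter
    def phase(self, new_phase):
        # One-way transition: once a remote peer can talk to the server
        # there must be no way back to the unrestricted phase.
        if self._phase is Phase.PROTOCOL and new_phase is Phase.INIT:
            raise RuntimeError("phase transition is one-way")
        self._phase = new_phase

    def accept_connection(self):
        """The first accepted client connection ends initialization."""
        self.phase = Phase.PROTOCOL

    def check(self, obj_type, perm):
        """Return True if allowed; raise AccessDenied otherwise."""
        if self.phase is Phase.INIT:
            # No remote attacker can exist yet, so nothing is enforced
            # and no rule needs to be written for this access.
            self.audit.append(("init-unchecked", obj_type, perm))
            return True
        if (self.domain, obj_type, perm) in self.rules:
            self.audit.append(("allow", obj_type, perm))
            return True
        self.audit.append(("deny", obj_type, perm))
        raise AccessDenied(f"{self.domain}: {perm} on {obj_type} denied")


def reduction_percent(conventional_policy, phase_policy):
    """Percentage of conventional rules that the phase-based policy omits."""
    omitted = len(conventional_policy) - len(phase_policy)
    return round(100.0 * omitted / len(conventional_policy), 1)


DOMAIN = "httpd_t"   # hypothetical server domain

# Constructed sample: accesses an HTTP daemon needs only while starting up.
INIT_ONLY_RULES = {
    (DOMAIN, "httpd_config_t", "read"),
    (DOMAIN, "httpd_key_t", "read"),        # TLS private key
    (DOMAIN, "http_port_t", "name_bind"),
    (DOMAIN, "self", "setuid"),             # drop root after binding
    (DOMAIN, "httpd_var_run_t", "write"),   # pid file
}
# Constructed sample: accesses needed while serving clients.
PROTOCOL_RULES = {
    (DOMAIN, "httpd_content_t", "read"),
    (DOMAIN, "httpd_log_t", "append"),
    (DOMAIN, "httpd_cache_t", "write"),
    (DOMAIN, "httpd_tmp_t", "create"),
}
# A conventional policy must cover both phases.
CONVENTIONAL_POLICY = INIT_ONLY_RULES | PROTOCOL_RULES


def run_demo():
    """Start the server, accept a client, then have a compromised worker
    try to read the private key.  Returns (key_leaked, audit_trail)."""
    mon = PhaseMonitor(DOMAIN, PROTOCOL_RULES)
    mon.check("httpd_config_t", "read")     # init: unchecked, no rule needed
    mon.check("httpd_key_t", "read")
    mon.check("http_port_t", "name_bind")
    mon.accept_connection()                 # remote attacker now reachable
    mon.check("httpd_content_t", "read")    # allowed by a protocol rule
    try:
        mon.check("httpd_key_t", "read")    # post-compromise attempt
        key_leaked = True
    except AccessDenied:
        key_leaked = False
    return key_leaked, mon.audit


if __name__ == "__main__":
    leaked, trail = run_demo()
    print("key leaked:", leaked)
    for entry in trail:
        print(*entry)
    print("rules omitted:", reduction_percent(CONVENTIONAL_POLICY, PROTOCOL_RULES), "%")
```

Two points the toy makes visible. First, the rules that exist only to start the server (private key, port bind, setuid, pid file) are exactly the ones a compromised worker would most like to reuse, and dropping them from the enforced policy denies that reuse after the first connection. Second, the phase switch has to be irreversible: if the process could return to the unchecked initialization phase after a peer is connected, the omitted rules would become an attacker's privileges rather than an administrator's saving. The example also inherits the abstract's threat model, which is remote attackers only; a local attacker or a malicious configuration file acting before the first connection is outside what this scheme protects against.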

Original language: English
Pages (from-to): 2196-2206
Number of pages: 11
Journal: IEICE Transactions on Information and Systems
Volume: E92-D
Issue number: 11
DOIs: 10.1587/transinf.E92.D.2196
Publication status: Published - 2009

Fingerprint

Computer operating systems
Servers
Internet
Access control
HTTP
Network protocols
Processing
Computer systems

Keywords

  • Internet server
  • Policy description
  • Secure operating system
  • SELinux

ASJC Scopus subject areas

  • Electrical and Electronic Engineering
  • Software
  • Artificial Intelligence
  • Hardware and Architecture
  • Computer Vision and Pattern Recognition

Cite this

Reducing security policy size for internet servers in secure operating systems. / Yokoyama, Toshihiro; Hanaoka, Miyuki; Shimamura, Makoto; Kono, Kenji; Shinagawa, Takahiro.

In: IEICE Transactions on Information and Systems, Vol. E92-D, No. 11, 2009, p. 2196-2206.

Research output: Contribution to journal › Article

Yokoyama, Toshihiro ; Hanaoka, Miyuki ; Shimamura, Makoto ; Kono, Kenji ; Shinagawa, Takahiro. / Reducing security policy size for internet servers in secure operating systems. In: IEICE Transactions on Information and Systems. 2009 ; Vol. E92-D, No. 11. pp. 2196-2206.
@article{c6279e734f5f432092718b5cb0034cca,
title = "Reducing security policy size for internet servers in secure operating systems",
abstract = "Secure operating systems (secure OSes) are widely used to limit the damage caused by unauthorized access to Internet servers. However, writing a security policy based on the principle of least privilege for a secure OS is a challenge for an administrator. Considering that remote attackers can never attack a server before they establish connections to it, we propose a novel scheme that exploits phases to simplify security policy descriptions for Internet servers. In our scheme, the entire system has two execution phases: an initialization phase and a protocol processing phase. The initialization phase is defined as the phase before the server establishes connections to its clients, and the protocol processing phase is defined as the phase after it establishes connections. The key observation is that access control should be enforced by the secure OS only in the protocol processing phase to defend against remote attacks. Since remote attacks cannot be launched in the initialization phase, a secure OS is not required to enforce access control in this phase. Thus, we can omit the access-control policy in the initialization phase, which effectively reduces the number of policy rules. To prove the effectiveness of our scheme, we wrote security policies for three kinds of Internet servers (HTTP, SMTP, and POP servers). Our experimental results demonstrate that our scheme effectively reduces the number of descriptions; it eliminates 47.2{\%}, 27.5{\%}, and 24.0{\%} of policy rules for HTTP, SMTP, and POP servers, respectively, compared with an existing SELinux policy that includes the initialization of the server.",
keywords = "Internet server, Policy description, Secure operating system, SELinux",
author = "Toshihiro Yokoyama and Miyuki Hanaoka and Makoto Shimamura and Kenji Kono and Takahiro Shinagawa",
year = "2009",
doi = "10.1587/transinf.E92.D.2196",
language = "English",
volume = "E92-D",
pages = "2196--2206",
journal = "IEICE Transactions on Information and Systems",
issn = "0916-8532",
publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
number = "11",

}

TY - JOUR

T1 - Reducing security policy size for internet servers in secure operating systems

AU - Yokoyama, Toshihiro

AU - Hanaoka, Miyuki

AU - Shimamura, Makoto

AU - Kono, Kenji

AU - Shinagawa, Takahiro

PY - 2009

Y1 - 2009

N2 - Secure operating systems (secure OSes) are widely used to limit the damage caused by unauthorized access to Internet servers. However, writing a security policy based on the principle of least privilege for a secure OS is a challenge for an administrator. Considering that remote attackers can never attack a server before they establish connections to it, we propose a novel scheme that exploits phases to simplify security policy descriptions for Internet servers. In our scheme, the entire system has two execution phases: an initialization phase and a protocol processing phase. The initialization phase is defined as the phase before the server establishes connections to its clients, and the protocol processing phase is defined as the phase after it establishes connections. The key observation is that access control should be enforced by the secure OS only in the protocol processing phase to defend against remote attacks. Since remote attacks cannot be launched in the initialization phase, a secure OS is not required to enforce access control in this phase. Thus, we can omit the access-control policy in the initialization phase, which effectively reduces the number of policy rules. To prove the effectiveness of our scheme, we wrote security policies for three kinds of Internet servers (HTTP, SMTP, and POP servers). Our experimental results demonstrate that our scheme effectively reduces the number of descriptions; it eliminates 47.2%, 27.5%, and 24.0% of policy rules for HTTP, SMTP, and POP servers, respectively, compared with an existing SELinux policy that includes the initialization of the server.

AB - Secure operating systems (secure OSes) are widely used to limit the damage caused by unauthorized access to Internet servers. However, writing a security policy based on the principle of least privilege for a secure OS is a challenge for an administrator. Considering that remote attackers can never attack a server before they establish connections to it, we propose a novel scheme that exploits phases to simplify security policy descriptions for Internet servers. In our scheme, the entire system has two execution phases: an initialization phase and a protocol processing phase. The initialization phase is defined as the phase before the server establishes connections to its clients, and the protocol processing phase is defined as the phase after it establishes connections. The key observation is that access control should be enforced by the secure OS only in the protocol processing phase to defend against remote attacks. Since remote attacks cannot be launched in the initialization phase, a secure OS is not required to enforce access control in this phase. Thus, we can omit the access-control policy in the initialization phase, which effectively reduces the number of policy rules. To prove the effectiveness of our scheme, we wrote security policies for three kinds of Internet servers (HTTP, SMTP, and POP servers). Our experimental results demonstrate that our scheme effectively reduces the number of descriptions; it eliminates 47.2%, 27.5%, and 24.0% of policy rules for HTTP, SMTP, and POP servers, respectively, compared with an existing SELinux policy that includes the initialization of the server.

KW - Internet server

KW - Policy description

KW - Secure operating system

KW - SELinux

UR - http://www.scopus.com/inward/record.url?scp=77950233691&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=77950233691&partnerID=8YFLogxK

U2 - 10.1587/transinf.E92.D.2196

DO - 10.1587/transinf.E92.D.2196

M3 - Article

AN - SCOPUS:77950233691

VL - E92-D

SP - 2196

EP - 2206

JO - IEICE Transactions on Information and Systems

JF - IEICE Transactions on Information and Systems

SN - 0916-8532

IS - 11

ER -