TY - GEN
T1 - Simplifying security policy descriptions for internet servers in secure operating systems
AU - Yokoyama, Toshihiro
AU - Hanaoka, Miyuki
AU - Shimamura, Makoto
AU - Kono, Kenji
PY - 2009/12/1
Y1 - 2009/12/1
N2 - Secure operating systems (secure OSes) are widely used to limit the damage caused by unauthorized access to Internet servers. However, writing a security policy based on the principle of least privilege for a secure OS is a challenge for an administrator. Considering that remote attackers can never attack a server before they establish connections to it, we propose a novel scheme that exploits phases to simplify security policy descriptions for Internet servers. In our scheme, the entire system has two execution phases: an initialization phase and a protocol processing phase. The initialization phase is defined as the phase before the server establishes connections to its clients, and the protocol processing phase is defined as the phase after it establishes connections. The key observation is that access control should be enforced by the secure OS only in the protocol processing phase to defend against remote attacks. Thus, we can omit the access-control policy in the initialization phase, which effectively reduces the number of policy rules. Our experimental results demonstrate that our scheme effectively reduces the number of descriptions; it eliminates 47.2%, 27.5%, and 24.0% of policy rules for HTTP, SMTP, and POP servers respectively, compared with an existing SELinux policy that includes the initialization of the server.
AB - Secure operating systems (secure OSes) are widely used to limit the damage caused by unauthorized access to Internet servers. However, writing a security policy based on the principle of least privilege for a secure OS is a challenge for an administrator. Considering that remote attackers can never attack a server before they establish connections to it, we propose a novel scheme that exploits phases to simplify security policy descriptions for Internet servers. In our scheme, the entire system has two execution phases: an initialization phase and a protocol processing phase. The initialization phase is defined as the phase before the server establishes connections to its clients, and the protocol processing phase is defined as the phase after it establishes connections. The key observation is that access control should be enforced by the secure OS only in the protocol processing phase to defend against remote attacks. Thus, we can omit the access-control policy in the initialization phase, which effectively reduces the number of policy rules. Our experimental results demonstrate that our scheme effectively reduces the number of descriptions; it eliminates 47.2%, 27.5%, and 24.0% of policy rules for HTTP, SMTP, and POP servers respectively, compared with an existing SELinux policy that includes the initialization of the server.
KW - Internet server
KW - Policy description
KW - SELinux
KW - Secure operating system
UR - http://www.scopus.com/inward/record.url?scp=72949115921&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=72949115921&partnerID=8YFLogxK
U2 - 10.1145/1529282.1529352
DO - 10.1145/1529282.1529352
M3 - Conference contribution
AN - SCOPUS:72949115921
SN - 9781605581668
T3 - Proceedings of the ACM Symposium on Applied Computing
SP - 326
EP - 333
BT - 24th Annual ACM Symposium on Applied Computing, SAC 2009
T2 - 24th Annual ACM Symposium on Applied Computing, SAC 2009
Y2 - 8 March 2009 through 12 March 2009
ER -