Real-time Access Control Reconfiguration By Ashish Gehani and - - PowerPoint PPT Presentation



SLIDE 1

Real-time Access Control Reconfiguration

By Ashish Gehani and Gershon Kedem Department of Computer Science, Duke University

SLIDE 2

Introduction

  • Internet growth

⇒ Increasingly frequent attacks

  • Heterogeneous deployed software

⇒ More exploitable bugs

  • Anonymity online

⇒ Attacks spread quickly

SLIDE 3

Motivation

  • Automate intrusion response
  • Tighten access control

⇒ Reduce exposure

  • Dynamically reconfigure

⇒ Minimize mean time to response

  • Decreases system usability

⇒ Deny only when risk warrants it

SLIDE 4

Design - User Space Response

  • Intrusion detector ⇒ Application

⇒ Change permissions

  • Problems :

– Granularity : Exactly which permissions?
– Overhead : Frequent reconfiguration
– Temporal Gap : Allows race conditions (Time of use < Time of reconfiguration)

SLIDE 5

Design - OS Support

  • Instrumented Linux 2.2.12 kernel
  • Instrumented Sun Java 1.2 runtime
  • Trapped all calls
  • Overhead unacceptable
  • Limited to extant security subsystem
  • Permissions are predicated
  • Result : Active Reference Monitor
SLIDE 6

Design - Security Policy

  • Specified using:

– L : Formal language
– X : Axioms
– I : Rules of inference
– Q : Proof technique

  • Can verify statement σ ∈ L

– Start with X, use I according to Q, derive σ

  • In principle, can specify and verify
  • Problems in practice :

– Complex for “real” system
– Part of system outside administrative domain
– Gap between abstraction and implementation

SLIDE 7

Design - Permission Semantics

  • Focus on subset of security policy
  • Authorization policy : σ → p(ermission)
  • Given : i ∈ S(ubjects), j ∈ O(bjects),

k ∈ A(uthorization types)

  • Instead of p(i,j,k) = 0 or p(i,j,k) = 1,

Use p(i,j,k) = σ

SLIDE 8

Design - Temporal Constraints

  • Applications do not expect:

– Variable length permission checks
– Access control configuration changes

  • Q bounded to constant t steps

⇒ Choice of L not material

  • Permission check time : O(t) = O(1)
  • Permission denial ⇒ Signal with buffer b
  • Signal handler can get (p,σ) from b
SLIDE 9

Design - Activation

  • Select based on benefit and cost
  • Cost is frequency in workload
  • Interface :

    enableSafeguard(Permission p)
    disableSafeguard(Permission p)

SLIDE 10

Implementation - Interposition

SLIDE 11

Implementation - Invocation

    import java.security.Permission;

    public abstract class PredicateThread extends Thread {
        protected final Permission permission;  // permission whose predicate σ this thread evaluates
        protected final Object lock;            // monitor the permission check blocks on
        private volatile boolean result = false;

        protected PredicateThread(Permission permission, Object lock) {
            this.permission = permission;
            this.lock = lock;
        }

        // Subclasses supply the predicate σ attached to the permission.
        protected abstract boolean condition();

        public void run() {
            if (condition()) result = true;
            synchronized (lock) { lock.notify(); }  // wake the checker waiting on lock
        }

        public boolean getResult() { return result; }
    }
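As an added example that is not code from the slides or from the Duke implementation, the following ties slides 8 to 11 together: a permission with a safeguard enabled is mapped to a predicate σ, σ is evaluated in its own thread while the checker waits at most a constant bound t, and a denial hands (p, σ) to the application instead of silently failing. The class and interface names, the bound T_MS, the load threshold and the use of Java 8 lambdas (rather than the Java 1.2 runtime the slides instrument) are this example's own assumptions.

```java
import java.lang.management.ManagementFactory;
import java.security.Permission;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicBoolean;
// Assumed names: ArmedPermissionChecker, Safeguard, DenialHandler, T_MS (not from the slides).
public class ArmedPermissionChecker {
    /** The predicate sigma that a permission is mapped to while its safeguard is enabled. */
    public interface Safeguard { boolean holds(); }
    /** Stands in for the denial signal + buffer b: receives (p, sigma) so the application can adapt. */
    public interface DenialHandler { void denied(Permission p, String sigma); }
    static final long T_MS = 5;                       // bound t on predicate evaluation (assumed value)
    private final Map<String, Safeguard> armed = new ConcurrentHashMap<>();
    private final DenialHandler handler;
    public ArmedPermissionChecker(DenialHandler handler) { this.handler = handler; }
    public void enableSafeguard(Permission p, Safeguard s) { armed.put(p.getName(), s); }
    public void disableSafeguard(Permission p) { armed.remove(p.getName()); }
    /** Grants p statically when no safeguard is armed; otherwise evaluates sigma in its own
     *  thread and waits at most T_MS, so the check costs O(t) regardless of the predicate. */
    public boolean check(Permission p) throws InterruptedException {
        final Safeguard s = armed.get(p.getName());
        if (s == null) return true;
        final Object lock = new Object();
        final AtomicBoolean result = new AtomicBoolean(false);
        Thread predicate = new Thread(() -> {
            if (s.holds()) result.set(true);
            synchronized (lock) { lock.notify(); }
        });
        predicate.setDaemon(true);
        synchronized (lock) {            // holding lock here means notify cannot precede wait
            predicate.start();
            lock.wait(T_MS);             // a predicate that overruns t (or a spurious wakeup) fails closed
        }
        if (result.get()) return true;
        handler.denied(p, p.getName());  // expose (p, sigma) programmatically instead of a bare failure
        return false;
    }
    public static void main(String[] args) throws InterruptedException {
        ArmedPermissionChecker arm = new ArmedPermissionChecker(
            (p, sigma) -> System.out.println("denied " + p.getName() + ": safeguard " + sigma + " is false"));
        Permission exit = new RuntimePermission("exitVM");
        System.out.println("no safeguard armed: " + arm.check(exit));
        // Safeguard in the spirit of slide 12's getSystemLoad(): deny while the 1-minute load average is high.
        arm.enableSafeguard(exit, () -> ManagementFactory.getOperatingSystemMXBean().getSystemLoadAverage() < 8.0);
        System.out.println("load safeguard: " + arm.check(exit));
        arm.enableSafeguard(exit, () -> { try { Thread.sleep(50); } catch (InterruptedException e) {} return true; });
        System.out.println("predicate slower than t: " + arm.check(exit));
    }
}
```

The third check shows the temporal-constraint trade-off from slide 8: a predicate that cannot finish within t is denied rather than allowed to stretch the permission check.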

SLIDE 12

Evaluation - Primitive times

    Access Type            Time
    getTransmitted(eth0)   1.02 ms
    getFreeRAM()           0.39 ms
    getFreeSwap()          0.39 ms
    getReceived(eth0)      1.01 ms
    getSystemLoad()        0.34 ms

SLIDE 13

Evaluation - Worst Case Impact

SLIDE 14

Related Work

  • Active Capabilities, FLASK, RS-BAC …
  • Differences :

– Constant running time guarantee
– Expose denial semantics programmatically ⇒ Allow application adaptation
– Activation based on cost and benefit
– Predicates activatable at permission granularity ⇒ Minimizes impact

SLIDE 15

Conclusion

  • Argued for predicated permissions
  • Used temporal constraints
  • Described changes in semantics
  • Showed programmatic access
  • Dynamic reconfigurability

⇒ Needed for real-time response

  • Demonstrated acceptable performance