• Login
    View Item 
    •   DSpace Home
    • Stony Brook University
    • Stony Brook Theses & Dissertations [SBU]
    • View Item
    •   DSpace Home
    • Stony Brook University
    • Stony Brook Theses & Dissertations [SBU]
    • View Item
    JavaScript is disabled for your browser. Some features of this site may not work without it.

    Browse

    All of DSpaceCommunities & CollectionsBy Issue DateAuthorsTitlesSubjectsThis CollectionBy Issue DateAuthorsTitlesSubjects

    My Account

    LoginRegister

    Statistics

    Most Popular ItemsStatistics by CountryMost Popular Authors

    A Framework for Enforcing Information Flow Policies

    Thumbnail
    View/Open
    Mital_grad.sunysb_0771M_10100.pdf (567.6Kb)
    A Framework for Enforcing Information Flow Policies: Presentation (2.454Mb)
    Date
    1-May-10
    Author
    Mital, Bhuvan
    Publisher
    The Graduate School, Stony Brook University: Stony Brook, NY.
    Metadata
    Show full item record
    Abstract
    Reactive approaches for ensuring security, like signature based scanning and behavior monitoring, have been around for quite some time. However they have failed to provide assurances about overall system integrity, and can easily be defeated by sophisticated techniques like code obfuscation and encryption. Another class of attacks includes those that occur in multiple steps (often referred to as multi-step attacks). Information flow based approaches provide a basis for mediating and tracking dependencies between system entities, and can thus prove to be helpful in overcoming these shortcomings. However, success in applying information flow based techniques to modern COTS operating systems has been limited, since a strict application of information flow policy can break existing applications and OS services. One common case of poor usability is when an application is denied write access to a high integrity file in the middle of the write-operation as a result of reading from a low integrity file.Our framework attempts to address this issue of loss in usability by maintaining integrity constraints for each subject (process) and object (files, sockets, IPC channels etc.) in the system, and permitting or denying access requests by ensuring that no invariant is violated. To achieve this, our approach maintains a per-process list of objects being accessed. For each new read-open request made by an application, our policy enforcer propagates integrity constraints from the objects in the application's list to the new object that the application wishes to open. The success or failure of the request then depends on the new object's ability to honor these constraints. This strategy restricts service denials to early failures, which the applications handle far more gracefully than read or write denials. To provide completeness to the solution, our framework enforces policies for all different types of objects (files, links, pipes, sockets, devices, IPC channels). The implementation of our framework utilizes Linux Security Module (LSM) hooks. A considerable portion of our work also deals with understanding and documenting the flow of the Linux kernel code involved in the LSM framework and mapping the abstract operations of our framework to the appropriate LSM hooks.
    URI
    http://hdl.handle.net/1951/55553
    Collections
    • Stony Brook Theses & Dissertations [SBU] [1955]

    SUNY Digital Repository Support
    DSpace software copyright © 2002-2022  DuraSpace
    Contact Us | Send Feedback
    DSpace Express is a service operated by 
    Atmire NV
     

     


    SUNY Digital Repository Support
    DSpace software copyright © 2002-2022  DuraSpace
    Contact Us | Send Feedback
    DSpace Express is a service operated by 
    Atmire NV