Annual Computer Security Applications Conference (ACSAC) 2012


Transforming Commodity Security Policies to Enforce Clark-Wilson Integrity


Divya Muthukumaran
Penn State
United States

Sandra Rueda
Universidad de los Andes
Colombia

Nirupama Talele
Penn State
United States

Hayawardh Vijayakumar
Penn State
United States

Jason Teutsch
Penn State
United States

Trent Jaeger
Penn State
United States

Abstract:
Modern distributed systems are composed from several off-the-shelf components, including operating systems, virtualization infrastructure, and application packages, upon which some custom application code (e.g., a web application) is deployed. While several commodity systems now include mandatory access control (MAC) enforcement to protect the individual system, the complexity of distributed systems composed in this manner makes it difficult to identify how threats may be propagated throughout the system. As a result, security practitioners react to vulnerabilities when they are identified by adversaries, rather than proactively protecting the system's data integrity.

In this paper, the goal is to develop a mostly-automated method to transform a set of commodity MAC policies into a system-wide policy that proactively provides classical integrity protection, in particular satisfying an approximation of the Clark-Wilson integrity model. The Clark-Wilson model prescribes integrity verification of security-critical data and mediation at program entrypoints to protect the integrity of processing that operates on security-critical data, features that are currently missing in commodity system MAC policies. By solving a graph-cut problem over the information flows produced by available MAC policies, we identify a near-minimal placement for integrity verification and program mediation necessary to satisfy Clark-Wilson. We demonstrate the practicality of producing Clark-Wilson policies for distributed systems on a web application running on virtualized SELinux hosts, where our method finds that only 27 additional entrypoint mediators are sufficient to mediate the threats of remote adversaries, mediators for possible local threats can be computed automatically, and 20 integrity verification procedures are necessary to provide information flow integrity approximating Clark-Wilson integrity.
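The graph-cut step in the abstract, as an added illustration that is neither the paper's code nor its exact formulation: a constructed information-flow graph (assumed SELinux-style labels and flows) stands in for the flows derived from a MAC policy, untrusted sources and security-critical data are attached to a super-source and super-sink, and a unit-capacity minimum cut yields a near-minimal set of flows at which to place entrypoint mediators or integrity verification.

```python
from collections import deque

# Constructed toy information-flow graph (assumed labels, not from the paper):
# edge (a, b) means the MAC policy allows information to flow from a to b.
FLOWS = [
    ("net_t", "httpd_t"),          # remote input reaches the web server
    ("httpd_t", "webapp_t"),       # web server hands requests to the app
    ("user_home_t", "webapp_t"),   # app reads user-uploaded files
    ("webapp_t", "db_data_t"),     # app writes security-critical data
    ("db_data_t", "webapp_t"),     # app reads it back
    ("admin_t", "httpd_conf_t"),   # administrator edits the config
    ("httpd_conf_t", "httpd_t"),   # web server reads its config
]
UNTRUSTED = {"net_t", "user_home_t"}      # adversary-controlled sources
TRUSTED = {"db_data_t", "httpd_conf_t"}   # data whose integrity must hold

def min_mediation_cut(flows, untrusted, trusted):
    """Smallest set of unit-capacity flows separating every untrusted source
    from every trusted sink: Edmonds-Karp max-flow, then the residual cut."""
    big = len(flows) + 1                   # effectively infinite capacity
    edges = ([(u, v, 1) for u, v in flows]
             + [("SRC", u, big) for u in untrusted]    # super-source
             + [(v, "SNK", big) for v in trusted])     # super-sink
    cap, adj = {}, {}
    for u, v, c in edges:
        cap[(u, v)] = cap.get((u, v), 0) + c
        cap.setdefault((v, u), 0)          # residual (reverse) edge
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    def bfs():                             # residual BFS from SRC -> parent map
        parent, q = {"SRC": None}, deque(["SRC"])
        while q:
            u = q.popleft()
            for v in adj.get(u, ()):
                if v not in parent and cap[(u, v)] > 0:
                    parent[v] = u
                    q.append(v)
        return parent
    while "SNK" in (parent := bfs()):      # augment while a path remains
        path, v = [], "SNK"
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        b = min(cap[e] for e in path)      # bottleneck is always a unit edge
        for u, v in path:
            cap[(u, v)] -= b
            cap[(v, u)] += b
    reach = set(bfs())                     # source side of the minimum cut
    return sorted(e for e in flows if e[0] in reach and e[1] not in reach)
```

For the toy graph the cut is the single flow webapp_t -> db_data_t, i.e. verifying at that one point is cheaper than mediating both upstream entrypoints; when untrusted paths do not merge, the cut falls on the entrypoints themselves.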
