MAO Weifeng,PING Lingdi,JIANG Li,CHEN Xiaoping

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.12.068

2006-01-01

Abstract:SECOS is a secure operating system with independent intellectual property right,which accords with the requirements of level 4 secure operation system technology.This paper illustrates some key issues of the system,including design method for enchancement of security,improved model from the Bell-La Padula MAC(mandatory access control) implementation,the realization of the model,formal method during the system development,conversiion channel analysis and its prevention,and secure deletion.The performance evaluation shows the design and implementation of SECOS is effective.

Patrick Stöckle,Michael Sammereier,Bernd Grobauer,Alexander Pretschner

DOI: https://doi.org/10.1109/AST58925.2023.00013

2023-03-10

Abstract:Insecure default values in software settings can be exploited by attackers to compromise the system that runs the software. As a countermeasure, there exist security-configuration guides specifying in detail which values are secure. However, most administrators still refrain from hardening existing systems because the system functionality is feared to deteriorate if secure settings are applied. To foster the application of security-configuration guides, it is necessary to identify those rules that would restrict the functionality. This article presents our approach to use combinatorial testing to find problematic combinations of rules and machine learning techniques to identify the problematic rules within these combinations. The administrators can then apply only the unproblematic rules and, therefore, increase the system's security without the risk of disrupting its functionality. To demonstrate the usefulness of our approach, we applied it to real-world problems drawn from discussions with administrators at Siemens and found the problematic rules in these cases. We hope that this approach and its open-source implementation motivate more administrators to harden their systems and, thus, increase their systems' general security.

Software Engineering

Cataldo Basile,Gabriele Gatti,Francesco Settanni

2024-05-06

Abstract:Enforcing security requirements in networked information systems relies on security controls to mitigate the risks from increasingly dangerous threats. Configuring security controls is challenging; even nowadays, administrators must perform it without adequate tool support. Hence, this process is plagued by errors that translate to insecure postures, security incidents, and a lack of promptness in answering threats. This paper presents the Security Capability Model (SCM), a formal model that abstracts the features that security controls offer for enforcing security policies, which includes an Information Model that depicts the basic concepts related to rules (i.e., conditions, actions, events) and policies (i.e., conditions' evaluation, resolution strategies, default actions), and a Data Model that covers the capabilities needed to describe different types of filtering and channel protection controls. Following state-of-the-art design patterns, the model allows for generating abstract versions of the security controls' languages and a model-driven approach for translating abstract policies into device-specific configuration settings. By validating its effectiveness in real-world scenarios, we show that SCM enables the automation of different and complex security tasks, i.e., accurate and granular security control comparison, policy refinement, and incident response. Lastly, we present opportunities for extensions and integration with other frameworks and models.

Cryptography and Security

John Homer,Xinming Ou

DOI: https://doi.org/10.1109/jsac.2009.090407

IF: 16.4

2009-04-01

IEEE Journal on Selected Areas in Communications

Abstract:Enterprise network security management is a complex task of balancing security and usability, with trade-offs often necessary between the two. Past work has provided ways to identify intricate attack paths due to misconfiguration and vulnerabilities in an enterprise system, but little has been done to address how to correct the security problems within the context of various other requirements such as usability, ease of access, and cost of countermeasures. This paper presents an approach based on Boolean satisfiability solving (SAT solving) that can reason about attacks, usability requirements, cost of actions, etc. in a unified, logical framework. Preliminary results show that the approach is both effective and efficient.

telecommunications,engineering, electrical & electronic

Patrick Stöckle,Bernd Grobauer,Alexander Pretschner

DOI: https://doi.org/10.48550/arXiv.2209.08936

2022-09-19

Cryptography and Security

Abstract:Hardening is the process of configuring IT systems to ensure the security of the systems' components and data they process or store. The complexity of contemporary IT infrastructures, however, renders manual security hardening and maintenance a daunting task. In many organizations, security-configuration guides expressed in the SCAP (Security Content Automation Protocol) are used as a basis for hardening, but these guides by themselves provide no means for automatically implementing the required configurations. In this paper, we propose an approach to automatically extract the relevant information from publicly available security-configuration guides for Windows operating systems using natural language processing. In a second step, the extracted information is verified using the information of available settings stored in the Windows Administrative Template files, in which the majority of Windows configuration settings is defined. We show that our implementation of this approach can extract and implement 83% of the rules without any manual effort and 96% with minimal manual effort. Furthermore, we conduct a study with 12 state-of-the-art guides consisting of 2014 rules with automatic checks and show that our tooling can implement at least 97% of them correctly. We have thus significantly reduced the effort of securing systems based on existing security-configuration guides.

Przemysław Buczkowski,Pasquale Malacaria,Chris Hankin,Andrew Fielder

DOI: https://doi.org/10.48550/arXiv.2204.11707

2022-04-25

Cryptography and Security

Abstract:CySecTool is a tool that finds a cost-optimal security controls portfolio in a given budget for a probabilistic attack graph. A portfolio is a set of counter-measures, or controls, against vulnerabilities adopted for a computer system, while an attack graph is a type of a threat scenario model. In an attack graph, nodes are privilege states of the attacker, edges are vulnerabilities escalating privileges, and controls reduce the probabilities of some vulnerabilities being exploited. The tool builds on an optimisation algorithm published by Khouzani et al. (2019), enabling a user to quickly create, edit, and incrementally improve models, analyse results for given portfolios and display the best solutions for all possible budgets in the form of a Pareto frontier. A case study was performed utilising a system graph and suspected attack paths prepared by industrial security engineers based on an industrial source with which they work. The goal of the case study is to model a supervisory control and data acquisition (SCADA) industrial system which, due to having the potential to harm people, necessitates strong protection while not allowing the use of typical penetration tools like vulnerability scanners. Results are analysed to show how a cyber-security analyst would use CySecTool to store cyber-security intelligence and draw further conclusions.

Zhiqiang Lin,Chao Wang,Bing Mao,Li Xie

DOI: https://doi.org/10.1145/1075395.1075397

2005-01-01

Abstract:As the fundamental software to guarantee information security, operating system is desired to support various security policies flexibly and to control the propagation and revocation of access rights efficiently. This paper presents a design and implementation of Policy Flexible Architecture (PFA) for secure operating system to achieve the coordination, extensibility, consistency and dynamic configuration of security policies. Through a thorough analysis of all related facilities, PFA classifies policy constructions into several levels according to their effects on security status; PFA emphasizes on centralized management of security policy as well as on centralized maintainability of security attributes; for the first time PFA gives revocation rules to specify how and when to revoke permissions. PFA has been applied to our Secure Enhanced Linux Operating System, and the experiment shows that the system holds at least three advantages. First, it helps users to choose intended security policies flexibly. Besides it supports users to add new security policies according to specific security requirements easily. Finally it sets permission revocations immediately and gets no significant performance penalty.

Ting Yu,Dhivya Sivasubramanian,Tao Xie

DOI: https://doi.org/10.1145/1558607.1558623

2009-01-01

Abstract:Access control is one of the fundamental security mechanisms for information systems. It determines the availability of resources to principals, operations that can be performed, and under what circumstances. Traditionally the enforcement of access control is often hardcoded in applications or systems; such hardcoding makes it hard to verify the correctness of access control and to accommodate changes of security requirements. Recently, access control policies have been increasingly separated from enforcement mechanisms. An access control policy is explicitly specified using certain policy languages with well-defined syntax and semantics. An application then consults the policy during runtime to determine whether an access request from a principal should be allowed or denied. There are two main advantages of this approach. First, security officers can now perform systematic and formal security analysis on access control policies. Second, by separating policies from enforcement mechanisms, it is possible to change policies without affecting the underlying mechanisms, and vice versa.

Liang Cheng,Yang Zhang,Zhihui Han

DOI: https://doi.org/10.1109/SERE.2013.12

2013-01-01

Abstract:Access control mechanisms (ACM) play a critical role in protecting operating systems from malicious attacks. A variety of ACMs have been proposed till date, including discretionary access control (DAC) and mandatory access control (MAC). However, it is often challenging to evaluate and compare the quality of protection (QoP) of ACMs, especially when they are deployed on different platforms. In this paper, we propose an approach to quantitatively measure and compare the quality of ACMs. We introduce the notion of vulnerability profiles to capture the weakness of ACMs in protecting against attacks, and the notion of vulnerability coefficients as a numeric and platform-independent measurement of the protection quality of ACMs. Based on these two notions, our approach applies the Grey System Theory and an independent vulnerability scoring system to infer complete vulnerability profiles and to calculate fair and objective vulnerability coefficients for ACMs. To our knowledge, our approach is the first attempt for quantitative measurement and comparison of ACMs across different operating systems. Based on our approach, we implement a prototype tool called ACVAL that leverages logic programming to characterize, evaluate, and compare access control mechanisms. We apply ACVAL to three mainstream ACMs, and results that ACVAL is effective in evaluating access control mechanisms across different operating systems, a feature particularly useful to administrators of heterogenous IT systems.

Monowar Hasan,Sibin Mohan

2023-04-27

Abstract:Cyber-physical systems (CPS) are vulnerable to attacks targeting outgoing actuation commands that modify their physical behaviors. The limited resources in such systems, coupled with their stringent timing constraints, often prevents the checking of every outgoing command. We present a "selective checking" mechanism that uses game-theoretic modeling to identify the right subset of commands to be checked in order to deter an adversary. This mechanism is coupled with a "delay-aware" trusted execution environment (TEE) to ensure that only verified actuation commands are ever sent to the physical system, thus maintaining their safety and integrity. The selective checking and trusted execution (SCATE) framework is implemented on an off-the-shelf ARM platform running standard embedded Linux. We demonstrate the effectiveness of SCATE using four realistic cyber-physical systems (a ground rover, a flight controller, a robotic arm and an automated syringe pump) and study design trade-offs. Not only does SCATE provide a high level of security and high performance, it also suffers from significantly lower overheads (30.48%-47.32% less) in the process. In fact, SCATE can work with more systems without negatively affecting the safety of the system. Considering that most CPS do not have any such checking mechanisms, and SCATE is guaranteed to meet all the timing requirements (i.e., ensure the safety/integrity of the system), our methods can significantly improve the security (and, hence, safety) of the system.

Cryptography and Security

LI Hong-jiao,LI Jian-hua,ZHU Hong-wen

DOI: https://doi.org/10.3321/j.issn:1006-2467.2005.08.021

2005-01-01

Abstract:A new access control method,called Multi-policy Access Control Model(MACM),was proposed by analyzing the limitations of single security model and the security requirements of electronic government applications.The new method makes use of virtues of single security model,and at the same time the system's reliability and availability are taken into account. The formal description of the new method was given and its implementation on Linux kernel was investigated.The performance tests show that there is little overhead introduced by the method.

Ennan Zhai,Qingni Shen,Yonggang Wang,Tao Yang,Liping Ding,Sihan Qing

DOI: https://doi.org/10.1007/978-3-642-20291-9_38

2011-01-01

Abstract:Host compromise is a serious security problem for operating systems. Most previous solutions based on integrity protection models are difficult to use: on the other hand, usable integrity protection models can only provide limited protection. This paper presents SecGuard, a secure and practical integrity protection model. To ensure the security of systems. SecGuard provides provable guarantees for operating systems to defend against three categories of threats: network-based threat, IPC communication threat and contaminative file threat. To ensure practicability, SecGuard introduces several novel techniques. For example, SecGuard leverages the information of existing discretionary access control information to initialize integrity labels for subjects and objects in the system. We developed the prototype system of SecGuard based on Linux Security Modules framework (LSM), and evaluated the security and practicability of SecGuard.

SHEN Qing-ni,QING Si-han,HE Ye-ping,SHEN Jian-jun

DOI: https://doi.org/10.3321/j.issn:1000-436x.2006.02.010

2006-01-01

Abstract:In order to support POSIX capability mechanism,many secure operating systems provided individual capability inheritable algorithms.These algorithms were only applicable to specified least privilege control policies,and had such defects as semantic conflicts and no defined security-objectives.So they couldn’t flexibly support for implementing diversified privilege policies for different requirements.Based on the analysis of some existing algorithms,a new capability inheritance algorithm was proposed,which introduced the policy-relevant capability control variable and the trusted application attribution.The implementation of the algorithm in ANSHENG secure operating system demonstrates that this algorithm provides such properties as policy-adaptability and usability,the formal analysis and verification of this algorithm proves that it supports a secure operating system to meet basic security theorems of the privilege policies enforced in it.

Eric Rothstein-Morris,Sun Jun

DOI: https://doi.org/10.48550/arXiv.1811.10400

2018-11-16

Abstract:This work aims to solve a practical problem, i.e., how to quantify the risk brought upon a system by different attackers. The answer is useful for optimising resource allocation for system defence. Given a set of safety requirements, we quantify the attacker capability in terms of the set of safety requirements an attacker can compromise. Given a system (in the presence of an attacker), model checking it against each safety requirement one by one is expensive and wasteful since the same state space is explored many times. We thus propose model checking multiple properties efficiently by means of coalgebraic model checking using enhanced coinduction techniques. We apply the proposed technique to a real-world water treatment system and the results show that our approach can effectively reduce the effort required for model checking.

Logic in Computer Science,Formal Languages and Automata Theory

Jianwen Sun,Xiang Long,Yongwang Zhao

DOI: https://doi.org/10.1109/access.2018.2815766

IF: 3.9

2018-01-01

IEEE Access

Abstract:Formal verification of information flow security with dynamic policies of security-critical systems is a grand challenge. This paper presents the first effort to formally specify and verify a capability-based system model with dynamic information flow policies. We build a generic security model with dynamic security policies. In the security model, we define a set of information flow security properties and provide an inference framework for them. Based on the security model, we propose a system model for capability-based secure systems. The system model specifies critical events including system initialization, inter-domain communication, and capability management. We prove information flow security of the capability-based model by an unwinding theorem. Formal specification and security proof are carried out in the Isabelle/HOL theorem prover and could be applied to formally develop and verify the security of capability-based secure systems, such as separation kernels and secure hypervisors. To our knowledge, this is the first machine-checked proof of capability-based information security with dynamic policies.

CHEN Hui,ZHOU Xue-Hai,CHEN Xiang-Lan

DOI: https://doi.org/10.3969/j.issn.1003-3254.2010.12.003

2010-01-01

Abstract:Security is always a hot topic with the development of computer technologies.Currently,mechanisms like active defense,detection and anti-detection are proposed.They could be implemented on different levels such as application-level and kernel-level in the system.We manage to go to the system-level.Linux owns mature security-enhanced version SELinux.For Windows,we focus on mandatory access control and propose a mechanism with improved efficiency,compatibility and stability.

Zhang Lianhua,Zhang Renlong,Bai Yingcai

DOI: https://doi.org/10.3969/j.issn.1000-386X.2007.10.074

2007-01-01

Abstract:Attack scenario modeling and recognizing technology can provide the security system operator(SSO) with the high-level attack views and precise decision information for response,and it has been a hot research direction in network and information security domain.In order to succeed in attacking,attackers often use different steps and various skills such as mutation,re-sequencing,substitution,distribution,looping etc.to construct almost infinite attack scenarios.The variation in attack steps and diversity in scenario constructions lead to difficulties in attack scenario modeling and recognizing.On the basis of researches of the present attack scenario modeling technologies,a new attack scenario modeling using Requires/Provides relation represented by Capability is proposed,which can take both the various attack steps and diverse scenario constructions into consideration simultaneously.

Ali Tamimi,Ozgur Oksuz,Jinyoung Lee,Adam Hahn

DOI: https://doi.org/10.48550/arXiv.1806.06168

2018-06-16

Abstract:Cybersecurity risks are often managed by reducing the system's attack surface, which includes minimizing the number of interconnections, privileges, and impacts of an attack. While attack surface reduction techniques have been frequently deployed in more traditional information technology (IT) domains, metrics tailored to cyber-physical systems (CPS) have not yet been identified. This paper introduces attack surface analysis metrics and algorithms to evaluate the attack surface of a CPS. The proposed approach includes both physical system impact metrics, along with a variety of cyber system properties from the software (network connections, methods) and operating system (privileges, exploit mitigations). The proposed algorithm is defined to incorporate with the Architecture Analysis \& Design Language (AADL), which is commonly used to many CPS industries to model their control system architecture, and tools have been developed to automate this analysis on an AADL model. Furthermore, the proposed approach is evaluated on a distribution power grid case study, which includes a 7 feeder distribution system, AADL model of the SCADA control centers, and analysis of the OpenDNP3 protocol library used in many real-world SCADA systems.

Cryptography and Security

Ruipeng Wang,Kaixiang Chen,Chao Zhang,Zulie Pan,Qianyu Li,Siliang Qin,Shenglin Xu,Min Zhang,Yang Li

2023-01-01

Abstract:Memory corruption vulnerabilities are often exploited to corrupt sensitive objects and launch attacks. An efficient way to mitigate such threats is identifying and protecting such sensitive objects against corruption. However, it is still an open question that what objects are security sensitive and how sensitive they are. In this paper, we present the first expert system based solution AlphaEXP to identify security sensitive objects, in a specific and important target - the Linux kernel. It works by simulating an adversary to assess whether an object could be abused to get unintended capabilities and contribute to exploitation, and marks it as sensitive if so. Specifically, AlphaEXP first constructs a knowledge graph to represent the facts of the kernel, including objects, functions, and their relationships etc. Then, it explores the knowledge graph to infer potential attack paths for given vulnerabilities, and marks objects used in the attack paths as sensitive. Lastly, it evaluates the feasibility of the attack paths in a customized emulating system, and classifies the sensitivity of objects accordingly. We have built a prototype of AlphaEXP and evaluated it on 84 synthesized representative vulnerabilities and 19 real world vulnerabilities to identify sensitive kernel objects. AlphaEXP successfully generates attack paths for most of these vulnerabilities, and finds 50 objects that could be abused to get writing capability, 81 objects with reading capability, and 112 objects with execution capability, then classifies them into 12 levels of sensitivity.

YANG Zhi,YIN Li-Hua,DUAN Mi-Yi,WU Jin-Yu,JIN Shu-Yuan,GUO Li

DOI: https://doi.org/10.3724/sp.j.1001.2012.04083

2012-01-01

Journal of Software

Abstract:Dynamically adjusting the security label of each subject is a main approach to improving the availability of MAC models.It includes the method of security label range and the method of taint propagation.The former lacks the support for a less proviledge subject,and the latter has a known covert channels.In this paper,a model called generalized taint propagation model(GTPM) is proposed to protect the confidentiality and integrity of operating systems.It inherits the least privilege characteristic of taint propagation model(TPM),expands the semantics of TPM to close the known covert channels,and introduces declassification and decontamination capacities of subjects to avoid accumulating contamination.The paper also introduces its specification using communicating sequential processes(CSP) language to clear the formal semantics of a GTPM operating system's behaviors of information flow control;Moreover,the study noninterference with declassification in CSP verification model of process equivalence,and proves that abstract GTPM system have the security property of noninterference with declassification in virtue of FDR tool.Finally,this paper uses an example to demonstrate its improvement of availability.