Authors:
Z. Cliffe Schreuders
and
Christian Payne
Affiliation:
School of IT, Murdoch University, Australia
Keyword(s):
Application-Oriented Access Control, Application Confinement, Sandbox, Functionality-Based Application Confinement (FBAC), Role-Based Access Control (RBAC), Usable Security.
Related
Ontology
Subjects/Areas/Topics:
Access Control
;
Data Engineering
;
Databases and Data Security
;
Information and Systems Security
;
Internet Technology
;
Web Information Systems and Technologies
Abstract:
Traditional user-oriented access control models such as Mandatory Access Control (MAC) and Discretionary Access Control (DAC) cannot differentiate between processes acting on behalf of users and those behaving maliciously. Consequently, these models are limited in their ability to protect users from the threats posed by vulnerabilities and malicious software as all code executes with full access to all of a user's permissions. Application-oriented schemes can further restrict applications thereby limiting the damage from malicious code. However, existing application-oriented access controls construct policy using complex and inflexible rules which are difficult to administer and do not scale well to confine the large number of feature-rich applications found on modern systems. Here a new model, Functionality-Based Application Confinement (FBAC), is presented which confines applications based on policy abstractions that can flexibly represent the functional requirements of application
s. FBAC policies are parameterised allowing them to be easily adapted to the needs of individual applications. Policies are also hierarchical, improving scalability and reusability while conveniently abstracting policy detail where appropriate. Furthermore the layered nature of policies provides defence in depth allowing policies from both the user and administrator to provide both discretionary and mandatory security. An implementation FBAC-LSM and its architecture are also introduced.
(More)