FUNCTIONALITY-BASED APPLICATION CONFINEMENT - Parameterised Hierarchical Application Restrictions

Z. Cliffe Schreuders, Christian Payne



Traditional user-oriented access control models such as Mandatory Access Control (MAC) and Discretionary Access Control (DAC) cannot differentiate between processes acting on behalf of users and those behaving maliciously. Consequently, these models are limited in their ability to protect users from the threats posed by vulnerabilities and malicious software, as all code executes with full access to all of a user's permissions. Application-oriented schemes can further restrict applications, thereby limiting the damage from malicious code. However, existing application-oriented access controls construct policy using complex and inflexible rules which are difficult to administer and do not scale well to confine the large number of feature-rich applications found on modern systems. Here a new model, Functionality-Based Application Confinement (FBAC), is presented which confines applications based on policy abstractions that can flexibly represent the functional requirements of applications. FBAC policies are parameterised, allowing them to be easily adapted to the needs of individual applications. Policies are also hierarchical, improving scalability and reusability while conveniently abstracting policy detail where appropriate. Furthermore, the layered nature of policies provides defence in depth, allowing policies from both the user and administrator to provide both discretionary and mandatory security. An implementation, FBAC-LSM, and its architecture are also introduced.
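The three properties the abstract names (parameterised functionalities, a hierarchy of functionalities, and layered administrator/user policies that must both permit an access) can be modelled in a few lines. The following is an added toy model written for this page, not the paper's FBAC-LSM code or policy language; the functionality names, parameters and paths are constructed for illustration.

```python
# Added illustrative model of FBAC-style policy abstractions (not the paper's FBAC-LSM code).
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Functionality:
    """A parameterised, hierarchical policy abstraction (constructed for illustration)."""
    name: str
    rules: list = field(default_factory=list)     # (operation, resource template) pairs
    children: list = field(default_factory=list)  # (Functionality, {child_param: parent_param}) pairs

    def expand(self, args):
        """Flatten the hierarchy into concrete (operation, resource pattern) rules for these args."""
        concrete = {(op, tmpl.format(**args)) for op, tmpl in self.rules}
        for child, binding in self.children:
            # a child parameter is bound to a parent parameter, or to a literal value
            child_args = {k: args.get(v, v) for k, v in binding.items()}
            concrete |= child.expand(child_args)
        return concrete

def permits(rules, op, resource):
    """True if one policy layer's flattened rules allow the operation on the resource."""
    return any(o == op and fnmatchcase(resource, pat) for o, pat in rules)

def decide(layers, op, resource):
    """Layered (defence-in-depth) decision: every policy layer must permit the access."""
    return all(permits(layer, op, resource) for layer in layers)

# Constructed functionality hierarchy: a browser is built from smaller functionalities
HTTP_CLIENT = Functionality("http_client", [("connect", "tcp:*:80"), ("connect", "tcp:*:443")])
FILE_DOWNLOAD = Functionality("file_download", [("write", "{dir}/*")])
WEB_BROWSER = Functionality(
    "web_browser",
    [("read", "{home}/.browser/*"), ("write", "{home}/.browser/*")],
    [(HTTP_CLIENT, {}), (FILE_DOWNLOAD, {"dir": "downloads"})],
)

def browser_layers():
    """Administrator (mandatory) and user (discretionary) policies for the same browser."""
    admin = WEB_BROWSER.expand({"home": "/home/alice", "downloads": "/home/alice"})
    user = WEB_BROWSER.expand({"home": "/home/alice", "downloads": "/home/alice/Downloads"})
    return [admin, user]

if __name__ == "__main__":
    layers = browser_layers()
    for op, res in [("connect", "tcp:example.com:443"), ("write", "/home/alice/Downloads/a.pdf"),
                    ("write", "/home/alice/.ssh/id_rsa"), ("read", "/etc/shadow")]:
        print(op, res, "ALLOW" if decide(layers, op, res) else "DENY")
```

The administrator's layer alone would let the browser write anywhere under the home directory; the user's narrower parameterisation of the same functionality confines downloads to one directory, so the write to `.ssh` is denied.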



Paper Citation

in Harvard Style

Cliffe Schreuders Z. and Payne C. (2008). FUNCTIONALITY-BASED APPLICATION CONFINEMENT - Parameterised Hierarchical Application Restrictions. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008) ISBN 978-989-8111-59-3, pages 72-77. DOI: 10.5220/0001928900720077

in Bibtex Style

author={Z. Cliffe Schreuders and Christian Payne},
title={FUNCTIONALITY-BASED APPLICATION CONFINEMENT - Parameterised Hierarchical Application Restrictions},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)},

in EndNote Style

JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)
TI - FUNCTIONALITY-BASED APPLICATION CONFINEMENT - Parameterised Hierarchical Application Restrictions
SN - 978-989-8111-59-3
AU - Cliffe Schreuders Z.
AU - Payne C.
PY - 2008
SP - 72
EP - 77
DO - 10.5220/0001928900720077