Abstract
It’s very important for a general-purpose operating system to have a security-tunable feature to meet different security requirements. This can be achieved by supporting diverse security modules, invoking them on demand. However, the security architectures of existing projects on Linux kernels do not support this feature or have some drawbacks in their supporting. Thus we introduce a layered architecture which consists of original kernel layer, module coordination layer and module decision layer. The architecture supports multiple modules register, resolves policy-conflicts of modules by changing their invoking order, and allow user to customize the security by enabling or disabling modules during runtime. The detailed structure and implementation in Linux based system, SECIMOS is described. The caching issue and performance are also discussed. Our practice showed the architecture helps us achieve flexible adaptation in different environments.
Supported by the National Natural Science Foundation of China under Grant No.60373054 and No.60073022; the National 863 High-tech Program of China under Grant No.2002AA141080; Graduate Student Innovation Grant of Chinese Academy of Sciences.
This is a preview of subscription content, log in via an institution to check access.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Wright, C., Cowan, C., Morris, J., Smalley, S., Kroah-Hartman, G.: Linux security modules: General security support for the linux kernel. In: Proceedings of the 11th USENIX Security Symposium
Rule Set Based Access Control, http://www.rsbac.org
Abrams, M.D., LaPadula, L.J., Eggers, K.W., et al.: Generalized Framework for Access Control: An Informal Description. In: Proceedings of the 13th National Computer Security Conference, October 1990, pp. 135–143 (1990)
NSA Security Enhanced Linux, http://www.nsa.gov/selinux
Spencer, R., Smalley, S., Loscocco, P., et al.: The Flask Security Architecture: System Support for Diverse Security Policies. In: Proceedings of the 8th USENIX Security Symposium, Washington, DC, USA, August 1999, pp. 123–139 (1999)
Openwall Project, http://www.openwall.com
Bernaschi, M., et al.: REMUS: A Security-Enhanced Operating System
Garfinkel, T., Wagner, D.: Janus: A practical tool for application sandboxing
Bell, D., LaPadual, L.J.: Secure Computer System: Unified Exposition and MULTICS Interpretation. MTR-2997 Rev.1, The MITRE Corporation, Bedford, MA, USA (Mar 1976)
Linux EA/ACL project, http://acl.bestbits.at
Sandhu, R., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control model. IEEE Computer 29(2), 38–47 (1996)
Chari, S.N., Cheng, P.-C.: BlueBoX: A Policy-Driven, Host-Based Intrusion Detection System
McVoy, L., Staelin, C.: lmbench: Portable tools for performance analysis. In: Proc. Winter 1996 USENIX, San Diego, CA, January 1996, pp. 279–284 (1996)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wu, Y., Shi, W., Liang, H., Shang, Q., Yuan, C., Bin, L. (2005). Security On-demand Architecture with Multiple Modules Support. In: Deng, R.H., Bao, F., Pang, H., Zhou, J. (eds) Information Security Practice and Experience. ISPEC 2005. Lecture Notes in Computer Science, vol 3439. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-31979-5_11
Download citation
DOI: https://doi.org/10.1007/978-3-540-31979-5_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-25584-0
Online ISBN: 978-3-540-31979-5
eBook Packages: Computer ScienceComputer Science (R0)