Title : 
A Dynamically Modified Privilege Control Policy
         
        
            Author : 
Qing, Sihan ; Shen, Qingni ; Ji, Qingguang ; He, Yeping
         
        
            Author_Institution : 
Inst. of Software, Chinese Acad. of Sci., Beijing
         
        
        
        
        
        
            Abstract : 
Trusted systems typically include trusted processes which possess special privileges. Such privileges can circumvent certain security checks but should be used in a controlled manner. This paper proposes a privilege control policy called DMPC (dynamically modified privilege control). It has two components: a hybrid privilege control model and a new POSIX (portable operating system interface) capability inheritance algorithm. The privilege control model in DMPC is a combination of role based access control (RBAC), domain and type enforcement (DTE) and POSIX capability mechanism while the capability inheritance algorithm serves as an engine to effectively enforce the hybrid privilege control model on a secure operating system. The DMPC´s design has given a high priority to supporting least privilege to a finer level of granularity on trusted systems. Additional (sub-) goals for the DMPC policy are: realizing separation of duties among privileged users, achieving separation of trusted functions from untrusted ones and providing a flexible and dynamically mediated capability mechanism. We show that RBAC alone is insufficient to enforce the principle of least privilege in a dynamic context, and that DTE and POSIX capability mechanism can successfully be conjugated with RBAC for this purpose. We also describe an implementation of the DMPC policy on a real system and report on experimental results
         
        
            Keywords : 
Unix; application program interfaces; authorisation; dynamically modified privilege control policy; portable operating system interface; role based access control; security checks; trusted systems; Access control; Availability; Computer security; Control systems; Electronic mail; Engines; Helium; Linux; Operating systems; Process control;
         
        
        
        
            Conference_Titel : 
Information Assurance Workshop, 2006 IEEE
         
        
            Conference_Location : 
West Point, NY
         
        
            Print_ISBN : 
1-4244-0130-5
         
        
        
            DOI : 
10.1109/IAW.2006.1652115