Yuanzhong Xu and Alan M. Dunn, The University of Texas at Austin; Owen S. Hofmann, Google, Inc.; Michael Z. Lee, Syed Akbar Mehdi, and Emmett Witchel, The University of Texas at Austin
Abstract:
DCAC is a practical OS-level access control system that supports application-defined principals. It allows normal users to perform administrative operations within their privilege, enabling isolation and privilege separation for applications. It does not require centralized policy specification or management, giving applications freedom to manage their principals while the policies are still enforced by the OS. DCAC uses hierarchically-named attributes as a generic framework for user-defined policies such as groups defined by normal users. For both local and networked file systems, its execution time overhead is between 0%–9% on file system microbenchmarks, and under 1% on applications.
This paper shows the design and implementation of DCAC, as well as several real-world use cases, including sandboxing applications, enforcing server applications’ security policies, supporting NFS, and authenticating user-defined sub-principals in SSH, all with minimal code changes.
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
BibTeX
@inproceedings {183953,
author = {Yuanzhong Xu and Alan M. Dunn and Owen S. Hofmann and Michael Z. Lee and Syed Akbar Mehdi and Emmett Witchel},
title = {{Application-Defined} Decentralized Access Control},
booktitle = {2014 USENIX Annual Technical Conference (USENIX ATC 14)},
year = {2014},
isbn = {978-1-931971-10-2},
address = {Philadelphia, PA},
pages = {395--407},
url = {https://www.usenix.org/conference/atc14/technical-sessions/presentation/xu},
publisher = {USENIX Association},
month = jun
}
connect with us