
SecGuard: Secure and Practical Integrity Protection

Model for Operating Systems

Ennan Zhai (1,2), Qingni Shen (1,3,4), Yonggang Wang (3,4), Tao Yang (3,4), Liping Ding (2), and Sihan Qing (1,2)

1 School of Software and Microelectronics, Peking University, China
2 Institute of Software, Chinese Academy of Sciences, China
3 MoE Key Lab of Network and Software Assurance, Peking University, China
4 Network & Information Security Lab, Institute of Software, Peking University, China

ennan@nfs.iscas.ac.cn, qingnishen@ss.pku.edu.cn, {wangyg,ytao}@infosec.pku.edu.cn, dlp@iscas.ac.cn, qsihan@ss.pku.edu.cn

Abstract. Host compromise is a serious security problem for operating systems. Most previous solutions based on integrity protection models are difficult to use; on the other hand, usable integrity protection models can only provide limited protection. This paper presents SecGuard, a secure and practical integrity protection model. To ensure the security of systems, SecGuard provides provable guarantees for operating systems to defend against three categories of threats: network-based threat, IPC communication threat and contaminative file threat. To ensure practicability, SecGuard introduces several novel techniques; for example, SecGuard leverages existing discretionary access control (DAC) information to initialize integrity labels for the subjects and objects in the system. We developed a prototype of SecGuard based on the Linux Security Modules (LSM) framework, and evaluated the security and practicability of SecGuard.

1 Introduction

Background. As the Internet grows in scale, computer systems face more threats. For example, Internet worms compromise vulnerable computer systems and then propagate from the compromised hosts. Compromised hosts may be organized to launch large-scale network attacks. Most existing efforts defend against such attacks using network-level techniques (e.g., firewalls and NIDS). However, the study in [1] argues that network-level solutions cannot fundamentally resist such attacks, because: 1) software on hosts is buggy, and 2) the discretionary access control (DAC) mechanism is insufficient against network-based attacks. Therefore, the problem should be addressed by introducing a mandatory access control (MAC) mechanism into operating systems.
Existing MAC models (e.g., DTE [2,3], SELinux [4], AppArmor [5,6], and LIDS [7]) are very complex to configure and difficult to use. For example, there are many different categories of objects in SELinux; moreover, after configuring such MAC models, some existing applications can no longer be used. On the other hand, there have also been some efforts on practical MAC models (e.g., LOMAC [8] and UMIP [1]). However, these solutions only provide heuristic approaches without strong guarantees (e.g., provable guarantees). Furthermore, these models are evaluated only against synthetic attacks and are designed based on some strong assumptions. For example, the UMIP model treats remote system administration through the secure shell daemon (sshd) as completely trustworthy (meaning the integrity level of that process cannot drop). Nevertheless, attackers can in practice always exploit bugs in such a daemon program and then "overwhelm" the system. In summary, it remains an open question how to design a secure and practical MAC model to protect the integrity of operating systems.

The first three authors of this paper are alphabetically ordered according to first names.

Corresponding Author.

X. Du et al. (Eds.): APWeb 2011, LNCS 6612, pp. 370–375, 2011.

© Springer-Verlag Berlin Heidelberg 2011
Our approach and contributions. This paper presents SecGuard, a secure and practical integrity protection model for operating systems. SecGuard aims to resist three categories of threats: network-based threat, IPC communication threat, and contaminative file threat¹. SecGuard makes the following contributions: 1) SecGuard secures operating systems against three categories of threats: network-based threat, IPC communication threat, and contaminative file threat; 2) SecGuard is a practical MAC model, and it is easier to configure and use than existing MAC models; 3) SecGuard provides provable guarantees, so the security of the model can be ensured in theory; and 4) SecGuard has been developed as a prototype system in Linux, and we present some representative designs and evaluations.
Roadmap. The rest of this paper is organized as follows. Threat scenarios and assumptions are described in Section 2. Section 3 gives the details of SecGuard. Our evaluations are given in Section 4. Finally, we conclude in Section 5.

2 Threat Scenarios and Assumptions


Threat Scenarios. SecGuard aims to defend against three categories of threats: 1) Network-based threat. Because system applications may contain bugs, attackers are able to use the network to inject malicious code into our hosts. Even when attackers do not launch an active attack, careless users might still download malicious code onto their local hosts from an insecure network; 2) IPC communication threat. When two processes communicate with each other, one process might read the IPC object owned by the other process. However, the IPC object might contain malicious code which can destroy the integrity of the system; and 3) Contaminative file threat. The most common way to destroy the integrity of a system is for a particular process to read system objects carrying malicious code, so that the data owned by this process is modified by the malicious code.
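To make the three threat channels concrete, the following added example (not code from the paper) simulates a simplified two-level low-water-mark integrity policy in the spirit of LOMAC [8]: a process that reads a low-integrity network, IPC, or file object is demoted and can then no longer modify a high-integrity system object. The HIGH/LOW labels, the demotion rule and the sample object names are assumptions for illustration, not SecGuard's actual rules.

```python
from dataclasses import dataclass, field

HIGH, LOW = "HIGH", "LOW"   # two-level integrity lattice (assumed for illustration)


@dataclass
class Subject:
    """A process with a current integrity level and an audit trail."""
    name: str
    level: str = HIGH
    log: list = field(default_factory=list)


@dataclass
class Obj:
    """A passive object; kind is 'net', 'ipc' or 'file'."""
    name: str
    kind: str
    level: str


def read(subj: Subject, obj: Obj) -> bool:
    """Reads are always allowed, but a HIGH subject that consumes a LOW object
    (untrusted network input, another process's IPC object, or a contaminated
    file) is demoted, so contamination cannot spread through its later writes."""
    if subj.level == HIGH and obj.level == LOW:
        subj.level = LOW
        subj.log.append(f"{subj.name} demoted to LOW after reading {obj.kind}:{obj.name}")
    return True


def write(subj: Subject, obj: Obj) -> bool:
    """A LOW subject may not modify a HIGH (system-critical) object."""
    if subj.level == LOW and obj.level == HIGH:
        subj.log.append(f"denied write {subj.name} -> {obj.kind}:{obj.name}")
        return False
    return True


def scenario(kind: str, contaminated: bool = True):
    """Constructed scenario: a privileged process reads one object of the given
    kind, then tries to modify a HIGH system file. Returns the process's final
    level and whether the write was allowed."""
    proc = Subject("daemon")
    src_name = {"net": "socket", "ipc": "shm_seg", "file": "download.bin"}[kind]
    source = Obj(src_name, kind, LOW if contaminated else HIGH)
    target = Obj("/etc/passwd", "file", HIGH)  # constructed HIGH-integrity target
    read(proc, source)
    return proc.level, write(proc, target)
```

Each of the three threat kinds leads to the same outcome under this policy: the reading process is demoted and its write to the system file is refused, while a process that has only read HIGH data keeps its level and may write.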
Assumptions. We make three assumptions: 1) network server and client programs contain bugs and can be exploited by the attacker; 2) users may make careless mistakes in their operations, e.g., downloading a malicious file from the Internet and reading it; and 3) the attacker cannot physically access the host. Based on the above assumptions, SecGuard aims to ensure attackers can only
¹ The existing study in [8] has pointed out that these three categories of attacks are the main threats in operating systems.
