1 Introduction
Background. As the Internet grows in scale, computer systems face ever more threats. For
example, Internet worms propagate by compromising vulnerable hosts, and the compromised
hosts can then be organized to launch large-scale network attacks. Most existing efforts
defend against such attacks with network-level techniques (e.g., firewalls and NIDS).
However, the study in [1] argues that network-level solutions cannot fundamentally resist
such attacks, because 1) software on hosts is buggy, and 2) discretionary access control
(DAC) is insufficient against network-based attacks. The problem should therefore be
addressed by introducing a mandatory access control (MAC) mechanism into the operating
system.
The first three authors of this paper are alphabetically ordered according to first names.
Corresponding Author.

Existing MAC models (e.g., DTE [2,3], SELinux [4], AppArmor [5,6], and LIDS [7]) are
complex to configure and difficult to use. For example, SELinux distinguishes many
different categories of objects; moreover, once such a MAC model has been configured,
some existing applications no longer work. On the other hand, there have also been
efforts on practical MAC models (e.g., LOMAC [8] and UMIP [1]). However, these solutions
only provide heuristic approaches without strong (e.g., provable) guarantees. Furthermore,
these models are evaluated only against synthetic attacks and are designed under some
strong assumptions. For example, the UMIP model treats remote system administration
through the secure shell daemon (sshd) as completely trustworthy, meaning that the
integrity level of that process can never drop. However, an attacker who exploits a bug
in such a daemon inherits its trust and can then compromise the whole system. In summary,
how to design a secure and practical MAC model that protects the integrity of operating
systems remains an open question.
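To make the weakness of that assumption concrete, the following is an added example (not code from the SecGuard or UMIP papers): a simplified low-watermark integrity monitor in Python with two levels, in which a subject that reads low-integrity input drops to LOW unless it has been exempted as fully trusted. The subject names, the `exempt` flag, the `Monitor` class, and the object names used as targets are constructed for illustration; the two-level rules are a simplification of what UMIP and LOMAC actually enforce.

```python
"""Simplified two-level low-watermark integrity simulation.

Added example, not SecGuard's or UMIP's code. Rules (assumed, simplified):
  - subjects start HIGH; reading LOW input drops a non-exempt subject to LOW
  - an exempt subject ("completely trustworthy") never drops
  - a LOW subject may not write a HIGH object (no write-up)
Object names such as "/etc/passwd" are constructed for the scenarios below.
"""
from __future__ import annotations

from dataclasses import dataclass, field

HIGH, LOW = "HIGH", "LOW"


@dataclass
class Subject:
    name: str
    level: str = HIGH
    exempt: bool = False  # True models the UMIP-style "trusted daemon" exception


@dataclass
class Monitor:
    log: list[str] = field(default_factory=list)

    def read(self, s: Subject, obj: str, obj_level: str) -> None:
        # Low-watermark rule: LOW input contaminates a non-exempt HIGH subject.
        if obj_level == LOW and s.level == HIGH and not s.exempt:
            s.level = LOW
            self.log.append(f"{s.name}: dropped to LOW after reading {obj}")
        else:
            self.log.append(f"{s.name}: read {obj} ({obj_level}) while {s.level}")

    def write(self, s: Subject, obj: str, obj_level: str) -> bool:
        # No write-up: a LOW subject may not modify a HIGH object.
        allowed = not (s.level == LOW and obj_level == HIGH)
        verdict = "ALLOWED" if allowed else "DENIED"
        self.log.append(f"{s.name}: write {obj} ({obj_level}) {verdict}")
        return allowed


def sshd_scenario(sshd_exempt: bool) -> tuple[bool, list[str]]:
    """Attacker delivers a crafted payload over the network to sshd, takes
    control of the process, and tries to modify a HIGH-integrity system file.
    Returns (write_allowed, audit_log)."""
    m = Monitor()
    sshd = Subject("sshd", exempt=sshd_exempt)
    m.read(sshd, "network socket (attacker payload)", LOW)  # exploit arrives here
    # The hijacked daemon now runs attacker code at sshd's integrity level.
    allowed = m.write(sshd, "/etc/passwd (constructed HIGH object)", HIGH)
    return allowed, m.log


def contaminated_file_scenario() -> tuple[bool, list[str]]:
    """Same monitor applied to the contaminated-file case: a HIGH editor opens a
    LOW (downloaded) file, then tries to save a HIGH configuration file."""
    m = Monitor()
    editor = Subject("editor")
    m.read(editor, "~/Downloads/notes.txt (constructed LOW object)", LOW)
    allowed = m.write(editor, "/etc/hosts (constructed HIGH object)", HIGH)
    return allowed, m.log


if __name__ == "__main__":
    for title, (ok, log) in (
        ("sshd exempt (UMIP-style assumption)", sshd_scenario(True)),
        ("sshd not exempt", sshd_scenario(False)),
        ("contaminated file", contaminated_file_scenario()),
    ):
        print(f"== {title}: write {'allowed' if ok else 'denied'}")
        print("\n".join("   " + line for line in log))
```

With `sshd_scenario(True)` the exempted daemon stays HIGH after consuming attacker-controlled network input and is allowed to modify the high-integrity file, which is exactly the outcome the text warns about; with `sshd_scenario(False)` the daemon drops to LOW on the read and the write is denied. The simulation tracks only the integrity-level bookkeeping, not the exploit itself.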
Our approach and contributions. This paper presents SecGuard, a secure and practical
integrity protection model for operating systems. SecGuard aims to resist three categories
of threats: network-based threats, IPC communication threats, and contaminative file
threats. SecGuard makes the following contributions: 1) it secures operating systems
against these three categories of threats; 2) it is a practical MAC model that is easier
to configure and use than existing MAC models; 3) it provides provable guarantees, so the
security of the model is ensured in theory; and 4) it has been implemented as a prototype
on Linux, and we present representative design decisions and evaluations.
Roadmap. The rest of this paper is organized as follows. Threat scenarios and assumptions
are described in Section 2. Section 3 presents the details of SecGuard. Our evaluations
are given in Section 4. Finally, we conclude in Section 5.