IJCNS  Vol.5 No.2 , February 2012
Research on User Permission Isolation for Multi-Users Service-Oriented Program
Abstract: For the super user privilege control problem in system services, a user permission isolation method is proposed. Based on virtualization technology, the permission limited environments are constructed for different users. According to privilege sets, the users, mapping relations are built among users, isolated domains and program modules. Besides, we give an algorithm for division of program permissions based on Concept Lattices. And the security strategies are designed for different isolated domains. Finally, we propose the implications of least privilege, and prove that the method eliminates the potential privileged users in system services.
Cite this paper: L. Yu, J. Wei, L. Li, Z. Jing, L. Peng, Y. Lai and S. Bu, "Research on User Permission Isolation for Multi-Users Service-Oriented Program," International Journal of Communications, Network and System Sciences, Vol. 5 No. 2, 2012, pp. 105-110. doi: 10.4236/ijcns.2012.52014.

[1]   R. Stevens, “Advanced Programming in the UNIX Environment,” Addison-Wesley Publishing Company, 1992.

[2]   H. Chen, D. Wagner and D. Dean, “Setuid Demystified,” Proceedings of the11th USENIX Security Symposium, San Francisco, 05-09 August 2002, pp. 171-190.

[3]   Sendmail Inc. Sendmail Workaround for Linux Capabilities Bug, 2009.

[4]   D. Price and A. Tucker, “Solaris Zones: Operating System Support for Consolidating Commercial Workloads,” USENIX 18th Large Installation System Administration Conference (LISA’04), Atlanta, 14-19 November 2004, pp. 241-254.

[5]   C. Lindig and G. Snelting, “Assessing Modular Structure of Legacy Code Based on Mathematical Concept Analysis,” Proceedings of the 19th International Conference on Software Engineering, Boston, May 1997, pp. 349-359.

[6]   K. Buyens, B. D. Win, and W. Joosen, “Resolving Least Privilege Violations in Software Architectures,” Proceedings of the 5th International Workshop on Software Engineering for Secure Systems, Vancouver, 19 May 2009, pp. 9-16.

[7]   T. E. Levin, C. E. Irvine and T. D. Nguyen, “A Least Privilege Model for Static Separation Kernels,” Technical Report NPS-CS-05-003, Center of Information Systems Security Studies and Research, Naval Postgraduate School, October 2004.

[8]   J. H. Saltzer and M. D. Schroeder, “The Protection of Information in Computer Systems,” Proceedings of the IEEE, Vol. 63, No. 9, 1975, pp. 1278-1308. doi:10.1109/PROC.1975.9939

[9]   S. Chen, J. Dunagan, C. Verbowski and Y.-M. Wang, “A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities,” Proceedings of Network and Distributed System Security Symposium, San Diego, 3-4 February 2005, pp. 42-53.

[10]   K. Buyens, R. Scandariato and W. Joosen, “Composition of Least Privilege Analysis Results in Software Architectures,” Proceeding of the 7th International Workshop on Software Engineering for Secure Systems, Waikiki, 22 May 2011, pp. 29-35.

[11]   D. Kilpatrick, “Privman: A Library for Partitioning Applications,” Proceedings of Freenix, San Antonio, 12-14 June 2003, pp. 273-284.

[12]   D. Brumley and D. Song, “Privtrans: Automatically Partitioning Programs for Privilege Separation,” Proceedings of the 13th conference on USENIX Security Symposium, San Diego, 9-13 August 2004, p. 5.

[13]   P. H. Kamp and R. N. Watson, “Jails: Confining the Omnipotent Root,” 2nd International System Administration and Network Engineering Conference (SANE’00), Maastricht, 2000, pp. 1-15.

[14]   S. Evan, “Securing FreeBSD Using Jail,” System Administration, Vol. 10, No. 5, 2001, pp. 31-37.

[15]   Y. Yu, F.-L. Guo, S. Nanda, L.-C. Lam and T.-C. Chiueh, “A Feather-Weight Virtual Machine for Windows Applications,” Proceedings of the Second ACM/USENIX Conference on Virtual Execution Environments (VEE’06), Ottawa, 14-16 June 2006, pp. 24-34.