PSU CSE 543 - Categories and Subject Descriptors

Protecting Users From "Themselves"

William Enck, Sandra Rueda, Joshua Schiffman, Yogesh Sreenivasan, Luke St. Clair, Trent Jaeger, and Patrick McDaniel
Systems and Internet Infrastructure Security Laboratory
Department of Computer Science and Engineering
The Pennsylvania State University
University Park, PA 16802
{enck,ruedarod,jschiffm,sreeniva,lstclair,tjaeger,mcdaniel}@cse.psu.edu

ABSTRACT

Computer usage and threat models have changed drastically since the advent of access control systems in the 1960s. Instead of multiple users sharing a single file system, each user has many devices with their own storage. Thus, a user's fear has shifted away from other users' impact on the same system to the threat of malice in the software they intentionally or even inadvertently run. As a result, we propose a new vision for access control: one where individual users are isolated by default and where the access of individual user applications is carefully managed. A key question is how much user administration effort would be required if a system implementing this vision were constructed. In this paper, we outline our work on just such a system, called PinUP, which manages file access on a per application basis for each user. We use historical data from our lab's users to explore how much user and system administration effort is required. Since administration is required for user sharing in PinUP, we find that sharing via mail and file repositories requires a modest amount of administrative effort, a system policy change every couple of days and a small number of user administrative operations a day. We are encouraged that practical administration on such a scale is possible given an appropriate and secure user approach.

Categories and Subject Descriptors

D.4.6 [Operating Systems]: Security and protection — Access Controls

General Terms

Security

Keywords

Access Control, Policy

1. INTRODUCTION

When access control was invented, computers were expensive and limited resources. Each computer supported several users who shared not only the CPU, but also the storage of these machines. Early access control systems were designed to protect the secrecy and integrity of each user's files from all the other users' processes on a single computer [16, 17]. The main concerns at this time were that: (1) a user's buggy program may modify the files of another user and (2) a nosy user may be able to browse another user's secrets by scanning her files.

The world of computing is very different now. Two major differences are: (1) the increased variety and lower cost of computing devices[1] and (2) the increased variety of threats against our computing devices. First, the advent of many inexpensive devices has created a situation where each user owns multiple devices, so there is no other user to restrict. Second, new threats have emerged due to the increased connectivity and ease of appropriating software that results from that connectivity. Now, users must be more concerned with the threat that their own processes may be malicious or have a vulnerability that a remote attacker can leverage. For example, a web browser client executes a variety of programs (e.g., plugins) to process browser content, but all these programs run with the full rights of the user (i.e., as users "themselves"). Some of these programs may be malicious, some may have vulnerabilities, but the user must trust all these programs with all their data.

We claim that the access control problem of the early days of computing has morphed into a new problem. In the current environment, users are isolated from one another by default and the main challenge is to manage the access of each user's applications. Sharing among users does occur, of course, but we claim that sharing can be modeled by a small number of mechanisms: email, web, and version control repositories. Thus, we believe that future access control models should leverage such natural isolation of users to simplify policy, provide a reliable control of user's data based on applications, and enable limited sharing without complicating policy significantly. Towards this end, we have developed the PinUP access control system [7], a Linux Security Module that binds permissions to applications, provides a rule language for expressing how files are shared among applications, and treats inter-user sharing as an exceptional case.

In the future, we envision that user administration should more closely mirror sharing among isolated users. Our access control infrastructure should be set up such that normal, predictable operation is handled by system policy (i.e., policy specified by system administrators and/or general-purpose policy rules). System administrators may have to make some changes to system policy to support variations in behavior, but these should be quite infrequent. In this vision, users will have to administer exceptional sharing, but this sharing is limited to a few, well-defined mechanisms: email, web, and version control repositories. Only when users apply these mechanisms do they need to consider the sharing implications. Otherwise, user files are isolated from other users. The PinUP system supports default isolation policies, so it is an ideal candidate to implement this vision as we discuss.

The approach above raises the following question, "In a world in which we approximate acceptable system behavior through user isolation, how many exceptions to that approximation will occur in practice and how difficult will it be to correct the policy given that approximation?" This question highlights the key tradeoff in the PinUP system. Inasmuch as the system can predict all uses of a file, no user or system interactions are necessary. Where such approximations are

[1] The notion of a computing device is much broader than that of a computer of the 1960's and 1970's. We consider any device that may be programmed or whose software may be reconfigured, including cell phones and PDAs, as a computing device.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
CSAW'07, November 2, 2007, Fairfax, Virginia, USA.
Copyright 2007 ACM 978-1-59593-890-9/07/0011 ...$5.00.
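The model the introduction sketches (permissions bound to applications rather than to users, isolation of users by default, and cross-user sharing only through a few explicit mechanisms) can be made concrete with a small policy evaluator. The following is an added illustration written for this page; it is not PinUP's rule language or any part of its Linux Security Module, and the application names, home-directory layout, policy entries and access log are all constructed. It classifies each request as allowed, as an application-binding gap (the kind of exception a system policy change would resolve) or as a sharing gap (the kind a user-administered sharing rule would resolve), which is the same split the abstract reports counts for.

```python
"""Toy model of application-bound file access with default user isolation.

Added example, not PinUP code. Assumptions (all constructed): files live under
/home/<user>/, system policy binds each application to path prefixes inside the
requesting user's own home, and cross-user access is only possible through an
explicit Share rule tied to one of the sharing mechanisms (mail, web, repository).
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Access:
    user: str   # user on whose behalf the process runs
    app: str    # application making the request (hypothetical names)
    path: str   # file requested
    mode: str   # "r" or "w"


@dataclass(frozen=True)
class Share:
    owner: str    # user who owns the files
    to_user: str  # user granted access
    prefix: str   # path prefix under the owner's home directory
    via_app: str  # sharing mechanism the access must go through
    mode: str     # "r" or "rw"


@dataclass
class Policy:
    # System policy: application -> path prefixes it may use in the caller's home.
    app_bindings: Dict[str, List[str]]
    # User-administered exceptions for inter-user sharing.
    shares: List[Share] = field(default_factory=list)


def owner_of(path: str) -> Optional[str]:
    """Constructed convention: /home/<user>/... is owned by <user>."""
    parts = path.split("/")
    if len(parts) > 3 and parts[1] == "home":
        return parts[2]
    return None


def decide(policy: Policy, acc: Access) -> str:
    """Return 'allow', 'deny-app' (application not bound to the file: a system
    policy change would be needed) or 'deny-share' (cross-user access with no
    matching sharing rule: a user sharing operation would be needed)."""
    owner = owner_of(acc.path)
    if owner is None:
        return "deny-app"            # unknown ownership: isolation by default
    rel = acc.path[len(f"/home/{owner}/"):]
    if owner == acc.user:
        # Same user: allowed only when the application is bound to this prefix.
        for prefix in policy.app_bindings.get(acc.app, []):
            if rel.startswith(prefix):
                return "allow"
        return "deny-app"
    # Different user: allowed only through an explicit sharing rule.
    for s in policy.shares:
        if (s.owner == owner and s.to_user == acc.user and s.via_app == acc.app
                and rel.startswith(s.prefix) and acc.mode in s.mode):
            return "allow"
    return "deny-share"


def summarize(policy: Policy, log: List[Access]) -> Dict[str, int]:
    """Count decisions over a log, i.e. how many exceptions the isolation
    approximation produced and which kind of administration each needs."""
    return dict(Counter(decide(policy, a) for a in log))


# Constructed policy: browser and mail client confined to their own directories,
# repository and editor confined to project files.
POLICY = Policy(
    app_bindings={
        "firefox": ["Downloads/", ".mozilla/"],
        "mutt": ["Mail/", "Downloads/"],
        "svn": ["projects/"],
        "vim": ["projects/", "notes/"],
    },
    shares=[
        Share("alice", "bob", "projects/pinup/", via_app="svn", mode="rw"),
        Share("alice", "bob", "Mail/attachments/", via_app="mutt", mode="r"),
    ],
)

# Constructed access log.
LOG = [
    Access("alice", "firefox", "/home/alice/Downloads/paper.pdf", "w"),      # allow
    Access("alice", "firefox", "/home/alice/notes/todo.txt", "r"),           # deny-app: plugin outside its bindings
    Access("bob", "svn", "/home/alice/projects/pinup/policy.c", "w"),        # allow via repository share
    Access("bob", "vim", "/home/alice/projects/pinup/policy.c", "r"),        # deny-share: not via svn
    Access("alice", "vim", "/home/alice/notes/todo.txt", "w"),               # allow
    Access("bob", "mutt", "/home/alice/Mail/attachments/draft.txt", "w"),    # deny-share: share is read-only
    Access("alice", "mutt", "/home/alice/Mail/inbox", "r"),                  # allow
]

if __name__ == "__main__":
    for a in LOG:
        print(f"{decide(POLICY, a):10s} {a.user}:{a.app} {a.mode} {a.path}")
    print(summarize(POLICY, LOG))
```

The two denial classes are kept distinct on purpose: a "deny-app" result means the system policy did not anticipate a legitimate use of an application and a system administrator would adjust the binding, while a "deny-share" result means a user reached for another user's file outside the mail, web or repository path and the owner would have to add a sharing rule. Counting each class over real access history is exactly the measurement the paper's question about administrative effort calls for.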