PSU CSE 543 - Protecting User Files by Reducing Application Access
Protecting User Files by Reducing Application Access

ABSTRACT

Traditional discretionary access control mechanisms do not differentiate between a user's running applications–hence they provide no means of preventing one application from exploiting another's data. Commercial mandatory access control mechanisms such as SELinux and AppArmor aim to protect system files, but do little to prevent similar misuse of user data. This paper presents the PinUP access control overlay. PinUP extends filesystem protections to explicitly identify the set of applications that may access each user's sensitive files. This reflects users' intuition about access: that files should only be accessed by the applications that own them. This approach reduces the often esoteric task of access control policy specification to a significantly simpler declaration of the relationship between sensitive user files and applications. In so doing, we reduce the significant gap between existing access control and least privilege frequently exploited by malware such as viruses, worms, and spyware. We describe our model, architecture, and Linux implementation, evaluate run-time costs, and detail use-cases illustrating the power and utility of the augmented policy. Our performance experiments show that all costs are nominal, with a maximum observed delay of 40 milliseconds occurring at application startup and a few tens of microseconds at each access check. In this, we provide an efficient and intuitive means of pushing access controls provided to users ever closer to the ideal of least privilege.

1. INTRODUCTION

Files are the object of user risk. They can contain the sensitive artifacts of a user's job, finances, and personal life. Files are modified by diverse applications implementing complex tasks and workflows. Further, the access control mechanisms of current operating systems make no distinction between the vast array of applications that can modify user files. As a result, user applications can corrupt or leak user files with impunity. This leads to an unfortunate reality: a user's files are only as protected as the least trustworthy application accommodates. This lack of least privilege is frequently exploited by every kind of malware: Trojans, viruses, spyware, and worms can change user startup files and configurations, leak application caches, export user databases, and even modify files containing other user applications. Whether to steal information, violate privacy, install bots, or for other nefarious reasons, they all exploit the broad permissions given to applications on behalf of users.

Commercial operating systems now implement a form of mandatory access control (MAC) that addresses a closely related problem: how to protect system files in the presence of broad discretionary file system controls. Systems such as SELinux [?] and AppArmor [?] place tight controls on how processes can modify sensitive system objects. However, such solutions are not appropriate for users for at least two reasons. First, every user has a different set of applications and files related to their data. Hence, specifying policy for these artifacts using largely foreign concepts such as groups, roles, and attributes is difficult and probably impractical. Second, history has shown that users cannot and will not manage complex policy correctly. For this reason, even the simplest of existing system level policy specifications is beyond the grasp of the vast majority of users.

We hypothesize that even sophisticated users can only successfully create policy for their data when the specification process is: a) simple, b) uses language and concepts native to their understanding, and c) the implications of policy decisions are simple and obvious. This work promotes an access control extension that attempts to meet these ambitious goals. In pursuing this, we reflected on the nature of the user experience with commodity operating systems. In essence, users create and manipulate each file with a single or series of well-known applications. Users necessarily must understand the nature of the relationship between sensitive files and the applications that use them. Importantly, user knowledge about these associations is authoritative (the user is often the only one in a position to make decisions about sensitive data) and complete.

This introspection led to the following deceptively simple PinUP protection model: each user-specific policy specifies the set of applications that may access a user's sensitive files (known as high-value files throughout). For example, a user may indicate that financial data (in a *.qdf file) be restricted to the Quicken accounting application. Of course, users cannot be reasonably expected to specify policy for every sensitive file. We extend the model to embrace PinUP policies that are automatically applied to files as they are created by applications. For example, it may be highly desirable to restrict the .xls files created by Excel to only that application. These application-specific policies are largely uniform across users and environments, and thus can be provided to the system during application installation. Such a system meets our goals above: the policy is simple, reflects users' conceptual model of the system, and its enforcement is observable and intuitive, i.e., respects the principle of least astonishment [].

Note that PinUP is not intended to replace existing protection systems, but to augment them—any existing access controls will be enforced in addition to the user-specified PinUP policy. Architecturally, we overlay MAC controls with a secondary access control module that limits which applications can access which user files. Like stacking a second module in the Linux Security Modules framework [?], our access control module "overlays" MAC system access by consulting the additional user file controls only if the underlying file system protections permit the operation.

This paper introduces the PinUP¹ access control overlay system. We begin by considering the

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Copyright 200X ACM X-XXXXX-XX-X/XX/XX ...$5.00.
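As an added illustration (not the paper's code or its Linux implementation), the following Python sketch models the PinUP policy described above: user-declared bindings of high-value files to the applications that own them, installer-provided rules that bind files automatically when an application creates them (the .xls/Excel case), and overlay semantics in which PinUP is consulted only after the underlying DAC/MAC decision already permits the operation. The application names, file paths, the denial log, and the rule that an explicit user binding takes precedence over an installer default are assumptions made for this example.

```python
"""Toy model of the PinUP access-control overlay.

Constructed illustration, not the paper's code: application names, paths
and policy entries below are made-up sample values.
"""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class PinUPPolicy:
    # User-specified bindings: high-value file path -> applications that may access it.
    file_bindings: Dict[str, Set[str]] = field(default_factory=dict)
    # Application-specific rules supplied at install time:
    # (creating application, file extension) -> applications bound to the new file.
    creation_rules: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)
    # Denials recorded for audit so that enforcement stays observable (assumption).
    denials: List[Tuple[str, str, str]] = field(default_factory=list)

    def bind(self, path: str, apps: Set[str]) -> None:
        """User declares which applications own a high-value file."""
        self.file_bindings[path] = set(apps)

    def add_creation_rule(self, app: str, ext: str, apps: Set[str]) -> None:
        """Installer declares that `ext` files created by `app` are bound to `apps`."""
        self.creation_rules[(app, ext.lower())] = set(apps)

    def on_create(self, app: str, path: str) -> bool:
        """Hook run when `app` creates `path`; applies a matching creation rule.

        Returns True if an automatic binding was applied. An explicit user
        binding already present for the path is kept (design assumption).
        """
        ext = os.path.splitext(path)[1].lower()
        rule = self.creation_rules.get((app, ext))
        if rule is None:
            return False
        self.file_bindings.setdefault(path, set(rule))
        return True

    def permits(self, app: str, path: str, op: str) -> bool:
        """PinUP decision: unbound files are unaffected; bound files admit only owners."""
        allowed = self.file_bindings.get(path)
        if allowed is None:
            return True  # not a high-value file, PinUP adds no restriction
        if app in allowed:
            return True
        self.denials.append((app, path, op))
        return False


def check_access(dac_allows: bool, policy: PinUPPolicy, app: str,
                 path: str, op: str = "read") -> bool:
    """Overlay semantics: the underlying file-system (DAC/MAC) decision is
    taken first, and PinUP is consulted only when that decision permits."""
    if not dac_allows:
        return False
    return policy.permits(app, path, op)


def demo() -> dict:
    """Walk through the scenarios from the text with constructed sample values."""
    policy = PinUPPolicy()
    # User binding: financial data restricted to the accounting application.
    policy.bind("/home/alice/finances.qdf", {"quicken"})
    # Install-time rule: spreadsheets created by Excel are restricted to Excel.
    policy.add_creation_rule("excel", ".xls", {"excel"})
    policy.on_create("excel", "/home/alice/budget.xls")
    return {
        "quicken_reads_qdf": check_access(True, policy, "quicken", "/home/alice/finances.qdf"),
        "browser_reads_qdf": check_access(True, policy, "browser", "/home/alice/finances.qdf"),
        "word_writes_xls": check_access(True, policy, "word", "/home/alice/budget.xls", "write"),
        "excel_reads_xls": check_access(True, policy, "excel", "/home/alice/budget.xls"),
        "editor_reads_notes": check_access(True, policy, "editor", "/home/alice/notes.txt"),
        "quicken_dac_denied": check_access(False, policy, "quicken", "/home/alice/finances.qdf"),
        "denials_logged": len(policy.denials),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the DAC-denied case never reaches the PinUP check and so is not logged by it, mirroring the overlay ordering in the text: PinUP only ever narrows what the base system already allows, never widens it.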