<!--
Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
All rights reserved.
This software was developed for the FreeBSD Project by Chris
Costello at Safeport Network Services and Network Associates
Laboratories, the Security Research Division of Network Associates,
Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part
of the DARPA CHATS research program.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
-->
<bibliography>
<title>Implementation Papers</title>
<entry role="paper" date="20030709">
<title>Security-Enhanced BSD</title>
<author>
<name>Chris Vance</name>
<affil>Network Associates Laboratories</affil>
</author>
<author>
<name>Robert Watson</name>
<affil>Network Associates Laboratories</affil>
</author>
<audience>
<venue>Network Associates Laboratories Technical Report</venue>
<city>Rockville</city> <state>MD</state>
<date>July 9, 2003</date>
</audience>
<download>
<file url="sebsd-july2003.pdf" format="PDF" />
</download>
<abstract>Network Associates Laboratories has completed an initial
port of the Flask security architecture and other components of
Security Enhanced Linux (SELinux) to the FreeBSD operating system.
This project, called Security Enhanced BSD (SEBSD), started with
the TrustedBSD MAC Framework and integrated the Flask access
vector cache and security server to make policy decisions. Then,
support was added to the kernel to manage security fields and
enforce permissions on files and processes. To demonstrate the
resulting kernel functionality, a policy compiler and file system
label management tools were ported. Also, modifications to login,
ls, and the ps program were integrated into the corresponding
FreeBSD programs. This paper discusses the TrustedBSD MAC Framework,
label management, access control checks, and differences between
SEBSD and SELinux.</abstract>
</entry>
<entry role="paper" date="20000908">
<title>Introducing Supporting Infrastructure for Trusted Operating
System Support in FreeBSD</title>
<author>
<name>Robert Watson</name>
<affil>FreeBSD Project</affil>
</author>
<audience>
<venue>BSDCon 2000</venue>
<city>Monterey</city> <state>CA</state>
<date>September 8, 2000</date>
</audience>
<download>
<file url="trustedbsd-bsdcon-2000.pdf" format="PDF" />
</download>
<abstract>Trusted operating systems provide a number of features
beyond the standard discretionary access control policies of
commercial, off-the-shelf operating systems. These include features
such as fine-grained event auditing, least-privilege design,
mandatory access control policies, and extensive design
documentation. The TrustedBSD project is adding trusted operating
system features to FreeBSD, an open source UNIX-like operating
system under a liberal license. However, TrustedBSD requires
extensive changes to the access control mechanisms in FreeBSD. At
this point in the project, we have implemented file system extended
attributes for storing security labels on files, revamped internal
handling of privilege in the operating systems, and are working on
an improved generalized access control system.</abstract>
</entry>
<entry role="paper" date="20010628">
<title>TrustedBSD: Adding Trusted Operating System Features to
FreeBSD</title>
<author>
<name>Robert Watson</name>
<affil>Network Associates Laboratories / FreeBSD Project</affil>
</author>
<audience>
<venue>USENIX Technical Conference</venue>
<city>Boston</city> <state>MA</state>
<date>June 28, 2001</date>
</audience>
<download>
<file url="trustedbsd-freenix-2001.pdf" format="PDF" />
</download>
<abstract>Trusted operating systems provide a ``next level'' of system
security, offering both new security features and higher
assurance that they are properly implemented. TrustedBSD
is an on-going project to integrate a number of trusted OS
features into the open source FreeBSD operating system,
and involves both architectural and development process
improvements. This paper describes how the open source
development practices of the FreeBSD Project impacted the
design and implementation choices for these features,
and describes lessons learned that will influence future
work. Several key TrustedBSD features are discussed as
examples of how new security services may be introduced in
such an environment.</abstract>
</entry>
<entry role="paper" date="20030600">
<title>The TrustedBSD MAC Framework: Extensible Kernel Access Control
for FreeBSD 5.0</title>
<author>
<name>Robert Watson</name>
<affil>Network Associates Laboratories / FreeBSD Project</affil>
</author>
<author>
<name>Wayne Morrison</name>
<affil>Network Associates Laboratories</affil>
</author>
<author>
<name>Chris Vance</name>
<affil>Network Associates Laboratories</affil>
</author>
<author>
<name>Brian Feldman</name>
<affil>FreeBSD Project</affil>
</author>
<audience>
<venue>USENIX Annual Technical Conference</venue>
<city>San Antonio</city> <state>TX</state>
<date>June, 2003</date>
</audience>
<download>
<file url="trustedbsd-usenix2003freenix.pdf" format="PDF" />
</download>
<abstract>We explore the requirements, design, and
implementation of the TrustedBSD MAC Framework.
The TrustedBSD MAC Framework, integrated into FreeBSD 5.0,
provides a flexible framework for kernel access control
extension, permitting extensions to be introduced
more easily, and avoiding the need for direct modification of
distributed kernel sources.
We also consider the performance impact of the Framework on the
FreeBSD 5.0 kernel in several test environments.</abstract>
</entry>
<entry role="doc">
<title>FreeBSD Handbook: Security Event Auditing</title>
<author>
<name>Tom Rhodes</name>
<affil>FreeBSD Project</affil>
</author>
<author>
<name>Robert Watson</name>
<affil>TrustedBSD Project</affil>
</author>
<download>
<file url="http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/audit.html" format="HTML" />
</download>
<abstract>Brief introduction to configuring and using TrustedBSD audit
on FreeBSD 7.x.</abstract>
</entry>
<entry role="doc">
<title>FreeBSD Handbook: File System Access Control Lists</title>
<author>
<name>Tom Rhodes</name>
<affil>FreeBSD Project</affil>
</author>
<download>
<file url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/fs-acl.html" format="HTML" />
</download>
<abstract>Brief introduction to configuring and using TrustedBSD
access control lists on FreeBSD 5.x.</abstract>
</entry>
<entry role="doc">
<title>FreeBSD Handbook: Mandatory Access Control (MAC)</title>
<author>
<name>Tom Rhodes</name>
<affil>FreeBSD Project</affil>
</author>
<download>
<file url="http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac.html" format="HTML" />
</download>
<abstract>Introduction to configuring and using the TrustedBSD
Mandatory Access Control (MAC) Framework, as well as a list of
currently shipped MAC policy modules and implementation
examples.</abstract>
</entry>
<entry role="doc">
<title>FreeBSD Developer's Handbook: The TrustedBSD MAC Framework</title>
<author>
<name>Robert Watson</name>
<affil>Network Associates Laboratories / FreeBSD Project</affil>
</author>
<author>
<name>Chris Costello</name>
<affil>Safeport Network Services / FreeBSD Project</affil>
</author>
<download>
<file url="http://www.freebsd.org/doc/en_US.ISO8859-1/books/arch-handbook/mac.html" format="HTML" />
</download>
<abstract>Work in progress.
Developer's introduction to the TrustedBSD MAC Framework,
targeted at writers of new MAC policy modules.</abstract>
</entry>
<entry role="paper" date="20030400">
<title>Design and Implementation of the TrustedBSD MAC Framework</title>
<author>
<name>Robert Watson</name>
<affil>Network Associates Laboratories / FreeBSD Project</affil>
</author>
<author>
<name>Brian Feldman</name>
<affil>Network Associates Laboratories / FreeBSD Project</affil>
</author>
<author>
<name>Adam Migus</name>
<affil>Network Associates Laboratories</affil>
</author>
<author>
<name>Chris Vance</name>
<affil>Network Associates Laboratories</affil>
</author>
<audience>
<venue>Third DARPA Information Survivability Conference and Exhibition
(DISCEX3); proceedings published by IEEE.</venue>
<city>Washington</city> <state>DC</state>
<date>April, 2003</date>
</audience>
<download>
<file url="trustedbsd-discex3.pdf" format="PDF" />
</download>
<abstract>Developing access control extensions for operating systems
is an expensive and time-consuming task. Mechanisms available for
access control extension lag behind industry standard extension
solutions for file systems, process schedulers, and device drivers,
and suffer from a number of serious flaws in modern multi-processor,
multi-threaded kernels. In this paper, we explore the limitations
of current technologies for security extension. We describe
the TrustedBSD MAC Framework, a flexible and modular environment
for operating system access control extensions on the open source
FreeBSD platform. The TrustedBSD MAC Framework permits extensions
to be introduced at compile-time, boot-time, or at run-time, and
provides a number of services to support dynamically introduced
policies, including policy-agnostic object labeling services and
application interfaces. We discuss the design and implementation of
the framework, as well as an implementation of a fixed-label
Biba integrity policy based on the framework.</abstract>
</entry>
<entry role="paper" date="20060303">
<title>The FreeBSD Audit System</title>
<author>
<name>Robert N. M. Watson</name>
<affil>University of Cambridge, TrustedBSD Project</affil>
</author>
<author>
<name>Wayne Salamon</name>
<affil>TrustedBSD Project</affil>
</author>
<audience>
<venue>UKUUG LISA Conference</venue>
<city>Durham</city> <state>UK</state>
<date>March, 2006</date>
</audience>
<download>
<file url="20060303-ukuug2006lisa-audit.pdf" format="PDF" />
</download>
<abstract>This paper describes the Common Criteria security event
auditing implementation added to the FreeBSD operating system by the
TrustedBSD Project. Audit is a critical element in operating system
security evaluation and operation, but both the standards-based and
operational requirements are complex. This paper describes the
requirements, FreeBSD kernel implementation, extensible file format
adopted from OpenSolaris BSM, mechanisms used for processing and
maintaining the audit trail, and the OpenBSM audit library and tool
set. Of importance is not just the content of audit records, but
also the reliability guarantees associated with the queuing and
delivery mechanisms.</abstract>
</entry>
<entry role="paper" date="20100811">
<title>Capsicum: practical capabilities for UNIX</title>
<author>
<name>Robert N. M. Watson</name>
<affil>University of Cambridge</affil>
</author>
<author>
<name>Jonathan Anderson</name>
<affil>University of Cambridge</affil>
</author>
<author>
<name>Ben Laurie</name>
<affil>Google UK Ltd.</affil>
</author>
<author>
<name>Kris Kennaway</name>
<affil>Google UK Ltd.</affil>
</author>
<download>
<file url="2010usenix-security-capsicum-website.pdf" format="PDF" />
</download>
<abstract>Capsicum is a lightweight operating system capability and
sandbox framework planned for inclusion in FreeBSD 9. Capsicum extends,
rather than replaces, UNIX APIs, providing new kernel primitives
(sandboxed capability mode and capabilities) and a userspace sandbox
API. These tools support compartmentalisation of monolithic UNIX
applications into logical applications, an increasingly common goal
supported poorly by discretionary and mandatory access control. We
demonstrate our approach by adapting core FreeBSD utilities and
Google's Chromium web browser to use Capsicum primitives, and compare
the complexity and robustness of Capsicum with other sandboxing
techniques.</abstract>
</entry>
<entry role="paper" date="20120400">
<title>New approaches to operating system security extensibility</title>
<author>
<name>Robert N. M. Watson</name>
<affil>University of Cambridge</affil>
</author>
<download>
<file url="http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-818.html"
format="Tech report page" />
<file url="http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-818.pdf"
format="PDF" />
</download>
<abstract><p>This dissertation proposes new approaches to commodity
computer operating system (OS) access control extensibility that
address historic problems with concurrency and technology transfer.
Access control extensibility addresses a lack of consensus on operating
system policy model at a time when security requirements are in flux:
OS vendors, anti-virus companies, firewall manufacturers, smart phone
developers, and application writers require new tools to express
policies tailored to their needs. By proposing principled approaches to
access control extensibility, this work allows OS security to be
"designed in" yet remain flexible in the face of diverse and changing
requirements.</p>
<p>I begin by analysing system call interposition, a popular extension
technology used in security research and products, and reveal
fundamental and readily exploited concurrency vulnerabilities.
Motivated by these failures, I propose two security extension models:
the TrustedBSD Mandatory Access Control (MAC) Framework, a flexible
kernel access control extension framework for the FreeBSD kernel, and
Capsicum, practical capabilities for UNIX.</p>
<p>The MAC Framework, a research project I began before starting my
PhD, allows policy modules to dynamically extend the kernel access
control policy.
The framework allows policies to integrate tightly with kernel
synchronisation, avoiding race conditions inherent to system call
interposition, as well as offering reduced development and technology
transfer costs for new security policies.
Over two chapters, I explore the framework itself, and its transfer to
and use in several products: the open source FreeBSD operating system,
nCircle's enforcement appliances, and Apple's Mac OS X and iOS
operating systems.</p>
<p>Capsicum is a new application-centric capability security model
extending POSIX.
Capsicum targets application writers rather than system designers,
reflecting a trend towards security-aware applications such as
Google's Chromium web browser, that map distributed security policies
into often inadequate local primitives.
I compare Capsicum with other sandboxing techniques, demonstrating
improved performance, programmability, and security.</p>
<p>This dissertation makes original contributions to challenging
research problems in security and operating system design.
Portions of this research have already had a significant impact on
industry practice.</p></abstract>
</entry>
</bibliography>