State-based usage control enforcement with data flow tracking using system call interposition

Matúš Harvan, Alexander Pretschner

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution; peer-review

48 Scopus citations

Abstract

Usage control generalizes access control to what happens to data in the future. We contribute to the enforcement of usage control requirements at the level of system calls by also taking into account data flow: Restrictions on the dissemination of data, for instance, as stipulated by data protection regulations, of course relate not to just one file containing the data, but likely to all copies of that file as well. In order to enforce the dissemination restrictions on all copies of the sensitive data item, we introduce a data flow model that tracks how the content of a file flows through the system (files, network sockets, main memory). By using this model, the existence of potential copies of the data is reflected in the state of the data flow model. This allows us to enforce the dissemination restrictions by relating to the state rather than all sequences of events that possibly yield copies. Generalizing this idea, we describe how usage control policies can be expressed in a related state-based manner. Finally, we present an implementation of the data flow model and state-based policy enforcement as well as first encouraging performance measurements.

Original language: English
Title of host publication: NSS 2009 - Network and System Security
Pages: 373-380
Number of pages: 8
State: Published - 2009
Externally published: Yes
Event: 2009 3rd International Conference on Network and System Security, NSS 2009 - Gold Coast, QLD, Australia
Duration: 19 Oct 2009 - 21 Oct 2009

Publication series

Name: NSS 2009 - Network and System Security

Conference

Conference: 2009 3rd International Conference on Network and System Security, NSS 2009
Country/Territory: Australia
City: Gold Coast, QLD
Period: 19/10/09 - 21/10/09
