TY - GEN
T1 - State-based usage control enforcement with data flow tracking using system call interposition
AU - Harvan, Matúš
AU - Pretschner, Alexander
PY - 2009
Y1 - 2009
N2 - Usage control generalizes access control to what happens to data in the future. We contribute to the enforcement of usage control requirements at the level of system calls by also taking into account data flow: Restrictions on the dissemination of data, for instance, as stipulated by data protection regulations, of course relate not to just one file containing the data, but likely to all copies of that file as well. In order to enforce the dissemination restrictions on all copies of the sensitive data item, we introduce a data flow model that tracks how the content of a file flows through the system (files, network sockets, main memory). By using this model, the existence of potential copies of the data is reflected in the state of the data flow model. This allows us to enforce the dissemination restrictions by relating to the state rather than all sequences of events that possibly yield copies. Generalizing this idea, we describe how usage control policies can be expressed in a related state-based manner. Finally, we present an implementation of the data flow model and state-based policy enforcement as well as first encouraging performance measurements.
AB - Usage control generalizes access control to what happens to data in the future. We contribute to the enforcement of usage control requirements at the level of system calls by also taking into account data flow: Restrictions on the dissemination of data, for instance, as stipulated by data protection regulations, of course relate not to just one file containing the data, but likely to all copies of that file as well. In order to enforce the dissemination restrictions on all copies of the sensitive data item, we introduce a data flow model that tracks how the content of a file flows through the system (files, network sockets, main memory). By using this model, the existence of potential copies of the data is reflected in the state of the data flow model. This allows us to enforce the dissemination restrictions by relating to the state rather than all sequences of events that possibly yield copies. Generalizing this idea, we describe how usage control policies can be expressed in a related state-based manner. Finally, we present an implementation of the data flow model and state-based policy enforcement as well as first encouraging performance measurements.
UR - http://www.scopus.com/inward/record.url?scp=72849109064&partnerID=8YFLogxK
U2 - 10.1109/NSS.2009.51
DO - 10.1109/NSS.2009.51
M3 - Conference contribution
AN - SCOPUS:72849109064
SN - 9780769538389
T3 - NSS 2009 - Network and System Security
SP - 373
EP - 380
BT - NSS 2009 - Network and System Security
T2 - 2009 3rd International Conference on Network and System Security, NSS 2009
Y2 - 19 October 2009 through 21 October 2009
ER -