The cake is a lie: Privilege rings as a policy resource

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2009, Pages 33-37

  Bratus, Sergey ^a   Johnson, Peter C ^a   Ramaswamy, Ashwin ^a   Smith, Sean W ^a   Locasto, Michael E ^b  

^a Dartmouth Department of Computer Science_Dartmouth College   (United States)

^b George Mason University   (United States)

Author keywords

Vertical isolation; X86 segmentation

Indexed keywords

COMMODITY SYSTEMS; DESCRIPTORS; KERNEL COMPONENTS; LEVEL PROCESS; MICRO KERNEL; PRACTICAL SOLUTIONS; SINGLE COMPONENTS; VERTICAL ISOLATION; VIRTUALIZATIONS;

NETWORK SECURITY;

COMPUTER HARDWARE;

EID: 74049099686     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1655148.1655154     Document Type: Conference Paper

References (25)

1. The Descriptor - A Definition of the B 5000 Information Processing System. Burroughs Corporation, 1961.
2. B. N. Bershad, S. Savage, E. G. Sirer, M. Fiuczynski, D. Becker, S. Eggers, and C. Chambers. Extensibility, safety and performance in the SPIN operating system. In SOSP '95, pages 267-284, 1995.
3. D. Brumley and D. Song. Privtrans: automatically partitioning programs for privilege separation. In USENIX Security '04, pages 5-5, Berkeley, CA, USA, 2004. USENIX Association.
4. G. W. Cox, W. M. Corwin, K. K. Lai, and F. J. Pollack. A unified model and implementation for interprocess communication in a multiprocessor environment. SIGOPS Oper. Syst. Rev., 15(5):125-126, 1981.
5. D. E. Denning. A lattice model of secure information flow. Commun. ACM, 19(5):236-243, 1976.
6. D. R. Engler, M. F. Kaashoek, and J. OâǍŹtoole. Exokernel: An Operating System Architecture for Application-Level Resource Management. In SOSP '95, pages 251-266, 1995.
7. B. Ford and R. Cox. Vx32: lightweight user-level sandboxing on the x86. In USENIX ATC '08, pages 293-306, Berkeley, CA, USA, 2008. USENIX Association.
8. S. Hand, A. Warfield, K. Fraser, E. Kotsovinos, and D. Magenheimer. Are Virtual Machine Monitors Microkernels Done Right? In HOTOS '05, June 2005.
9. P. A. Karger and D. R. Safford. Security and Performance Trade-Offs in I/O Operations for Virtual Machine Monitors. In IBM Research Technical Report RC24500 (W0802-069), February 2008.
10. D. Kilpatrick. Privman: A Library for Partitioning Applications. In USENIX Technical Conference, FREENIX Track, Berkeley, CA, USA, 2003. USENIX Association.
11. S. Microsystems. Consolidating applications with Solaris containers. 2004.
12. D. A. Moon. Architecture of the Symbolics 3600. SIGARCH Comput. Archit. News, 13(3):76-83, 1985.
13. S. Osman, D. Subhraveti, G. Su, and J. Nieh. The Design and Implementation of Zap: A System for Migrating Computing Environments. In OSDI '02, pages 361-376, Boston, MA, Dec. 2002.
14. T. Roscoe, K. Elphinstone, and G. Heiser. Hype and Virtue. In HOTOS '07, May 2007.
15. J. S. Shapiro, J. M. Smith, and D. J. Farber. EROS: a Fast Capability System. In SOSP '99: Proceedings of the Seventeenth ACM Symposium on Operating Systems Principles, pages 170-185, New York, NY, USA, 1999. ACM.
16. H. Shrobe, T. Knight, and A. de Hon. TIARA: Trust Management, Intrusion-tolerance, Accountability, and Reconstitution Architecture. Technical Report MIT-CSAIL-TR-2007-028, MIT, May 2007.
17. S. Soltesz, H. P̈otzl, M. E. Fiuczynski, A. Bavier, and L. Peterson. Container-based operating system virtualization: a scalable, high-performance alternative to hypervisors. SIGOPS Oper. Syst. Rev., 41(3):275-287, 2007.
18. M. M. Swift. Improving the Reliability of Commodity Operating Systems, 2005.
19. M. M. Swift, M. Annamalai, B. N. Bershad, and H. M. Levy. Recovering device drivers. ACM Trans. Comput. Syst., 24(4):333-360, 2006.
20. M. M. Swift, B. N. Bershad, and H. M. Levy. Improving the reliability of commodity operating systems. ACM Trans. Comput. Syst., 23(1):77-110, 2005.
21. S. Vandebogart, P. Efstathopoulos, E. Kohler, M. Krohn, C. Frey, D. Ziegler, F. Kaashoek, R. Morris, and D. Mazìeres. Labels and event processes in the Asbestos operating system. ACM Trans. Comput. Syst., 25(4):11, 2007.
22. E. Witchel, J. Cates, and K. Asanovic. Mondrian memory protection. In ASPLOS-X: 2002, volume 37, New York, NY, USA, 2002. ACM Press.
23. E. Witchel, J. Rhee, and K. Asanović. Mondrix: memory isolation for linux using mondriaan memory protection. SIGOPS Oper. Syst. Rev., 39(5):31-44, 2005.
24. N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazìeres. Making information flow explicit in HiStar. In OSDI '06, Berkeley, CA, USA, 2006. USENIX Association.
25. N. Zeldovich, H. Kannan, M. Dalton, and C. Kozyrakis. Hardware Enforcement of Application Security Policies Using Tagged Memory. In OSDI '08, Berkeley, CA, USA, 2008. USENIX Association.