Access Control in Operating Systems
Access control mechanisms (ACMs) have been widely used by operating systems (OSes) to protect information security. However, it is often challenging to evaluate and compare the quality of protection (QoP) of ACMs, especially when they are deployed on different OS platforms. This article presents an approach to quantitatively measure and compare the quality of ACMs, which provides useful information to support OS administrators and users to choose ACMs that fit with their security needs.
We introduce the notion of vulnerability profiles to capture the weakness of ACMs in protecting against malicious attacks, based on which vulnerability coefficients are computed as the numeric and platform-independent measurement of the QoP of ACMs. The approach combines the grey system theory and an independent vulnerability scoring system to infer complete vulnerability profiles and to calculate fair and objective vulnerability coefficients for ACMs. We implement a prototype called ACVAL based on the approach, and apply it to four mainstream ACMs. The results show that ACVAL is effective in evaluating and comparing ACMs across different OSes, a feature particularly useful to administrators of heterogeneous IT systems. To the best of our knowledge, our approach is the first to quantitative measurement and comparison of ACMs across OSes.
- Security measurement;
- Vulnerability profile;
- Attack surface;
- Access control;
- Operating system;
- Logic programming
Copyright © 2014 Elsevier Ltd. All rights reserved.
Dr. Liang Cheng received his PhD in Information Security at the University of Science and Technology of China in 2009. His PhD focused on the verification of access control in secure operating systems. He contributed to several NFSC programs for verification of access control policies and the evaluation of their quality of protection. He is now Associate Professor at the Institute of Software, Chinese Academy of Sciences. Since 2010, he has been working on flaw detection and assessment of access control configurations and program codes in IT systems.