Confining Root Programs with Domain and Type Enforcement (DTE)
Kenneth M. Walker, Daniel F. Sterne, M. Lee Badger, Michael J. Petkac, David
L. Shermann, and Karen A. Oostendorp
Abstract
The pervasive use of the root privilege is a central problem for UNIX
security because an attacker who subverts a single root program gains
complete control over a computing system. Domain and type enforcement
(DTE) is a strong, configurable operating system access control
technology that can minimize the damage root programs can cause if
subverted. DTE does this by preventing groups of root programs from
accessing critical files in inappropriate access modes. This paper
illustrates how a DTE-enhanced UNIX prototype, driven by simple,
machine-interpretable DTE policies, can provide strong protection
against specific classes of attacks by malicious programs that gain
root privilege. We present a sequence of policy components that
protect system binaries against Rootkit, a widely used hacker toolkit,
and protect password, system log, user, and device special files
against other root-based attacks. Tradeoffs among DTE policy
complexity, scope of protection, and other factors are discussed.
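
The mechanism the abstract describes, as an added Python sketch that is not taken from the paper or its prototype: files get a type, processes run in a domain, and access is decided by the domain's rights on the type, with no exception for uid 0. The domain names, type names, path prefixes and rights table are hypothetical, and only the DTE check is modelled (ordinary UNIX permission checks are left out).

```python
# Simplified model of domain and type enforcement (added illustration).
# All domain, type and path names are hypothetical, not the paper's policy.

# Types are assigned to files by the longest matching path prefix.
TYPE_BY_PREFIX = {
    "/": "generic_t",
    "/bin": "sysbin_t",
    "/etc/passwd": "passwd_t",
    "/var/log": "syslog_t",
    "/tmp": "scratch_t",
}

# Access modes each domain holds per type: r = read, w = write, x = execute.
# A type that is not listed for a domain is denied entirely.
DOMAIN_RIGHTS = {
    "daemon_d": {"generic_t": "r", "sysbin_t": "rx", "passwd_t": "r",
                 "scratch_t": "rw"},
    "admin_d": {"generic_t": "rw", "sysbin_t": "rwx", "passwd_t": "rw",
                "syslog_t": "r", "scratch_t": "rw"},
}

def type_of(path):
    """Return the type attached to the longest prefix that covers `path`."""
    best = "/"
    for prefix in TYPE_BY_PREFIX:
        covers = path == prefix or path.startswith(prefix.rstrip("/") + "/")
        if covers and len(prefix) > len(best):
            best = prefix
    return TYPE_BY_PREFIX[best]

def allowed(uid, domain, path, mode):
    """DTE check only: the domain must hold every requested mode on the type.
    `uid` is accepted but never consulted, so root gets no override."""
    rights = DOMAIN_RIGHTS.get(domain, {}).get(type_of(path), "")
    return all(m in rights for m in mode)

def audit(uid, domain, requests):
    """Return the (path, mode) requests that the policy denies."""
    return [(p, m) for p, m in requests if not allowed(uid, domain, p, m)]

# Constructed sample: file accesses requested by a uid-0 process in daemon_d.
REQUESTS = [("/bin/login", "w"), ("/bin/ls", "rx"), ("/etc/passwd", "w"),
            ("/var/log/messages", "w"), ("/tmp/work", "rw")]

if __name__ == "__main__":
    for path, mode in audit(0, "daemon_d", REQUESTS):
        print("denied:", path, mode)
```

In this model the same write to `/bin/login` succeeds from `admin_d` and fails from `daemon_d`, although both callers are uid 0.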