
The Research And Implementation Of User Privilege Minimization In Operating System

Posted on: 2009-11-23
Degree: Master
Type: Thesis
Country: China
Candidate: X W Xie
Full Text: PDF
GTID: 2178360242499022
Subject: Computer Science and Technology
Abstract/Summary:
Privilege management in traditional operating systems is based on user identity. This is a major source of damage to the system: a superuser holding the administrative identity can perform any harmful operation. The principle of least privilege requires that each program and every privileged user of the system operate with the least amount of privilege necessary to complete the job. If this principle is followed, the operations of legitimate users are effectively constrained, and the damage done by malware is reduced to a minimum. Based on a thorough analysis of traditional security enhancement mechanisms, including the principle of least privilege and access control mechanisms, this paper presents the User Privilege Minimization technique to control and restrict the privileged operations of processes.

Concretely, the paper designs a user privilege minimization model based on an access control framework that combines the RBAC model with the capability mechanism. In the model, a logged-in user holds no capability by default, enforced through role-based authorization control. When an operation of the user or of an application requires a privilege, the privilege is obtained by proper promotion; furthermore, it is available only once and is discarded as soon as the operation finishes. The paper classifies the privileges of each operation in the system following the POSIX 1003.1e standard and determines the least privileges required by each operation. Further, by introducing the concept of the process capability state, we characterize the privileged-operation behaviour of each process. When a user process calls for a privileged operation, a privilege state change event for that process is triggered.

In our model, whether the capability of the process matches is checked first, and then the result of user authentication decides whether the privilege of the process is promoted and its state migrated. When the event is over, the process state is restored to the previous unprivileged one and the promoted privilege is removed. To eliminate the ambiguity and subjectivity of an informal specification, the model is given a formalized description and definition, which helps to discover flaws in the system design. In summary, our model provides an effective mechanism for the dynamic adjustment and flexible management of each process's privilege minimization in the system.

Based on the model, a general access control framework for user privilege minimization is designed for user permission control. Privilege promotion requests from the capability checkpoints are queued by a kernel thread, which communicates and cooperates with a daemon in user space to carry out the interaction with the user. In the implementation of the model on the Kylin system, a device file is set up to carry requests and responses between kernel and user space. The ACL check algorithm is also improved to reduce the frequency of unnecessary promotions. The framework is protected by a TE policy. The model resolves the problem of user privilege minimization effectively and presents a more secure and more convenient environment to users.
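The process capability state machine described above, written out as an added illustration (not code from the thesis or the Kylin implementation): a process starts with an empty effective set, a privilege request is first checked against the capability it already holds, then against the role's promotable set, then against user authentication, and the promoted capability is dropped again when the operation finishes. The role policy and the boolean standing in for the user-space daemon's authentication answer are assumptions; the capability numbers are Linux's POSIX 1003.1e-derived values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Linux capability numbers (the POSIX 1003.1e draft capabilities). */
#define CAP_CHOWN            0
#define CAP_NET_BIND_SERVICE 10
#define CAP_SYS_ADMIN        21
#define CAP_BIT(c) ((uint64_t)1 << (c))

enum cap_state { STATE_UNPRIVILEGED, STATE_PROMOTED };
enum verdict { GRANTED, DENIED_BY_ROLE, DENIED_BY_AUTH, NO_PROMOTION_NEEDED };

/* Process capability state: the effective set stays empty until a promotion. */
struct proc_caps {
    enum cap_state state;
    uint64_t effective;   /* a logged-in user holds nothing by default */
    int promoted_cap;     /* capability granted for the current operation, or -1 */
};

/* Hypothetical role policy: the capabilities each role may be promoted into. */
struct role_policy { const char *name; uint64_t promotable; };
static const struct role_policy roles[] = {
    { "user",  0 },  /* ordinary user: never promoted */
    { "admin", CAP_BIT(CAP_CHOWN) | CAP_BIT(CAP_SYS_ADMIN) },
    { "netop", CAP_BIT(CAP_NET_BIND_SERVICE) },
};
static uint64_t promotable_for(const char *role) {
    for (size_t i = 0; i < sizeof roles / sizeof roles[0]; i++)
        if (strcmp(roles[i].name, role) == 0) return roles[i].promotable;
    return 0;  /* unknown role: may be promoted into nothing */
}

/* Privilege state change event: one capability requested for one operation;
 * authenticated stands in for the answer the user-space daemon returns. */
enum verdict request_privilege(struct proc_caps *p, const char *role, int cap, bool authenticated) {
    if (p->effective & CAP_BIT(cap)) return NO_PROMOTION_NEEDED;      /* capability match check */
    if (!(promotable_for(role) & CAP_BIT(cap))) return DENIED_BY_ROLE;  /* role authorization */
    if (!authenticated) return DENIED_BY_AUTH;                          /* user authentication */
    p->effective |= CAP_BIT(cap);                                       /* promote, migrate state */
    p->promoted_cap = cap;
    p->state = STATE_PROMOTED;
    return GRANTED;
}

/* The operation is over: discard the one-time privilege and restore the unprivileged state. */
void finish_operation(struct proc_caps *p) {
    if (p->state != STATE_PROMOTED) return;
    p->effective &= ~CAP_BIT(p->promoted_cap);
    p->promoted_cap = -1;
    p->state = STATE_UNPRIVILEGED;
}
```

Because the promotion is discarded in finish_operation, a second privileged operation by the same process must go through the whole check and authentication path again, which is the one-time property the model requires.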
Keywords/Search Tags: user privilege minimization, least privilege, privilege promotion, RBAC, POSIX capability, process capability state