The Community for Technology Leaders
Pacific Rim International Symposium on Dependable Computing, IEEE (2002)
Tsukuba, Japan
Dec. 16, 2002 to Dec. 18, 2002
ISBN: 0-7695-1852-4
pp: 167
Yasushi Shinjo , University of Tsukuba
Kotaro Eiraku , University of Tsukuba
Atsushi Suzuki , University of Tsukuba
Kozo Itano , University of Tsukuba
Calton Pu , Georgia Institute of Technology
To install security modules o reference monitors into operating system kernels is a common and effective way fo enhancing access control for networks. However, security modules in conventional kernel-level reference monitors are usually not portable to other kernels and require detailed knowledge about kernel internals .Furthermore, different security modules are often not composable and conflict with each other. This paper describes a reference monitor called SysGuard that addresses these problems. SysGuard uses modules called guards that are invoked before or after the execution of system calls. Unlike kernel-specific security modules, guards are attached to standard system calls that enhance their portability.The guard scoping on a per-process basis improves composability of individual guards, and it is implemented efficiently by using per-process jump table of system calls. This paper describes the implementation of restricted execution environments for networks by composing simple and portable guards, and shows the advantages of the SysGuard security framework.

A. Suzuki, K. Itano, Y. Shinjo, C. Pu and K. Eiraku, "Enhancing Access Control with SysGuard, Reference Monitor Supporting Portable and Composable Kernel Module," Pacific Rim International Symposium on Dependable Computing, IEEE(PRDC), Tsukuba, Japan, 2002, pp. 167.
89 ms
(Ver 3.3 (11022016))