Source:
Information Security Conference, Pisa, Italy (2009)
Abstract:
Applications typically rely on the operating system to enforce access control policies such as MAC, DAC, or other policies. However, in the face of a compromised operating system, such protection mechanisms may be ineffective. Since security-sensitive applications are most motivated to maintain access control to their secret or sensitive information, and have no control over the operating system, it is desirable to provide mechanisms to enable applications to protect information with application-specific policies, in spite of a compromised operating system. In this paper, we enable application-level access control and information sharing with direct hardware support and protection, bypassing the dependency on the operating system. We analyze an originator-controlled information sharing policy (ORCON), where the content creator specifies who has access to the file created and maintains this control after the file has been distributed. We show that this policy can be enforced by the software-hardware mechanisms provided by the Secret Protection (SP) architecture, where a Trusted Software Module (TSM) is directly protected by SP's hardware features. We develop a proof-of-concept text editor application which contains such a TSM. This TSM can implement many different policies, not just the originator-controlled policy that we have defined. We also propose a general methodology for trust-partitioning an application into security-critical and non-critical parts.
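As an added illustration (not code from the paper or its SP/TSM implementation), a Python model of the ORCON check a TSM could perform: the originator's reader list is bound to the encrypted content under a key only the TSM holds (standing in for SP's hardware-protected secret), so the untrusted OS can neither read the file nor edit the policy, and only the originator can change who may read it after distribution. The container format, key derivation and toy cipher are assumptions made for the example.

```python
import hmac, hashlib, json

# Constructed placeholder: the secret that SP hardware would keep out of the OS's reach.
TSM_MASTER_KEY = b"\x11" * 32

def _key(label: str, context: str) -> bytes:
    # Per-file subkeys derived from the master key (assumed design, not the paper's)
    return hmac.new(TSM_MASTER_KEY, f"{label}:{context}".encode(), hashlib.sha256).digest()

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode); a real TSM would use an AEAD such as AES-GCM
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(file_id: str, originator: str, readers: list, plaintext: bytes, version: int = 1) -> dict:
    """Originator side: bind the policy to the content so neither can be altered outside the TSM."""
    policy = {"file_id": file_id, "originator": originator,
              "readers": sorted(readers), "version": version}
    pol_bytes = json.dumps(policy, sort_keys=True).encode()
    ct = _xor_stream(_key("enc", f"{file_id}:{version}"), plaintext)
    tag = hmac.new(_key("mac", file_id), pol_bytes + ct, hashlib.sha256).hexdigest()
    return {"policy": policy, "ciphertext": ct.hex(), "tag": tag}

def open_file(container: dict, requester: str) -> bytes:
    """Reader side, inside the TSM: verify integrity first, then enforce the originator's policy."""
    policy = container["policy"]
    pol_bytes = json.dumps(policy, sort_keys=True).encode()
    ct = bytes.fromhex(container["ciphertext"])
    expected = hmac.new(_key("mac", policy["file_id"]), pol_bytes + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, container["tag"]):
        raise PermissionError("policy or content was modified outside the TSM")
    if requester != policy["originator"] and requester not in policy["readers"]:
        raise PermissionError(f"{requester} is not authorised by the originator")
    return _xor_stream(_key("enc", f"{policy['file_id']}:{policy['version']}"), ct)

def update_readers(container: dict, requester: str, readers: list) -> dict:
    """Only the originator may change the reader list, even after the file has been distributed."""
    p = container["policy"]
    if requester != p["originator"]:
        raise PermissionError("only the originator controls the policy")
    plaintext = open_file(container, requester)
    return seal(p["file_id"], p["originator"], readers, plaintext, p["version"] + 1)
```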