Architectural design for a secure Linux operating system
- Resource Type
- Authors
- Jayaraj Poroor; Hari Narayanan; Shiju-Sathyadevan; Vivek Radhakrishnan
- Source
- 2017 International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET).
- Subject
- 021110 strategic, defence & security studies
Software_OPERATINGSYSTEMS
Exploit
Computer science
05 social sciences
Principle of least privilege
0211 other engineering and technologies
Process (computing)
Vulnerability
Authorization
02 engineering and technology
computer.software_genre
Blocking (computing)
Sandbox (computer security)
0502 economics and business
Ticket
Operating system
Daemon
computer
050203 business & management
- Language
Operating system security is a hot research area for the past several decades. Various security mechanisms have been introduced till now to secure the operating system. In this paper we are focusing on securing Linux operating system. Even though Linux is open source and large numbers of people are involved in developing kernel patches for security holes, there are still many malwares to exploit the existing vulnerabilities. Using our architecture we are trying to minimize the damage done by the malwares if not blocking them altogether. Our architecture is designed to ensure the principle of least privilege. Principle of least privilege guarantees that a process will get the privileges just enough to perform its task. This ensures that even if the process is compromised it can do the least damage to the system as it is running in a sandbox. Major chunk of our system is running in the user level to make it portable across the distributions. Our system uses a specially structured security ticket to provide fine grained authorization to user processes which is not currently possible in the traditional linux architecture. The security ticket is designed in such a way that it can be inherited by a child process, can be shared and is unforgeable. The core module in the system is called Secd (Secure Daemon) which authorizes all the requests and also manages the security tickets.