A Security Domain Model for Implementing Trusted Subject Behaviors

Abstract

Within a multilevel secure (MLS) system, trusted subjects are granted privileges to perform operations that are not possible for ordinary subjects controlled by mandatory access control (MAC) policy enforcement mechanisms. These subjects are trusted not to conduct malicious activity or degrade system security. The authors present a formal definition of trusted subject behaviors that depends upon a representation of the information flows and control dependencies generated during a program execution. They describe a security Domain Model (DM), designed in the Alloy specification language, for conducting static analysis of programs to identify illicit information flows, access control flaws, and covert channel vulnerabilities. The DM is compiled from a representation of a target program, written in an intermediate Implementation Modeling Language (IML), and a specification of the security policy written in Alloy. The Alloy Analyzer tool is used to perform static analysis of the DM to detect potential security policy violations in the target program. In particular, since the operating system upon which a trusted subject runs has limited ability to control its actions, static analysis of trusted subject operations can contribute to the security of the system.

Document Details

Document Type
Technical Report
Publication Date
Sep 01, 2008
Accession Number
ADA512133

Entities

People

  • Alan Shaffer
  • Cynthia E. Irvine
  • Mikhail I. Auguston
  • Timothy E. Levin

Organizations

  • Naval Postgraduate School

Tags

DTIC Thesaurus Topics

  • Analyzers
  • Computer Access Control
  • Computer Programming
  • Computer Science
  • Computers
  • Computing System Architectures
  • Database Management Systems
  • Filters
  • High Level Languages
  • Information Processing
  • Language
  • Mathematical Analysis
  • Multiple Access
  • Operating Systems
  • Programming Languages
  • Security
  • Specifications

Fields of Study

  • Computer science

Readers

  • Artificial Intelligence
  • Cybersecurity
  • Library and Information Science