Dynamic Mandatory Access Control For Multiple Stakeholders

In this paper, we present a mandatory access control system that uses input from multiple stakeholders to compose policies based on runtime information. In the emerging open cell phone system environment, many devices run software whose access permissions depends on multiple stakeholders, such as the device owner, the service provider, the application owner, etc., rather than a single system administrator. However, current access control administration remains as either discretionary, allowing the running and perhaps compromised process to administer permissions, or mandatory, requiring a system administrator to know all permissions for all possible legal runs. A key problem is that users may download arbitrary programs to their devices, requiring that the system contain such programs while allowing some reasonable functionality. However, such programs may need access to permissions that in combination with other conflicting permissions may lead to an attack, such as allowing voice-over-IP calls. In our approach, we use a "soft" sand-boxing mechanism to first contain such processes, request the stakeholder to authorize operations outside the sandbox that are not prohibited by policy, and maintain a runtime execution role for the process to identify its access state to the stakeholders. We define a proxy policy server that caches and combines stakeholder policies to make such access decisions. Our framework was implemented by modifying the SELinux module and using a remote proxy policy server, although a local proxy policy server is also possible. We incur a 0.288 mu s performance overhead only when stakeholders need to be consulted, and new permissions axe cached.