• DocumentCode
    2235346
  • Title
    A Dynamically Modified Privilege Control Policy
  • Author
    Qing, Sihan ; Shen, Qingni ; Ji, Qingguang ; He, Yeping
  • Author_Institution
    Inst. of Software, Chinese Acad. of Sci., Beijing
  • fYear
    2006
  • fDate
    21-23 June 2006
  • Firstpage
    340
  • Lastpage
    347
  • Abstract
    Trusted systems typically include trusted processes which possess special privileges. Such privileges can circumvent certain security checks but should be used in a controlled manner. This paper proposes a privilege control policy called DMPC (dynamically modified privilege control). It has two components: a hybrid privilege control model and a new POSIX (portable operating system interface) capability inheritance algorithm. The privilege control model in DMPC is a combination of role based access control (RBAC), domain and type enforcement (DTE) and the POSIX capability mechanism, while the capability inheritance algorithm serves as an engine to effectively enforce the hybrid privilege control model on a secure operating system. The DMPC design gives high priority to supporting least privilege at a finer level of granularity on trusted systems. Additional (sub-) goals for the DMPC policy are: realizing separation of duties among privileged users, achieving separation of trusted functions from untrusted ones and providing a flexible and dynamically mediated capability mechanism. We show that RBAC alone is insufficient to enforce the principle of least privilege in a dynamic context, and that DTE and the POSIX capability mechanism can successfully be combined with RBAC for this purpose. We also describe an implementation of the DMPC policy on a real system and report on experimental results.
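    The abstract names the three ingredients (RBAC, DTE and POSIX capabilities) but does not state DMPC's inheritance rule. The following Python is an added illustration by the editor, not the paper's algorithm or code: it models the standard exec-time POSIX capability transformation as documented in Linux capabilities(7), then bounds the result by a DTE-style domain chosen from the executable's type. The capability bit values, the role table, the exec-type-to-domain table and the domain bounding step are all the editor's assumptions, constructed to show why a static role grant alone does not narrow privilege when a process transitions into a different program.

```python
"""Toy model: POSIX capability inheritance on exec, bounded by a DTE-style domain.

Added example, not code or the algorithm from the DMPC paper. The exec-time rule in
posix_exec_caps() is the one documented in Linux capabilities(7); everything else
(role table, domain table, bounding) is an assumption made for illustration.
"""
from dataclasses import dataclass

# Constructed capability bits. Names follow Linux; the bit positions are arbitrary.
CAP_CHOWN = 1 << 0
CAP_NET_BIND_SERVICE = 1 << 1
CAP_SYS_ADMIN = 1 << 2
CAP_KILL = 1 << 3
ALL_CAPS = CAP_CHOWN | CAP_NET_BIND_SERVICE | CAP_SYS_ADMIN | CAP_KILL


@dataclass(frozen=True)
class ProcCaps:
    permitted: int
    effective: int
    inheritable: int
    bounding: int = ALL_CAPS
    ambient: int = 0

    def masked(self, mask: int) -> "ProcCaps":
        """Intersect every set with a mask (used for role and domain bounding)."""
        return ProcCaps(self.permitted & mask, self.effective & mask,
                        self.inheritable & mask, self.bounding & mask,
                        self.ambient & mask)


@dataclass(frozen=True)
class FileCaps:
    permitted: int = 0
    inheritable: int = 0
    effective: bool = False  # the file's "effective" flag


def posix_exec_caps(p: ProcCaps, f: FileCaps) -> ProcCaps:
    """Standard exec-time transformation from capabilities(7).

    P'(ambient)     = 0 if the file carries capabilities, else P(ambient)
    P'(permitted)   = (P(inh) & F(inh)) | (F(perm) & P(bounding)) | P'(ambient)
    P'(effective)   = P'(permitted) if F(effective) else P'(ambient)
    P'(inheritable) = P(inheritable);  P'(bounding) = P(bounding)
    """
    file_privileged = bool(f.permitted or f.inheritable)
    ambient = 0 if file_privileged else p.ambient
    permitted = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | ambient
    effective = permitted if f.effective else ambient
    return ProcCaps(permitted, effective, p.inheritable, p.bounding, ambient)


# Assumed RBAC layer: a role fixes the most a subject may ever hold.
ROLE_CAPS = {
    "sysadmin": CAP_SYS_ADMIN | CAP_CHOWN | CAP_NET_BIND_SERVICE,
    "netop": CAP_NET_BIND_SERVICE,
}

# Assumed DTE layer: the executable's type selects the entry domain, and each
# domain bounds what a process running in it may hold, whatever its role.
EXEC_TYPE_TO_DOMAIN = {"httpd_exec_t": "httpd_d", "admin_exec_t": "admin_d"}
DOMAIN_CAP_BOUND = {"httpd_d": CAP_NET_BIND_SERVICE, "admin_d": ALL_CAPS}


def rbac_only_exec(p: ProcCaps, f: FileCaps, role: str) -> ProcCaps:
    """Role bounding only: static grant, then the POSIX rule. Nothing here
    depends on which program is being executed."""
    return posix_exec_caps(p.masked(ROLE_CAPS[role]), f)


def dte_bounded_exec(p: ProcCaps, f: FileCaps, role: str, exec_type: str):
    """Role bounding, POSIX rule, then domain bounding keyed on the target
    executable's type. Returns (entry_domain, resulting caps)."""
    domain = EXEC_TYPE_TO_DOMAIN[exec_type]
    return domain, rbac_only_exec(p, f, role).masked(DOMAIN_CAP_BOUND[domain])


# Constructed scenario: a sysadmin shell holding its full role set executes a
# web server binary whose file capabilities were set too broadly.
ADMIN_SHELL = ProcCaps(permitted=ROLE_CAPS["sysadmin"], effective=ROLE_CAPS["sysadmin"],
                       inheritable=ROLE_CAPS["sysadmin"])
HTTPD_FILE = FileCaps(permitted=CAP_NET_BIND_SERVICE | CAP_SYS_ADMIN | CAP_KILL,
                      effective=True)

if __name__ == "__main__":
    print("RBAC only :", bin(rbac_only_exec(ADMIN_SHELL, HTTPD_FILE, "sysadmin").effective))
    print("RBAC + DTE:", dte_bounded_exec(ADMIN_SHELL, HTTPD_FILE, "sysadmin", "httpd_exec_t"))
```

    With only the role as a bound, the web server starts with CAP_SYS_ADMIN effective because the role permits it and the file capabilities request it; the domain bound tied to the executable's type is what strips it down to CAP_NET_BIND_SERVICE, which is the kind of dynamic narrowing the abstract argues a static role grant cannot supply on its own.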
  • Keywords
    Unix; application program interfaces; authorisation; dynamically modified privilege control policy; portable operating system interface; role based access control; security checks; trusted systems; Access control; Availability; Computer security; Control systems; Electronic mail; Engines; Helium; Linux; Operating systems; Process control;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Assurance Workshop, 2006 IEEE
  • Conference_Location
    West Point, NY
  • Print_ISBN
    1-4244-0130-5
  • Type
    conf
  • DOI
    10.1109/IAW.2006.1652115
  • Filename
    1652115