Abstract
Existing non-discretionary access control systems (such as Security
Enhanced Linux) are difficult to use by ordinary users. We identify
several principles for designing usable access control systems and
introduce the Host Integrity Protection Policy (HIPP) model that
adds usable non-discretionary access control to operating systems.
The HIPP model is designed to defend against attacks targeting
network server and client programs and to protect the system from
careless mistakes users might make. It aims not to break existing
applications or existing ways of using and administering systems.
HIPP has several novel features to achieve these goals. For example,
it supports several types of partially trusted programs, which
accommodate common system administration practices. Furthermore, rather than
requiring file labeling, it uses information in the existing
discretionary access control mechanism for non-discretionary access
control. We also discuss our implementation of the HIPP model for
Linux using the Linux Security Modules framework, as well as our
evaluation results.
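As an added illustration of the approach summarised above (this is not the paper's own code or its actual policy), the Python sketch below derives a file's integrity from the owner and permission bits that discretionary access control already records, demotes a process once it consumes untrusted input, and lets a partially trusted program keep a fixed set of write exemptions. The concrete rules, class names and sample paths are assumptions made for illustration.

```python
import stat
from dataclasses import dataclass

HIGH, LOW = "high", "low"

@dataclass
class FileInfo:
    path: str
    uid: int    # owner uid taken from the DAC metadata (0 = root)
    mode: int   # permission bits taken from the DAC metadata

def file_integrity(f: FileInfo) -> str:
    # Assumed rule: root-owned and not group/world-writable => high integrity;
    # everything else is treated as low integrity. No extra label is needed.
    if f.uid == 0 and not f.mode & (stat.S_IWGRP | stat.S_IWOTH):
        return HIGH
    return LOW

@dataclass
class Process:
    name: str
    integrity: str = HIGH
    # Partially trusted program (assumed): paths still writable after demotion.
    exempt_writes: frozenset = frozenset()

def on_untrusted_input(p: Process) -> None:
    # Assumed rule: consuming network input or low-integrity data demotes the process for good.
    p.integrity = LOW

def may_write(p: Process, f: FileInfo) -> bool:
    if p.integrity == HIGH or file_integrity(f) == LOW:
        return True
    return f.path in p.exempt_writes   # low-integrity process, high file

# Constructed sample files (owner uid and mode bits as a DAC system stores them).
PASSWD = FileInfo("/etc/passwd", 0, 0o644)
TMPFILE = FileInfo("/tmp/upload.dat", 1000, 0o666)
WEBROOT = FileInfo("/var/www/index.html", 0, 0o644)

def demo() -> dict:
    browser = Process("browser")
    on_untrusted_input(browser)      # it reads from the network
    updater = Process("site-updater", exempt_writes=frozenset({WEBROOT.path}))
    on_untrusted_input(updater)      # it also reads from the network
    return {
        "browser_passwd": may_write(browser, PASSWD),    # False
        "browser_tmp": may_write(browser, TMPFILE),      # True
        "updater_webroot": may_write(updater, WEBROOT),  # True: exempt path
        "updater_passwd": may_write(updater, PASSWD),    # False: not exempt
    }
```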