References
Abedin, Muhammad, Nessa, Syeda, Khan, Latifur, Thuraisingham, Bhavani - Detection and Resolution of Anomalies in Firewall Policy Rules - 2006.
Summary/Abstract
A firewall is a system acting as an interface of a network to one or more external networks. It implements the security policy of the network by deciding which packets to let through based on rules defined by the network administrator. Any error in defining the rules may compromise the system security by letting unwanted traffic pass or blocking desired traffic. Manual definition of rules often results in a set that contains conflicting, redundant or overshadowed rules, resulting in anomalies in the policy. Manually detecting and resolving these anomalies is a critical but tedious and error prone task. Existing research on this problem have been focused on the analysis and detection of the anomalies in firewall policy. Previous works define the possible relations between rules and also define anomalies in terms of the relations and present algorithms to detect the anomalies by analyzing the rules. In this paper, we discuss some necessary modifications to the existing definitions of the relations. We present a new algorithm that will simultaneously detect and resolve any anomaly present in the policy rules by necessary reorder and split operations to generate a new anomaly free rule set. We also present proof of correctness of the algorithm. Then we present an algorithm to merge rules where possible in order to reduce the number of rules and hence increase efficiency of the firewall.
Sharaf, Husain, Ahmad, Imtiaz, Dimitriou, Tassos - Extended Berkeley Packet Filter: An Application Perspective - 2022.
Summary/Abstract
The extended Berkeley Packet Filter (eBPF) is a lightweight and fast 64-bit RISC-like virtual machine (VM) inside the Linux kernel. eBPF has emerged as the most promising and de facto standard of executing untrusted, user-defined specialized code at run-time inside the kernel with strong performance, portability, flexibility, and safety guarantees. Due to these key benefits and availability of a rich ecosystem of compilers and tools within the Linux kernel, eBPF has received widespread adoption by both industry and academia for a wide range of application domains. The most important include enhancing performance of monitoring tools and providing a variety of new security mechanisms, data collection tools and data screening applications. In this review, we investigate the landscape of existing eBPF use-cases and trends with aim to provide a clear roadmap for researchers and developers. We first introduce the necessary background knowledge for eBPF before delving into its applications. Although, the potential use-cases of eBPF are vast, we restrict our focus on four key application domains related to networking, security, storage, and sandboxing. Then for each application domain, we analyze and summarize solution techniques along with their working principles in an effort to provide an insightful discussion that will enable researchers and practitioners to easily adopt eBPF into their designs. Finally, we delineate several exciting research avenues to fully exploit the revolutionary eBPF technology.
Ferraiolo, David F., Sandhu, Ravi, Gavrila, Serban, Kuhn, D. Richard, Chandramouli, Ramaswamy - Proposed NIST standard for role-based access control - 2001.
Summary/Abstract
In this article we propose a standard for role-based access control (RBAC). Although RBAC models have received broad support as a generalized approach to access control, and are well recognized for their many advantages in performing large-scale authorization management, no single authoritative definition of RBAC exists today. This lack of a widely accepted model results in uncertainty and confusion about RBAC's utility and meaning. The standard proposed here seeks to resolve this situation by unifying ideas from a base of frequently referenced RBAC models, commercial products, and research prototypes. It is intended to serve as a foundation for product development, evaluation, and procurement specification. Although RBAC continues to evolve as users, researchers, and vendors gain experience with its application, we feel the features and components proposed in this standard represent a fundamental and stable set of mechanisms that may be enhanced by developers in further meeting the needs of their customers. As such, this document does not attempt to standardize RBAC features beyond those that have achieved acceptance in the commercial marketplace and research community, but instead focuses on defining a fundamental and stable set of RBAC components. This standard is organized into the RBAC Reference Model and the RBAC System and Administrative Functional Specification. The reference model defines the scope of features that comprise the standard and provides a consistent vocabulary in support of the specification. The RBAC System and Administrative Functional Specification defines functional requirements for administrative operations and queries for the creation, maintenance, and review of RBAC sets and relations, as well as for specifying system level functionality in support of session attribute management and an access control decision process.
Sandhu, Ravi S., Coyne, Edward J., Feinstein, Hal L., Youman, Charles E. - Role-Based Access Control Models - 1996.
Summary/Abstract
Security administration of large systems is complex, but it can be simplified by a role-based access control approach. This article explains why RBAC is receiving renewed attention as a method of security administration and review, describes a framework of four reference models developed to better understand RBAC and categorizes different implementations, and discusses the use of RBAC to manage itself.
Kuhn, D. Richard - Mutual Exclusion of Roles as a Means of Implementing Separation of Duty in Role-Based Access Control Systems - 1997.
Summary/Abstract
Role based access control (RBAC) is attracting increasing attention as a security mechanism for both commercial and many military systems. Much of RBAC is fundamentally different from multi-level security (MLS) systems, and the properties of RBAC systems have not been explored formally to the extent that MLS system properties have. This paper explores some aspects of mutual exclusion of roles as a means of implementing separation of duty policies, including a safety property for separation of duty; relationships between different types of exclusion rules; properties of mutual exclusion for roles; constraints on the role hierarchy introduced by mutual exclusion rules; and necessary and sufficient conditions for the safety property to hold. Results have implications for implementing separation of duty controls through mutual exclusion of roles, and for comparing mutual exclusion with other means of implementing separation of duty policies
Billoir, Eddie, Laborde, Romain, Wazan, Ahmad Samer, Rütschlé, Yves, Benzekri, Abdelmalek - Implementing the Principle of Least Privilege Using Linux Capabilities: Challenges and Perspectives - 2023.
Summary/Abstract
Historically and by default, Linux does not respect the principle of least privilege because it grants all the privileges to administrators to execute their tasks. With the new personal data protection or export control regulations, the principle of least privilege is mandatory and must be applied even for system administrators. The Linux operating system since version 2.2 divides the privileges associated with the superuser into distinct units called capabilities. Linux capabilities allow coarse-grained access control to restricted system features. The “RootAsRole†project is introduced as a solution for delegating administrative tasks while matching the necessary capabilities. However, limitations in user experience and the mapping of Linux capabilities pose significant obstacles. This paper proposes enhancements to achieving a balance between usability and the principle of least privilege, emphasizing the need for precise capability definitions. Future work involves enhancing the RootAsRole access control model and addressing the need for a comprehensive administration access control framework for managing Linux capabilities effectively.
Billoir, Eddie, Laborde, Romain, Wazan, Ahmad Samer, Rütschlé, Yves, Benzekri, Abdelmalek - Implementing the principle of least administrative privilege on operating systems: challenges and perspectives - 2024.
Summary/Abstract
With the new personal data protection or export control regulations, the principle of least privilege is mandatory and must be applied even for system administrators. This article explores the different approaches implemented by the main operating systems (namely Linux, Windows, FreeBSD, and Solaris) to control the privileges of system administrators in order to enforce the principle of least privilege. We define a set of requirements to manage these privileges properly, striving to balance adherence to the principle of least privilege and usability. We also present a deep analysis of each administrative privilege system based on these requirements and exhibit their benefits and limitations. This evaluation also covers the efficiency of the currently available solutions to assess the difficulty of performing administrative privileges management tasks. Following the results, the article presents the RootAsRole project, which aims to simplify Linux privilege management. We describe the new features introduced by the project and the difficulties we faced. This concrete experience allows us to highlight research challenges.
Wazan, Ahmad Samer, Chadwick, David W., Venant, Remi, Billoir, Eddie, Laborde, Romain, Ahmad, Liza, Kaiiali, Mustafa - RootAsRole: a security module to manage the administrative privileges for Linux - 2022.
Summary/Abstract
Today, Linux users use sudo/su commands to attribute Linux's administrative privileges to their programs. These commands always give the whole list of administrative privileges to Linux programs, unless there are pre-installed default policies defined by Linux Security Modules(LSM). LSM modules require users to inject the needed privileges into the memory of the process and to declare the needed privileges in an LSM policy. This approach can work for users who have good knowledge of the syntax of LSM modules’ policies. Adding or editing an existing policy is a very time-consuming process because LSM modules require adding a complete list of traditional permissions as well as administrative privileges. We propose a new Linux module called RootAsRole that is dedicated to the management of administrative privileges. RootAsRole is not proposed to replace LSM modules but to be used as a complementary module to manage Linux administrative privileges. RootAsRole allows Linux administrators to define a set of roles that contain the administrative privileges and restrict their usage to a set of users/groups and programs. Finally, we conduct an empirical performance study to compare RootAsRole tools with sudo/su commands to show that the overhead added by our module remains acceptable.
Wazan, Ahmad Samer, Chadwick, David W., Venant, Remi, Laborde, Romain, Benzekri, Abdelmalek - RootAsRole: Towards a Secure Alternative to sudo/su Commands for Home Users and SME Administrators - 2021.
Summary/Abstract
The typical way to run an administrative task on Linux is to execute it in the context of a super user. This breaks the principle of least privilege on access control. Other solutions, such as SELinux and AppArmor, are available but complex to use. In this paper, a new Linux module, named RootAsRole, is proposed to allow users to fine-grained control the privileges they grant to Linux commands as capabilities. It adopts a role-based access control (RBAC) [14], in which administrators can define a set of roles and the capabilities that are assigned to them. Administrators can then define the rules controlling what roles users or groups can assign to themselves. Each time a Linux user wants to execute a program that necessitates one or more capabilities, (s)he should assign the role to him/herself that contains the needed capabilities, providing there is a rule that allows it. A pilot implementation on Linux systems is illustrated in detail.
Billoir, Eddie - Orchestration et Application Du Principe Du Moindre Privilège Administratif Dans Les Systèmes Linux - 2025.
Summary/Abstract
The management of administrative privileges in modern operating systems suffers from a critical gap between the foundational Principle of Least Privilege (POLP) and its practical implementation. This thesis addresses this challenge by focusing specifically on administrative access, a domain we define as the Principle of Least Administrative Privilege (PoLAP). We argue that the persistent failure to enforce PoLAP stems not from a lack of security tools, but from a fragmented security landscape and the absence of a coherent orchestration methodology.To prove this thesis, we first conduct a comparative analysis of privilege models across modern operating systems, introducing a novel evaluation framework that separates developer and administrator concerns. We then present the primary contribution: RootAsRole (RaR), a new security framework for Linux that treats ''root as a role'' rather than a user to be impersonated. RaR acts as an orchestrator, unifying disparate mechanisms like POSIX ACLs and Linux Capabilities under a single, high-level policy. The framework provides an end-to-end workflow, which includes gensr, a tool for automated discovery of minimal permissions, and dosr, a high-performance, memory-safe enforcement engine for Just-in-Time (JIT) privilege elevation.The framework's efficacy is demonstrated through a real-world case study securing automated Infrastructure as Code (IaC) deployments with Ansible, where it successfully neutralizes a supply-chain attack and enables a verifiable, Zero-Trust organizational workflow. Performance evaluations confirm that the dosr enforcement engine significantly outperforms traditional tools like sudo, proving that fine-grained security can be achieved without sacrificing operational efficiency.Ultimately, this thesis provides a comprehensive, practical methodology that transforms PoLAP from an abstract ideal into an industrialized engineering practice, offering a new path forward for secure and auditable system administration.
Miller, Mark S, Yee, Ka-Ping, Shapiro, Jonathan - Capability Myths Demolished - 2003.
Summary/Abstract
We address three common misconceptions about capability-based systems: the Equivalence Myth (access control list systems and capability systems are formally equivalent), the Confinement Myth (capability systems cannot enforce confinement), and the Irrevocability Myth (capability-based access cannot be revoked). The Equivalence Myth obscures the benefits of capabilities as compared to access control lists, while the Confinement Myth and the Irrevocability Myth lead people to see problems with capabilities that do not actually exist.
IEEE and The Open Group - IEEE/Open Group Standard for Information Technology–Portable Operating System Interface (POSIX™) Base Specifications, Issue 8 - 2024.
Summary/Abstract
Section: 4
Security Working Group, sponsored by the Portable Applications Standards Committee of the IEEE Computer Society - Draft Standard for Information Technology— Portable Operating System Interface (POSIX)— Part 1: System Application Program Interface (API)— Amendment #: Protection, Audit and Control Interfaces [C Language] - 1997.
Summary/Abstract
IEEE Std 1003.1e is part of the POSIX series of standards. It defines security interfaces to open systems for access control lists, audit, separation of + privilege (capabilities), mandatory access control, and information label mechan- + isms. This standard is stated in terms of its C binding.
Lampson, Butler W. - Protection - 1974.
Summary/Abstract
Abstract models are given which reflect the properties of most existing mechanisms for enforcing protection or access control, together with some possible implementations. The properties of existing systems are explicated in terms of the model and implementations.
Sandhu, R.S., Samarati, P. - Access control: principle and practice - 1994.
Sandhu, Ravi S, Coyne, Edward J, Feinstein, Hal L, Youman, Charles E - Role-Based Access Control Models - 1995.
Summary/Abstract
This article introduces a family of reference models for rolebased access control (RBAC) in which permissions are associated with roles, and users are made members of appropriate roles. This greatly simplifes management of permissions. Roles are closely related to the concept of user groups in access control. However, a role brings together a set of users on one side and a set of permissions on the other, whereas user groups are typically defned as a set of users only.