Protection of components based on a smart-card enhanced security module

Joaquín García-Alfaro; Sergio Castillo; Jordi Castellà-Roca; Guillermo Navarro; Joan Borrell

doi:10.1007/11962977_11

Protection of components based on a smart-card enhanced security module

Joaquín García-Alfaro
, Sergio Castillo
, Jordi Castellà-Roca
, Guillermo Navarro
, Joan Borrell

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

We present in this paper the use of a security mechanism to handle the protection of network security components, such as Firewalls and Intrusion Detection Systems. Our approach consists of a kernel-based access control method which intercepts and cancels forbidden system calls launched by a potential remote attacker. This way, even if the attacker gains administration permissions, she will not achieve her purpose. To solve the administration constraints of our approach, we use a smart-card based authentication mechanism for ensuring the administrator's identity. Through the use of a cryptographic protocol, the protection mechanism verifies administrator's actions before holding her the indispensable privileges to manipulate a component. Otherwise, the access control enforcement will come to its normal operation. We also show in this paper an overview of the implementation of this mechanism on a research prototype, developed for GNU/Linux systems, over the Linux Security Modules (LSM) framework.

Original language	English
Title of host publication	Critical Information Infrastructures Security - First International Workshop, CRITIS 2006, Revised Papers
Pages	128-139
Number of pages	12
DOIs	https://doi.org/10.1007/11962977_11
Publication status	Published - 1 Dec 2006
Externally published	Yes
Event	1st International Workshop on Critical Information Infrastructures Security, CRITIS 2006 - Samos, Greece Duration: 31 Aug 2006 → 1 Sept 2006

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	4347 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	1st International Workshop on Critical Information Infrastructures Security, CRITIS 2006
Country/Territory	Greece
City	Samos
Period	31/08/06 → 1/09/06

Access to Document

10.1007/11962977_11

Cite this

García-Alfaro, J., Castillo, S., Castellà-Roca, J., Navarro, G., & Borrell, J. (2006). Protection of components based on a smart-card enhanced security module. In Critical Information Infrastructures Security - First International Workshop, CRITIS 2006, Revised Papers (pp. 128-139). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4347 LNCS). https://doi.org/10.1007/11962977_11

García-Alfaro, Joaquín ; Castillo, Sergio ; Castellà-Roca, Jordi et al. / Protection of components based on a smart-card enhanced security module. Critical Information Infrastructures Security - First International Workshop, CRITIS 2006, Revised Papers. 2006. pp. 128-139 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{a145d56143fc4214add861c664d64bfb,

title = "Protection of components based on a smart-card enhanced security module",

abstract = "We present in this paper the use of a security mechanism to handle the protection of network security components, such as Firewalls and Intrusion Detection Systems. Our approach consists of a kernel-based access control method which intercepts and cancels forbidden system calls launched by a potential remote attacker. This way, even if the attacker gains administration permissions, she will not achieve her purpose. To solve the administration constraints of our approach, we use a smart-card based authentication mechanism for ensuring the administrator's identity. Through the use of a cryptographic protocol, the protection mechanism verifies administrator's actions before holding her the indispensable privileges to manipulate a component. Otherwise, the access control enforcement will come to its normal operation. We also show in this paper an overview of the implementation of this mechanism on a research prototype, developed for GNU/Linux systems, over the Linux Security Modules (LSM) framework.",

author = "Joaqu{\'i}n Garc{\'i}a-Alfaro and Sergio Castillo and Jordi Castell{\`a}-Roca and Guillermo Navarro and Joan Borrell",

year = "2006",

month = dec,

day = "1",

doi = "10.1007/11962977\_11",

language = "English",

isbn = "3540690832",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "128--139",

booktitle = "Critical Information Infrastructures Security - First International Workshop, CRITIS 2006, Revised Papers",

note = "1st International Workshop on Critical Information Infrastructures Security, CRITIS 2006 ; Conference date: 31-08-2006 Through 01-09-2006",

}

García-Alfaro, J, Castillo, S, Castellà-Roca, J, Navarro, G & Borrell, J 2006, Protection of components based on a smart-card enhanced security module. in Critical Information Infrastructures Security - First International Workshop, CRITIS 2006, Revised Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 4347 LNCS, pp. 128-139, 1st International Workshop on Critical Information Infrastructures Security, CRITIS 2006, Samos, Greece, 31/08/06. https://doi.org/10.1007/11962977_11

Protection of components based on a smart-card enhanced security module. / García-Alfaro, Joaquín; Castillo, Sergio; Castellà-Roca, Jordi et al.
Critical Information Infrastructures Security - First International Workshop, CRITIS 2006, Revised Papers. 2006. p. 128-139 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4347 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Protection of components based on a smart-card enhanced security module

AU - García-Alfaro, Joaquín

AU - Castillo, Sergio

AU - Castellà-Roca, Jordi

AU - Navarro, Guillermo

AU - Borrell, Joan

PY - 2006/12/1

Y1 - 2006/12/1

N2 - We present in this paper the use of a security mechanism to handle the protection of network security components, such as Firewalls and Intrusion Detection Systems. Our approach consists of a kernel-based access control method which intercepts and cancels forbidden system calls launched by a potential remote attacker. This way, even if the attacker gains administration permissions, she will not achieve her purpose. To solve the administration constraints of our approach, we use a smart-card based authentication mechanism for ensuring the administrator's identity. Through the use of a cryptographic protocol, the protection mechanism verifies administrator's actions before holding her the indispensable privileges to manipulate a component. Otherwise, the access control enforcement will come to its normal operation. We also show in this paper an overview of the implementation of this mechanism on a research prototype, developed for GNU/Linux systems, over the Linux Security Modules (LSM) framework.

AB - We present in this paper the use of a security mechanism to handle the protection of network security components, such as Firewalls and Intrusion Detection Systems. Our approach consists of a kernel-based access control method which intercepts and cancels forbidden system calls launched by a potential remote attacker. This way, even if the attacker gains administration permissions, she will not achieve her purpose. To solve the administration constraints of our approach, we use a smart-card based authentication mechanism for ensuring the administrator's identity. Through the use of a cryptographic protocol, the protection mechanism verifies administrator's actions before holding her the indispensable privileges to manipulate a component. Otherwise, the access control enforcement will come to its normal operation. We also show in this paper an overview of the implementation of this mechanism on a research prototype, developed for GNU/Linux systems, over the Linux Security Modules (LSM) framework.

UR - https://www.scopus.com/pages/publications/84885705762

U2 - 10.1007/11962977_11

DO - 10.1007/11962977_11

M3 - Conference contribution

AN - SCOPUS:84885705762

SN - 3540690832

SN - 9783540690832

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 128

EP - 139

BT - Critical Information Infrastructures Security - First International Workshop, CRITIS 2006, Revised Papers

T2 - 1st International Workshop on Critical Information Infrastructures Security, CRITIS 2006

Y2 - 31 August 2006 through 1 September 2006

ER -

García-Alfaro J, Castillo S, Castellà-Roca J, Navarro G, Borrell J. Protection of components based on a smart-card enhanced security module. In Critical Information Infrastructures Security - First International Workshop, CRITIS 2006, Revised Papers. 2006. p. 128-139. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/11962977_11

Protection of components based on a smart-card enhanced security module

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this