{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2022,12,29]],"date-time":"2022-12-29T05:17:14Z","timestamp":1672291034689},"reference-count":16,"publisher":"Association for Computing Machinery (ACM)","issue":"3","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["SIGOPS Oper. Syst. Rev."],"published-print":{"date-parts":[[2005,7]]},"abstract":"<jats:p>As the fundamental software to guarantee information security, operating system is desired to support various security policies flexibly and to control the propagation and revocation of access rights efficiently. This paper presents a design and implementation of Policy Flexible Architecture (PFA) for secure operating system to achieve the coordination, extensibility, consistency and dynamic configuration of security policies. Through a thorough analysis of all related facilities, PFA classifies policy constructions into several levels according to their effects on security status; PFA emphasizes on centralized management of security policy as well as on centralized maintainability of security attributes; for the first time PFA gives revocation rules to specify how and when to revoke permissions. PFA has been applied to our Secure Enhanced Linux Operating System, and the experiment shows that the system holds at least three advantages. First, it helps users to choose intended security policies flexibly. Besides it supports users to add new security policies according to specific security requirements easily. Finally it sets permission revocations immediately and gets no significant performance penalty.<\/jats:p>","DOI":"10.1145\/1075395.1075397","type":"journal-article","created":{"date-parts":[[2005,11,7]],"date-time":"2005-11-07T19:28:32Z","timestamp":1131391712000},"page":"24-33","update-policy":"http:\/\/dx.doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["A policy flexible architecture for secure operating system"],"prefix":"10.1145","volume":"39","author":[{"given":"Zhiqiang","family":"Lin","sequence":"first","affiliation":[{"name":"Nanjing University, Nanjing, China"}]},{"given":"Chao","family":"Wang","sequence":"additional","affiliation":[{"name":"Nanjing University, Nanjing, China"}]},{"given":"Bing","family":"Mao","sequence":"additional","affiliation":[{"name":"Nanjing University, Nanjing, China"}]},{"given":"Li","family":"Xie","sequence":"additional","affiliation":[{"name":"Nanjing University, Nanjing, China"}]}],"member":"320","published-online":{"date-parts":[[2005,7]]},"reference":[{"key":"e_1_2_1_1_1","first-page":"56","volume-title":"Secure Applications Need Flexible Operating Systems. The 6th Workshop on Hot Topics in Operating Systems (HotOS-VI)","author":"Mazieres D.","year":"1997","unstructured":"D. Mazieres , M. Kaashoek . Secure Applications Need Flexible Operating Systems. The 6th Workshop on Hot Topics in Operating Systems (HotOS-VI) , pp. 56 -- 61 , 1997 .]] D. Mazieres, M. Kaashoek. Secure Applications Need Flexible Operating Systems. The 6th Workshop on Hot Topics in Operating Systems (HotOS-VI), pp. 56--61, 1997.]]"},{"key":"e_1_2_1_2_1","volume-title":"The Flask Security Architecture: System Support for Diverse Security Policies. The 8th USENIX Security Symposium","author":"Spencer R.","year":"1999","unstructured":"R. Spencer , The Flask Security Architecture: System Support for Diverse Security Policies. The 8th USENIX Security Symposium , 1999 .]] R. Spencer, The Flask Security Architecture: System Support for Diverse Security Policies. The 8th USENIX Security Symposium, 1999.]]"},{"key":"e_1_2_1_3_1","first-page":"135","volume-title":"Proc. of the 13th National Computer Security Conference","author":"Abrams M. D.","year":"1990","unstructured":"M. D. Abrams , L. LaPadula , et.al. Generalized Framework for Access Control: An Informal Description . Proc. of the 13th National Computer Security Conference , pp. 135 -- 143 , Oct. 1990 .]] M. D. Abrams, L. LaPadula, et.al. Generalized Framework for Access Control: An Informal Description. Proc. of the 13th National Computer Security Conference, pp. 135--143, Oct. 1990.]]"},{"key":"e_1_2_1_4_1","volume-title":"The Rule Set Based Access Control (RSBAC) Linux Kernel Security Extension. Proc. of the 8th International Linux Congress","author":"Ott A.","year":"2001","unstructured":"A. Ott , The Rule Set Based Access Control (RSBAC) Linux Kernel Security Extension. Proc. of the 8th International Linux Congress , November , 2001 .]] A. Ott, The Rule Set Based Access Control (RSBAC) Linux Kernel Security Extension. Proc. of the 8th International Linux Congress, November, 2001.]]"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/2.485845"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.5555\/646962.712108"},{"key":"e_1_2_1_7_1","volume-title":"Proc. Of Network and Distributed System Security Symposium","author":"Ribeiro C.","year":"2001","unstructured":"C. Ribeiro . SPL : An access control language for security policies with complex constraints . Proc. Of Network and Distributed System Security Symposium , 2001 .]] C. Ribeiro. SPL: An access control language for security policies with complex constraints. Proc. Of Network and Distributed System Security Symposium, 2001.]]"},{"key":"e_1_2_1_8_1","volume-title":"CSC-STD-001-83","author":"America Department of Defense","year":"1983","unstructured":"America Department of Defense , Trusted Computer System Evaluation Criteria , CSC-STD-001-83 , Aug 1983 .]] America Department of Defense, Trusted Computer System Evaluation Criteria, CSC-STD-001-83, Aug 1983.]]"},{"key":"e_1_2_1_9_1","volume-title":"Confining Root Programs with Domain and Type Enforcement. The 6th USENIX Security Symposium","author":"Walker K. M.","unstructured":"K. M. Walker , Confining Root Programs with Domain and Type Enforcement. The 6th USENIX Security Symposium , August 1996]] K. M. Walker, Confining Root Programs with Domain and Type Enforcement. The 6th USENIX Security Symposium, August 1996]]"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.5555\/184996.185003"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/352600.352623"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.1989.36276"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/352600.352624"},{"key":"e_1_2_1_14_1","first-page":"29","volume-title":"Proc. of the FREENIX Track: 2001 USENIX Annual Technical Conference (FREENIX'01)","author":"Loscocco P.","year":"2001","unstructured":"P. Loscocco , S. Smalley , Integrating Flexible Support for Security Policies into the Linux Operating System . Proc. of the FREENIX Track: 2001 USENIX Annual Technical Conference (FREENIX'01) , pp. 29 -- 42 , June 2001 .]] P. Loscocco, S. Smalley, Integrating Flexible Support for Security Policies into the Linux Operating System. Proc. of the FREENIX Track: 2001 USENIX Annual Technical Conference (FREENIX'01), pp. 29--42, June 2001.]]"},{"key":"e_1_2_1_15_1","first-page":"73","volume-title":"Proc. of the General Track: 2002 USENIX Annual Technical Conference","author":"Fassino J.","year":"2002","unstructured":"J. Fassino , J. B. Stefani , J. L. Lawall , G. Muller , Think : A Software Framework for Component-based Operating System Kernels , Proc. of the General Track: 2002 USENIX Annual Technical Conference , p. 73 -- 86 , June 10-15, 2002 ]] J. Fassino, J. B. Stefani, J. L. Lawall, G. Muller, Think: A Software Framework for Component-based Operating System Kernels, Proc. of the General Track: 2002 USENIX Annual Technical Conference, p. 73--86, June 10-15, 2002]]"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/958965.958966"}],"container-title":["ACM SIGOPS Operating Systems Review"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1075395.1075397","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,12,28]],"date-time":"2022-12-28T16:15:29Z","timestamp":1672244129000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1075395.1075397"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2005,7]]},"references-count":16,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2005,7]]}},"alternative-id":["10.1145\/1075395.1075397"],"URL":"https:\/\/doi.org\/10.1145\/1075395.1075397","relation":{},"ISSN":["0163-5980"],"issn-type":[{"value":"0163-5980","type":"print"}],"subject":[],"published":{"date-parts":[[2005,7]]},"assertion":[{"value":"2005-07-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}