{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:25:54Z","timestamp":1750307154219,"version":"3.41.0"},"reference-count":42,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2011,11,1]],"date-time":"2011-11-01T00:00:00Z","timestamp":1320105600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["4.48E+12"],"award-info":[{"award-number":["4.48E+12"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Inf. Syst. Secur."],"published-print":{"date-parts":[[2011,11]]},"abstract":"<jats:p>Discretionary Access Control (DAC) is the primary access control mechanism in today\u2019s major operating systems. It is, however, vulnerable to Trojan Horse attacks and attacks exploiting buggy software. We propose to combine the discretionary policy in DAC with the dynamic information flow techniques in MAC, therefore achieving the best of both worlds, that is, the DAC\u2019s easy-to-use discretionary policy specification and MAC\u2019s defense against threats caused by Trojan Horses and buggy programs. We propose the Information Flow Enhanced Discretionary Access Control (IFEDAC) model that implements this design philosophy. We describe our design of IFEDAC, and discuss its relationship with the Usable Mandatory Integrity Protection (UMIP) model proposed earlier by us. In addition, we analyze their security property and their relationships with other protection systems. We also describe our implementations of IFEDAC in Linux and the evaluation results and deployment experiences of the systems.<\/jats:p>","DOI":"10.1145\/2043621.2043624","type":"journal-article","created":{"date-parts":[[2011,12,6]],"date-time":"2011-12-06T19:05:23Z","timestamp":1323198323000},"page":"1-27","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":10,"title":["Combining Discretionary Policy with Mandatory Information Flow in Operating Systems"],"prefix":"10.1145","volume":"14","author":[{"given":"Ziqing","family":"Mao","sequence":"first","affiliation":[{"name":"Purdue University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ninghui","family":"Li","sequence":"additional","affiliation":[{"name":"Purdue University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Hong","family":"Chen","sequence":"additional","affiliation":[{"name":"Purdue University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xuxian","family":"Jiang","sequence":"additional","affiliation":[{"name":"North Carolina State University"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2011,11]]},"reference":[{"volume-title":"Proceedings of the USENIX Security Symposium. USENIX.","author":"Badger L.","key":"e_1_2_1_1_1","unstructured":"Badger , L. , Sterne , D. F. , Sherman , D. L. , Walker , K. M. , and Haghighat , S. A . 1995a. A domain and type enforcement UNIX prototype . In Proceedings of the USENIX Security Symposium. USENIX. Badger, L., Sterne, D. F., Sherman, D. L., Walker, K. M., and Haghighat, S. A. 1995a. A domain and type enforcement UNIX prototype. In Proceedings of the USENIX Security Symposium. USENIX."},{"volume-title":"Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 66--77","author":"Badger L.","key":"e_1_2_1_2_1","unstructured":"Badger , L. , Sterne , D. F. , Sherman , D. L. , Walker , K. M. , and Haghighat , S. A . 1995b. Practical domain and type enforcement for UNIX . In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 66--77 . Badger, L., Sterne, D. F., Sherman, D. L., Walker, K. M., and Haghighat, S. A. 1995b. Practical domain and type enforcement for UNIX. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 66--77."},{"volume-title":"Secure computer systems: Unified exposition and Multics interpretation. Tech. rep. ESD-TR-75-306","author":"Bell D. E.","key":"e_1_2_1_3_1","unstructured":"Bell , D. E. and LaPadula , L. J. 1976. Secure computer systems: Unified exposition and Multics interpretation. Tech. rep. ESD-TR-75-306 , MITRE Corporation . Bell, D. E. and LaPadula, L. J. 1976. Secure computer systems: Unified exposition and Multics interpretation. Tech. rep. ESD-TR-75-306, MITRE Corporation."},{"key":"e_1_2_1_4_1","unstructured":"Biba K. J. 1977. Integrity considerations for secure computer systems. Tech. rep. MTR-3153 MITRE. Biba K. J. 1977. Integrity considerations for secure computer systems. Tech. rep. MTR-3153 MITRE."},{"volume-title":"Proceedings of the USENIX Security Symposium.","author":"Brumley D.","key":"e_1_2_1_5_1","unstructured":"Brumley , D. and Song , D . 2004. PrivTrans: Automatically partitioning programs for privilege separation . In Proceedings of the USENIX Security Symposium. Brumley, D. and Song, D. 2004. PrivTrans: Automatically partitioning programs for privilege separation. In Proceedings of the USENIX Security Symposium."},{"volume-title":"Proceedings of the USENIX Security Symposium. 171--190","author":"Chen H.","key":"e_1_2_1_6_1","unstructured":"Chen , H. , Dean , D. , and Wagner , D . 2002. Setuid demystified . In Proceedings of the USENIX Security Symposium. 171--190 . Chen, H., Dean, D., and Wagner, D. 2002. Setuid demystified. In Proceedings of the USENIX Security Symposium. 171--190."},{"volume-title":"Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 184--194","author":"Clark D. D.","key":"e_1_2_1_7_1","unstructured":"Clark , D. D. and Wilson , D. R . 1987. A comparision of commercial and military computer security policies . In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 184--194 . Clark, D. D. and Wilson, D. R. 1987. A comparision of commercial and military computer security policies. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 184--194."},{"volume-title":"Proceedings of the 14th Conference on Systems Administration (LISA\u201900)","author":"Cowan C.","key":"e_1_2_1_8_1","unstructured":"Cowan , C. , Beattie , S. , Kroah-Hartman , G. , Pu , C. , Wagle , P. , and Gligor , V. D . 2000. Subdomain: Parsimonious server security . In Proceedings of the 14th Conference on Systems Administration (LISA\u201900) . USENIX, 355--368. Cowan, C., Beattie, S., Kroah-Hartman, G., Pu, C., Wagle, P., and Gligor, V. D. 2000. Subdomain: Parsimonious server security. In Proceedings of the 14th Conference on Systems Administration (LISA\u201900). USENIX, 355--368."},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/360051.360056"},{"key":"e_1_2_1_10_1","unstructured":"DOD. 1985. Trusted computer system evaluation criteria. Department of Defense 5200.28-STD Washington DC. DOD . 1985. Trusted computer system evaluation criteria. Department of Defense 5200.28-STD Washington DC."},{"volume-title":"Proceedings of IEEE Symposium on Research in Security and Privacy. IEEE Computer Society","author":"Downs D. D.","key":"e_1_2_1_11_1","unstructured":"Downs , D. D. , Rub , J. R. , Kung , K. C. , and Jordan , C. S . 1985. Issues in discretionary access control . In Proceedings of IEEE Symposium on Research in Security and Privacy. IEEE Computer Society , Oakland, CA, 208--218. Downs, D. D., Rub, J. R., Kung, K. C., and Jordan, C. S. 1985. Issues in discretionary access control. In Proceedings of IEEE Symposium on Research in Security and Privacy. IEEE Computer Society, Oakland, CA, 208--218."},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2008.41"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.5555\/882494.884406"},{"volume-title":"Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 11--20","author":"Goguen J.","key":"e_1_2_1_14_1","unstructured":"Goguen , J. and Meseguer , J . 1982. Security policies and security models . In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 11--20 . Goguen, J. and Meseguer, J. 1982. Security policies and security models. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 11--20."},{"volume-title":"Proceedings of the USENIX Security Symposium. USENIX, 1--13","author":"Goldberg I.","key":"e_1_2_1_15_1","unstructured":"Goldberg , I. , Wagner , D. , Thomas , R. , and Brewer , E. A . 1996. A secure environment for untrusted helper applications: Confining the wily hacker . In Proceedings of the USENIX Security Symposium. USENIX, 1--13 . Goldberg, I., Wagner, D., Thomas, R., and Brewer, E. A. 1996. A secure environment for untrusted helper applications: Confining the wily hacker. In Proceedings of the USENIX Security Symposium. USENIX, 1--13."},{"key":"e_1_2_1_16_1","volume-title":"Proceedings of the USENIX Annual Technical Conference. USENIX.","author":"Hicks B.","year":"2007","unstructured":"Hicks , B. , Rueda , S. , Jaeger , T. , and McDaniel , P. 2007 . From trusted to secure: Building and executing applications that enforce system security . In Proceedings of the USENIX Annual Technical Conference. USENIX. Hicks, B., Rueda, S., Jaeger, T., and McDaniel, P. 2007. From trusted to secure: Building and executing applications that enforce system security. In Proceedings of the USENIX Annual Technical Conference. USENIX."},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.5555\/1949221.1949242"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.23"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/1294261.1294293"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.5555\/1949221.1949243"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2007.37"},{"volume-title":"Proceedings of the USENIX Annual Technical Conference (FREENIX track). USENIX, 29--42","author":"Loscocco P.","key":"e_1_2_1_22_1","unstructured":"Loscocco , P. and Smalley , S . 2001a. Integrating flexible support for security policies into the Linux operating system . In Proceedings of the USENIX Annual Technical Conference (FREENIX track). USENIX, 29--42 . Loscocco, P. and Smalley, S. 2001a. Integrating flexible support for security policies into the Linux operating system. In Proceedings of the USENIX Annual Technical Conference (FREENIX track). USENIX, 29--42."},{"volume-title":"Meeting critical security objectives with security-enhanced Linux. In Proceedings of the Ottawa Linux Symposium. USENIX.","author":"Loscocco P.","key":"e_1_2_1_23_1","unstructured":"Loscocco , P. and Smalley , S . 2001b . Meeting critical security objectives with security-enhanced Linux. In Proceedings of the Ottawa Linux Symposium. USENIX. Loscocco, P. and Smalley, S. 2001b. Meeting critical security objectives with security-enhanced Linux. In Proceedings of the Ottawa Linux Symposium. USENIX."},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/1542207.1542244"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1002\/spe.4380220805"},{"key":"e_1_2_1_26_1","unstructured":"Microsoft.com. 2007. The advantages of running applications on Windows Vista. http:\/\/msdn2.microsoft.com\/en-us\/library\/bb188739.aspx. Microsoft.com . 2007. The advantages of running applications on Windows Vista. http:\/\/msdn2.microsoft.com\/en-us\/library\/bb188739.aspx."},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/292540.292561"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/268998.266669"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/363516.363526"},{"key":"e_1_2_1_30_1","unstructured":"NCSC. 1987. National computer security center: A guide to understanding discretionary access control in trusted systems. NCSC-TG-003. NCSC . 1987. National computer security center: A guide to understanding discretionary access control in trusted systems. NCSC-TG-003."},{"volume-title":"Proceedings of the Network and Distributed Systems Security Symposium. ACM.","author":"Newsome J.","key":"e_1_2_1_31_1","unstructured":"Newsome , J. and Song , D . 2005. Dynamic taint analysis: Automatic detection, analysis, and signature generation of exploit attacks on commodity software . In Proceedings of the Network and Distributed Systems Security Symposium. ACM. Newsome, J. and Song, D. 2005. Dynamic taint analysis: Automatic detection, analysis, and signature generation of exploit attacks on commodity software. In Proceedings of the Network and Distributed Systems Security Symposium. ACM."},{"key":"e_1_2_1_32_1","volume-title":"Proceedings of the USENIX Security Symposium. USENIX. 252--272","author":"Provos N.","year":"2003","unstructured":"Provos , N. 2003 . Improving host security with system call policies . In Proceedings of the USENIX Security Symposium. USENIX. 252--272 . Provos, N. 2003. Improving host security with system call policies. In Proceedings of the USENIX Security Symposium. USENIX. 252--272."},{"volume-title":"Proceedings of the USENIX Security Symposium. USENIX, 231--242","author":"Provos N.","key":"e_1_2_1_33_1","unstructured":"Provos , N. , Friedl , M. , and Honeyman , P . 2003. Preventing privilege escalation . In Proceedings of the USENIX Security Symposium. USENIX, 231--242 . Provos, N., Friedl, M., and Honeyman, P. 2003. Preventing privilege escalation. In Proceedings of the USENIX Security Symposium. USENIX, 231--242."},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/PROC.1975.9939"},{"volume-title":"Proceedings of the ISOC Networked and Distributed Systems Security Symposium. ACM.","author":"Shankar U.","key":"e_1_2_1_35_1","unstructured":"Shankar , U. , Jaeger , T. , and Sailer , R . 2006. Toward automated information-flow integrity verification for security-critical applications . In Proceedings of the ISOC Networked and Distributed Systems Security Symposium. ACM. Shankar, U., Jaeger, T., and Sailer, R. 2006. Toward automated information-flow integrity verification for security-critical applications. In Proceedings of the ISOC Networked and Distributed Systems Security Symposium. ACM."},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-70542-0_9"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2008.35"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/1314299.1314302"},{"volume-title":"Proceedings of the 13th National Computer Security Conference. National Computer Security Center","author":"Wichers D. R.","key":"e_1_2_1_39_1","unstructured":"Wichers , D. R. , Cook , D. M. , Olsson , R. A. , Crossley , J. , Kerchen , P. , Levitt , K. N. , and Lo , R . 1990. PACL\u2019s: An access control list approach to anti-viral security . In Proceedings of the 13th National Computer Security Conference. National Computer Security Center , Washington, DC, 340--349. Wichers, D. R., Cook, D. M., Olsson, R. A., Crossley, J., Kerchen, P., Levitt, K. N., and Lo, R. 1990. PACL\u2019s: An access control list approach to anti-viral security. In Proceedings of the 13th National Computer Security Conference. National Computer Security Center, Washington, DC, 340--349."},{"volume-title":"Proceedings of the USENIX Security Symposium. USENIX, 17--31","author":"Wright C.","key":"e_1_2_1_40_1","unstructured":"Wright , C. , Cowan , C. , Morris , J. , Smalley , S. , and Kroah-Hartman , G . 2002. Linux security modules: General security support for the Linux kernel . In Proceedings of the USENIX Security Symposium. USENIX, 17--31 . Wright, C., Cowan, C., Morris, J., Smalley, S., and Kroah-Hartman, G. 2002. Linux security modules: General security support for the Linux kernel. In Proceedings of the USENIX Security Symposium. USENIX, 17--31."},{"volume-title":"Proceedings of the USENIX Security Symposium. USENIX.","author":"Xu W.","key":"e_1_2_1_41_1","unstructured":"Xu , W. , Bhatkar , S. , and Sekar , R . 2006. Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks . In Proceedings of the USENIX Security Symposium. USENIX. Xu, W., Bhatkar, S., and Sekar, R. 2006. Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks. In Proceedings of the USENIX Security Symposium. USENIX."},{"volume-title":"Proceedings of the USENIX Symposium on Operating Systems Design and Implementation (OSDI). USENIX.","author":"Zeldovich N.","key":"e_1_2_1_42_1","unstructured":"Zeldovich , N. , Boyd-Wickizer , S. , Kohler , E. , and Mazires , D . 2006. Making information flow explicit in HiStar . In Proceedings of the USENIX Symposium on Operating Systems Design and Implementation (OSDI). USENIX. Zeldovich, N., Boyd-Wickizer, S., Kohler, E., and Mazires, D. 2006. Making information flow explicit in HiStar. In Proceedings of the USENIX Symposium on Operating Systems Design and Implementation (OSDI). USENIX."}],"container-title":["ACM Transactions on Information and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2043621.2043624","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2043621.2043624","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T09:54:19Z","timestamp":1750240459000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2043621.2043624"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2011,11]]},"references-count":42,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2011,11]]}},"alternative-id":["10.1145\/2043621.2043624"],"URL":"https:\/\/doi.org\/10.1145\/2043621.2043624","relation":{},"ISSN":["1094-9224","1557-7406"],"issn-type":[{"type":"print","value":"1094-9224"},{"type":"electronic","value":"1557-7406"}],"subject":[],"published":{"date-parts":[[2011,11]]},"assertion":[{"value":"2010-02-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2011-04-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2011-11-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}