System Configuration as a Privilege∗
نویسندگان
چکیده
We present a new approach for separating configuration privilege from traditional root privilege. We limit this new configuration privilege to a single (new) system daemon, configd. This daemon reads requests for changes in system configuration, either allowing or denying each request based on various criteria (possibly including user input). We do not allow any other application to run with configuration permission, forcing all requests for a change in system configuration to be processed by configd. We discuss the basic functionality required for configd to protect system configuration, and some preliminary improvements to a basic prototype design. We concentrate on only those system configuration changes performed through the modification of a file on disk.
منابع مشابه
Tarski Number and Configuration Equations
The concept of configuration of groups which is defined in terms of finite partitions and finite strings of elements of the group is presented by Rosenblatt and Willis. To each set of configurations, a finite system of equations known as configuration equations, is associated. Rosenblatt and Willis proved that a discrete group G is amenable if and only if every possible instance of its configur...
متن کاملA Graph-Based Network-Vulnerability Analysis System
This report presents a graph-based approach to network vulnerability analysis. The method is flexible, allowing analysis of attacks from both outside and inside the network. It can analyze risks to a specific network asset, or examine the universe of possible consequences following a successful attack. The analysis system requires as input a database of common attacks, broken into atomic steps,...
متن کاملResilient Configuration of Distribution System versus False Data Injection Attacks Against State Estimation
State estimation is used in power systems to estimate grid variables based on meter measurements. Unfortunately, power grids are vulnerable to cyber-attacks. Reducing cyber-attacks against state estimation is necessary to ensure power system safe and reliable operation. False data injection (FDI) is a type of cyber-attack that tampers with measurements. This paper proposes network reconfigurati...
متن کاملSecurity Policy Generation through Package Management
Generation and maintenance of security policies is too complex and needs simplification for it to be widely adopted and thus truly make a difference in delivering the promise of more secure computing systems (rather than just being ignored by administrators). In practice, one of the great obstacles to the adoption of security measures in system software is the complexity of configuration that i...
متن کاملReliable Designing of Capacitated Logistics Network with Multi Configuration Structure under Disruptions: A Hybrid Heuristic Based Sample Average Approximation Algorithm
We consider the reliable multi configuration capacitated logistics network design problem (RMCLNDP) with system disruptions, concerned with facilities locating, transportation links constructing, and also allocating their limited capacities to the customers in order to satisfy their demands with a minimum expected total cost (including locating costs, link constructing costs, as well as expecte...
متن کامل