Implementing privilege separation in the Condor system
Author
Abstract
In this paper we discuss, in some depth, our restricted implementation of privilege separation for the Condor system ([1], [2]) in the Linux environment, and in addition we describe our proposed architecture for communication between privilege-separated daemons in the Condor system. This architecture, if adopted, would allow each daemon to conform to the principle of least privilege, thus significantly lowering the attack surface of the Condor system.
Similar references
Preventing Privilege Escalation
Many operating system services require special privilege to execute their tasks. A programming error in a privileged service opens the door to system compromise in the form of unauthorized acquisition of privileges. In the worst case, a remote attacker may obtain superuser privileges. In this paper, we discuss the methodology and design of privilege separation, a generic approach that lets part...
A Matchmaking Approach for Distributed Policy Specification and Interpretation
In a distributed system, the separation of policy and mechanism is a vital principle. This separation can be achieved by devising a language for specifying policy and an engine for interpreting policy. In the Condor [52] high throughput distributed system the ClassAd language [57] is used to specify resource selection policy and matchmaking is used to interpret that policy. ClassAds and matchma...
Dynamic Virtual Address Range Adjustment for Intra-Level Privilege Separation on ARM
Privilege separation has long been considered as a fundamental principle in software design to mitigate the potential damage of a security attack. Much effort has been given to develop various privilege separation schemes where a monolithic OS or hypervisor is divided into two privilege domains where one domain is logically more privileged than the other even if both run at an identical process...
Least Privilege in Separation Kernels
We extend the separation kernel abstraction to represent the enforcement of the principle of least privilege. In addition to the inter-block flow control policy prescribed by the traditional separation kernel paradigm, we describe an orthogonal, finer-grained flow control policy by extending the protection of elements to subjects and resources, as well as blocks, within a partitioned system. We...
A Privilege Separation Method for Security Commercial Transactions
A privileged user is needed to manage the commercial transactions, but a super-administrator may have monopolized power and cause serious security problems. Relying on trusted computing technology, a privilege separation method is proposed to satisfy the security management requirements for information systems. It authorizes the system privilege to three different managers, and none of them can be inter...