A PROGRAM PARTITIONING TECHNIQUE FOR ENFORCEMENT OF CONFIDENTIALITY POLICIES

BY TEJAS R. KHATIWALA B.E., South Gujarat University at Surat, 2003.

THESIS Submitted as partial fulfillment of the requirements for the degree of Master of Science in Computer Science

in the Graduate College of the University of Illinois at Chicago, 2006

Chicago, Illinois

Copyright by Tejas R. Khatiwala

2006

To my parents and their fathers.

ACKNOWLEDGMENTS

I would like to thank my advisor, Prof. V.N. Venkatakrishnan, for his guidance and patience during the course of the thesis. It would not have been possible to reach this stage but for his support. I would like to thank my thesis committee members - Prof. Jon Solworth and Prof. A. Prasad Sistla - for their time and support.

I would specially like to thank my friend Raj for many engaging discussions and giving a helping hand with development which helped me refine our implementation.

TRK

TABLE OF CONTENTS

CHAPTER

1 INTRODUCTION
2 APPROACH OVERVIEW
2.1 System overview
2.2 Security Policy Specifications
2.3 Analysis
3 PARTITIONING
3.1 Introduction and generation of private zone
3.2 Generation of public zone
3.3 Analysis for state exchange between zones
3.4 Generation of checks that makes use of runtime information
3.5 Pseudo code for partition engine
4 SERIALIZATION
4.1 Implementation
4.1.1 Basic idea of serialization
4.1.2 Serialization and data types
4.1.3 Pointers
4.1.4 Arrays
4.1.5 Structures
4.1.6 Analysis of recursive structures
4.1.7 The Messaging Protocol
4.1.8 The hash-table
4.1.9 Code generation
4.2 Limitations
5 EVALUATION
5.1 Policy enforcement evaluation
5.1.1 Linux-Monitor
5.1.2 Htpasswd
5.1.3 Mediachat
5.1.4 chfn, chsh, passwd
5.2 Evaluation
5.2.1 Micro benchmark on the domain transfer operation
5.3 Overall performance measurements
5.3.1 Performance Improvements
