A number of interesting papers considering security and open source
will be presented at
the 11th USENIX Security Symposium
the week of August 5th in San Francisco, California, USA.
We noticed a few that have already been released by the authors.
Linux Security Modules: General Security Support for the Linux Kernel (HTML format).
"The Linux
Security Modules (LSM) project has developed a lightweight, general purpose,
access control framework for the mainstream Linux kernel that enables many
different access control models to be implemented as loadable kernel modules.
A number of existing enhanced access control implementations, including Linux
capabilities, Security-Enhanced Linux (SELinux), and Domain and Type
Enforcement (DTE), have already been adapted to use the LSM framework. This
paper presents the design and implementation of LSM and discusses the
challenges in providing a truly general solution that minimally impacts the
Linux kernel."
Linux Security Module Framework (PDF format).
"This
paper presents the design and implementation of the LSM framework, a
discussion of performance and security impact on the kernel, and a brief
overview of existing security modules."
Deanonymizing Users of the SafeWeb Anonymizing Service (PDF format).
"The SafeWeb anonymizing system has been lauded by the press and
loved by its users; self-described as "the most widely used online
privacy service in the world," it served over 3,000,000 page views
per day at its peak. SafeWeb was designed to defeat content blocking
by firewalls and to defeat Web server attempts to identify users,
all without degrading Web site behavior or requiring users to
install specialized software. In this paper we describe how these
fundamentally incompatible requirements were realized in SafeWeb's
architecture, resulting in spectacular failure modes under simple
JavaScript attacks."
Secure Execution Via Program Shepherding (PDF format).
"We introduce program shepherding, a method for monitoring control flow
transfers during program execution to enforce security policies. Program
shepherding provides three techniques as building blocks for security
policies. [...]
This system operates on unmodified native binaries, requires no
special hardware or operating system support, and runs on existing IA-32
machines under both Linux and Windows."
Setuid Demystified (PDF format).
"Access control in Unix systems is mainly based on user IDs, yet
the system calls that modify user IDs (uid-setting system calls),
such as setuid, are poorly designed, insufficiently documented, and
widely misunderstood and misused. This has caused many security
vulnerabilities in application programs.
[...]
Finally, we provide general
guidelines on the proper usage of the uid-setting system calls, and
we propose a high-level API that is more comprehensible, usable, and
portable than the usual Unix API."
Infranet: Circumventing Web Censorship and Surveillance (PDF format).
"An increasing number of countries and companies routinely block or monitor
access to parts of the Internet. To counteract these measures, we propose
Infranet, a system that enables clients to surreptitiously retrieve sensitive
content via cooperating Web servers distributed across the global
Internet."
Trusted Paths for Browsers: An Open-Source Solution to Web Spoofing (PDF format).
"The security of the vast majority of "secure" Web services rests on SSL
server PKI. However, this PKI doesn't work if the adversary can trick
the browser into appearing to tell the user the wrong thing about the
certificates and cryptography.
[...]
This paper reports the results of our work to systematically defend against
Web spoofing, by creating a trusted path from the browser to the
user."