The Design and Implementation of a Linux Kernel Module for File Descriptor Revocation

5 Pages Posted: 31 Jul 2019

See all articles by Arjun TU

Arjun TU

Amrita Vishwa Vidyapeetham

Hari NN

Amrita Vishwa Vidyapeetham

Date Written: July 31, 2019

Abstract

Privilege separation systems that are implemented in applications such as Chromium and OpenSSH Dae- mon(SSHD) are complex, cumbersome because they have to be built on top of traditional Access Control List(ACL) systems. Properties such as least privilege operations along with effective solutions to problems that plague ACL based implementations, such as the Confused Deputy problem makes Capabilities much more capable when compared with the current Mandatory Access Control (MAC)/ Discretionary Access Control(DAC) systems in use within the POSIX systems for implementing privilege separated applications. While some work has been done on integrating a capability system into Linux, the final implementation provided solution for a specific subset of problems that a typical Capability based systems addresses. We provide a kernel module that enhances the Linux File Descriptors (FD) with revocation property, that while providing as a starting point for future refinements and improvements for creating a Capability system, also provides sufficient advantages to existing work flows that involves privilege separation.

Keywords: Privilege Separation, Capability, File Descrip-tor, Revocation, Kernel Module

Suggested Citation

TU, Arjun and NN, Hari, The Design and Implementation of a Linux Kernel Module for File Descriptor Revocation (July 31, 2019). Proceedings of International Conference on Recent Trends in Computing, Communication & Networking Technologies (ICRTCCNT) 2019, Available at SSRN: https://ssrn.com/abstract=3429667 or http://dx.doi.org/10.2139/ssrn.3429667

Arjun TU (Contact Author)

Amrita Vishwa Vidyapeetham

Amritapuri
India

Hari NN

Amrita Vishwa Vidyapeetham

Amritapuri
India

Here is the Coronavirus
related research on SSRN

Paper statistics

Downloads
17
Abstract Views
223
PlumX Metrics