TY - GEN
T1 - WatchIT
T2 - 26th ACM Symposium on Operating Systems Principles, SOSP 2017
AU - Shalev, Noam
AU - Keidar, Idit
AU - Weinsberg, Yaron
AU - Moatti, Yosef
AU - Ben-Yehuda, Elad
N1 - Publisher Copyright: © 2017 Association for Computing Machinery.
PY - 2017/10/14
Y1 - 2017/10/14
N2 - System administrators have unlimited access to system resources. As the Snowden case highlighted, these permissions can be exploited to steal valuable personal, classified, or commercial data. This problem is exacerbated when a third party administers the system. For example, a bank outsourcing its IT would not want to allow administrators access to the actual data. We propose WatchIT: a strategy that constrains IT personnel’s view of the system and monitors their actions. To this end, we introduce the abstraction of perforated containers – while regular Linux containers are too restrictive to be used by system administrators, by “punching holes” in them, we strike a balance between information security and required administrative needs. Following the principle of least privilege, our system predicts which system resources should be accessible for handling each IT issue, creates a perforated container with the corresponding isolation, and deploys it as needed for fixing the problem. Under this approach, the system administrator retains superuser privileges, but only within the limits of the perforated container. We further provide means for the administrator to bypass the isolation, but such operations are monitored and logged for later analysis and anomaly detection. We provide a proof-of-concept implementation of our strategy, which includes software for deploying perforated containers, monitoring mechanisms, and changes to the Linux kernel. Finally, we present a case study conducted on the IT database of IBM Research in Israel, showing that our approach is feasible.
KW - Perforated Container
KW - Privileged Insider Threat
UR - http://www.scopus.com/inward/record.url?scp=85041666742&partnerID=8YFLogxK
U2 - 10.1145/3132747.3132752
DO - 10.1145/3132747.3132752
M3 - Conference contribution
T3 - SOSP 2017 - Proceedings of the 26th ACM Symposium on Operating Systems Principles
SP - 515
EP - 530
BT - SOSP 2017 - Proceedings of the 26th ACM Symposium on Operating Systems Principles
Y2 - 28 October 2017 through 31 October 2017
ER -