Murdoch University Research Repository

Welcome to the Murdoch University Research Repository

The Murdoch University Research Repository is an open access digital collection of research
created by Murdoch University staff, researchers and postgraduate students.

Learn more

Functionality-based application confinement: parameterised hierarchical application restrictions

Schreuders, Z.C. and Payne, C. (2008) Functionality-based application confinement: parameterised hierarchical application restrictions. In: International Conference on Security and Cryptography (SECRYPT 2008), 26 - 29 July, Porto, Portugal

PDF - Published Version
Download (518kB)


Traditional user-oriented access control models such as Mandatory Access Control (MAC) and Discretionary Access Control (DAC) cannot differentiate between processes acting on behalf of users and those behaving maliciously. Consequently, these models are limited in their ability to protect users from the threats posed by vulnerabilities and malicious software as all code executes with full access to all of a user's permissions. Application-oriented schemes can further restrict applications thereby limiting the damage from malicious code. However, existing application-oriented access controls construct policy using complex and inflexible rules which are difficult to administer and do not scale well to confine the large number of feature-rich applications found on modern systems. Here a new model, Functionality-Based Application Confinement (FBAC), is presented which confines applications based on policy abstractions that can flexibly represent the functional requirements of applications. FBAC policies are parameterised allowing them to be easily adapted to the needs of individual applications. Policies are also hierarchical, improving scalability and reusability while conveniently abstracting policy detail where appropriate. Furthermore the layered nature of policies provides defence in depth allowing policies from both the user and administrator to provide both discretionary and mandatory security. An implementation FBAC-LSM and its architecture are also introduced.

Item Type: Conference Paper
Murdoch Affiliation(s): School of Information Technology
Publisher: INSTICC Press
Copyright: Institute for Systems and Technologies of Information
Conference Website:
Notes: Published by INSTICC Press
Item Control Page Item Control Page


Downloads per month over past year