Check out the new USENIX Web site. next up previous
Next: Related Work Up: Discussion Previous: Effectiveness of Our Approach


Possible CQUAL Extension

A possible extension to CQUAL would enable us to correctly verify mediation between the controlled operations and all security-sensitive operations. The CQUAL team has an interim solution and are looking into a general solution [8]. We describe the problem here.

Currently, structures in CQUAL are treated as a collection of fields, so there is no relationship between a structure and its member fields. For example, in the code below, var->bar would not have type checked even though var does. Since structures are used extensively in the kernel, we believe it would greatly enhance the tool if CQUAL supports user-defined rules for inferring the types of member fields from the types of structures.

struct foo {
  int bar;
};

$checked struct foo *var;

For instance, for case 3 in Section 3.2.5, we would want the inode that is extracted from a checked dentry to be checked as well. In the case that a dentry is unchecked, the inode of the dentry is implicitly unchecked as well.

In addition, with current version of CQUAL, all instances of a structure type share the same qualifer type. For example, if bar is qualified as a checked type, all instances of foo would have a checked field for bar. What we want is to assign qualifier types to members on a per-instance basis.

For verifying that the controlled operations mediate the security-sensitive operations, we would also want any structure field accessed through a checked type to be checked as well. This would enable us to propagate authorizations through the structure completely. Then, we could find any members of a security-sensitive data type that is not accessed through a controlled data type.

Note that this approach is not always applicable depending on the semantics of the qualifications. This would not be appropriate for the type of qualifiers used by Wagner et. al. [14].


next up previous
Next: Related Work Up: Discussion Previous: Effectiveness of Our Approach
Catherine Zhang 2002-05-13