Design and Implementation of Fast Access Control That Supports the Separation of Duty

  • SeongKi Kim
  • EunKyung Jin
  • YoungJin Song
  • SangYong Han
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4318)


The importance of security-enhancing mechanisms at the kernel level, such as an access control, has been increasingly emphasized as the weaknesses and limitation of mechanisms at the user level have been revealed. Among many access controls available, role based access control (RBAC) is mandatory and supports the separation of duty when compared to discretionary access control (DAC). With these advantages, RBAC has been widely implemented at various levels of computing environments, such as the operating system and database management system levels. However, the overheads for supporting all of the RBAC features and flexibility are significant. We designed a fast, simple, and mandatory access control model with some RBAC and DAC characteristics, then implemented a prototype and measured its overheads.


Access control DAC RBAC Flask SELinux 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    National Computer Security Center: A Guide to Understanding Discretionary Access Control in Trusted Systems (December 30, 1987)Google Scholar
  2. 2.
    Hitchens, M., Varadharajan, V.: Design and specification of role-based access control policies. IEE Proceedings Software 147(4), 117–129 (2000)CrossRefGoogle Scholar
  3. 3.
    Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security 4(3), 224–274 (2001)CrossRefGoogle Scholar
  4. 4.
    Loscocco, P.A., Smalley, S.D.: Meeting critical security objectives with security-enhanced Linux. In: Proceedings of the 2001 Ottawa Linux Symposium (July 2001)Google Scholar
  5. 5.
    Loscocco, P., Smalley, S.: Integrating flexible support for security policies into the Linux operating system. In: Proceedings of the FREENIX Track 2001 USENIX Annual Technical Conference (FREENIX 2001) (June 2001)Google Scholar
  6. 6.
    Vance, C., Watson, R.: Security-Enhanced BSD. Technical Report, Rockville, MD (July 9, 2003)Google Scholar
  7. 7.
    Wright, C., Cowan, C., Smalley, S., Morris, J., Kroah-Hartman, G.: Linux security modules: General security support for the Linux kernel. In: Proceedings of the 11th USENIX Security Symposium, August 05–09, 2002, pp. 17–31 (2002)Google Scholar
  8. 8.
    Oracle Corporation: ORACLE7 Server SQL Language Reference Manual. 778-70-1292 (December 1992)Google Scholar
  9. 9.
    Barkley, J.: Comparing simple role-based access control models and access control lists. In: Second ACM Workshop on Role-Based Access Control, pp. 127–132 (1997)Google Scholar
  10. 10.
    Koch, M., Mancini, L.V., Parisi-Presicce, F.: A graph-based formalism for RBAC. ACM Transactions on Information and System Security (TISSEC) Archive 5(3), 332–365 (2002)CrossRefGoogle Scholar
  11. 11.
    Ferraiolo, D.F., Cugini, J., Kuhn, D.R.: Role Based Access Control: Features and Motivations. In: Proceedings of The 11th Annual Computer Security Applications Conference, New Orleans, USA, pp. 241–248 (December 1995)Google Scholar
  12. 12.
    Spencer, R., Smalley, S., Loscocco, P., Hibler, M., Andersen, D., Lepreau, J.: The Flask Security Architecture: System Support for Diverse Security Policies. In: Proceedings of the 8th USENIX Security Symposium, Washington, USA, pp. 123–139 (August 1999)Google Scholar
  13. 13.
    Niemi, D.C.: Unixbench 4.1.0,
  14. 14.
    McVoy, L., Staelin, C.: lmbench 2,
  15. 15.
    Mauro, J., McDougall, R.: Solaris Internals Core Kernel Architecture (2001)Google Scholar
  16. 16.
    Samar, V., Lai, C.: Making login services independent of authentication technologies. In: Proceedings of the SunSoft Developer’s Conference (March 1996)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • SeongKi Kim
    • 1
  • EunKyung Jin
    • 1
  • YoungJin Song
    • 1
  • SangYong Han
    • 1
  1. 1.School of Computer Science and EngineeringSeoul National UniversitySeoulKorea

Personalised recommendations