Research on User Permission Isolation for Multi-Users Service-Oriented Program


For the super user privilege control problem in system services, a user permission isolation method is proposed. Based on virtualization technology, the permission limited environments are constructed for different users. According to privilege sets, the users, mapping relations are built among users, isolated domains and program modules. Besides, we give an algorithm for division of program permissions based on Concept Lattices. And the security strategies are designed for different isolated domains. Finally, we propose the implications of least privilege, and prove that the method eliminates the potential privileged users in system services.

Share and Cite:

L. Yu, J. Wei, L. Li, Z. Jing, L. Peng, Y. Lai and S. Bu, "Research on User Permission Isolation for Multi-Users Service-Oriented Program," International Journal of Communications, Network and System Sciences, Vol. 5 No. 2, 2012, pp. 105-110. doi: 10.4236/ijcns.2012.52014.

Conflicts of Interest

The authors declare no conflicts of interest.


[1] R. Stevens, “Advanced Programming in the UNIX Environment,” Addison-Wesley Publishing Company, 1992.
[2] H. Chen, D. Wagner and D. Dean, “Setuid Demystified,” Proceedings of the11th USENIX Security Symposium, San Francisco, 05-09 August 2002, pp. 171-190.
[3] Sendmail Inc. Sendmail Workaround for Linux Capabilities Bug, 2009.
[4] D. Price and A. Tucker, “Solaris Zones: Operating System Support for Consolidating Commercial Workloads,” USENIX 18th Large Installation System Administration Conference (LISA’04), Atlanta, 14-19 November 2004, pp. 241-254.
[5] C. Lindig and G. Snelting, “Assessing Modular Structure of Legacy Code Based on Mathematical Concept Analysis,” Proceedings of the 19th International Conference on Software Engineering, Boston, May 1997, pp. 349-359.
[6] K. Buyens, B. D. Win, and W. Joosen, “Resolving Least Privilege Violations in Software Architectures,” Proceedings of the 5th International Workshop on Software Engineering for Secure Systems, Vancouver, 19 May 2009, pp. 9-16.
[7] T. E. Levin, C. E. Irvine and T. D. Nguyen, “A Least Privilege Model for Static Separation Kernels,” Technical Report NPS-CS-05-003, Center of Information Systems Security Studies and Research, Naval Postgraduate School, October 2004.
[8] J. H. Saltzer and M. D. Schroeder, “The Protection of Information in Computer Systems,” Proceedings of the IEEE, Vol. 63, No. 9, 1975, pp. 1278-1308. doi:10.1109/PROC.1975.9939
[9] S. Chen, J. Dunagan, C. Verbowski and Y.-M. Wang, “A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities,” Proceedings of Network and Distributed System Security Symposium, San Diego, 3-4 February 2005, pp. 42-53.
[10] K. Buyens, R. Scandariato and W. Joosen, “Composition of Least Privilege Analysis Results in Software Architectures,” Proceeding of the 7th International Workshop on Software Engineering for Secure Systems, Waikiki, 22 May 2011, pp. 29-35.
[11] D. Kilpatrick, “Privman: A Library for Partitioning Applications,” Proceedings of Freenix, San Antonio, 12-14 June 2003, pp. 273-284.
[12] D. Brumley and D. Song, “Privtrans: Automatically Partitioning Programs for Privilege Separation,” Proceedings of the 13th conference on USENIX Security Symposium, San Diego, 9-13 August 2004, p. 5.
[13] P. H. Kamp and R. N. Watson, “Jails: Confining the Omnipotent Root,” 2nd International System Administration and Network Engineering Conference (SANE’00), Maastricht, 2000, pp. 1-15.
[14] S. Evan, “Securing FreeBSD Using Jail,” System Administration, Vol. 10, No. 5, 2001, pp. 31-37.
[15] Y. Yu, F.-L. Guo, S. Nanda, L.-C. Lam and T.-C. Chiueh, “A Feather-Weight Virtual Machine for Windows Applications,” Proceedings of the Second ACM/USENIX Conference on Virtual Execution Environments (VEE’06), Ottawa, 14-16 June 2006, pp. 24-34.

Copyright © 2024 by authors and Scientific Research Publishing Inc.

Creative Commons License

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.