Technical Report Number
Popular security techniques such as public-private key encryption, ﬁrewalls, and role-based access control offer signiﬁcant protec-tion of system data, but offer only limited protection of the computations using that data from signiﬁcant interference due to accident or adversarial attack. However, in an increasing number of modern systems, ensuring the reliable execution of system activities is every bit as important as ensuring data security. This paper makes three contributions to the state of the art in protection of the execution of system activities from accidental or adversarial interference. First, we consider the motivating problem of CPU-focused denial of service attacks, and explain how limitations of current approaches to these kinds of attacks make it difﬁcult to offer sufﬁciently rigorous and ﬁne-grained assurances of protection for the execution of system computations. Second, we describe a novel solution approach in which we have integrated ﬁne-grained scheduling decision functions with system call hooks from the Security Enhanced Linux (SELinux) framework within the Linux 2.6 kernel. Third, we present empirical evaluations of the efﬁcacy of our approach in controlling the CPU utilization of competing greedy computations that are either completely CPU bound, or that interleave I/O and CPU access, across a range of relative allocations of the CPU.
Migliaccio, Armando; Tidwell, Terry; Gill, Christopher; Aswathanarayana, Tejasvi; and Niehaus, Douglas, "Group Scheduling in SELinux to Mitigate CPU-Focused Denial of Service Attacks" Report Number: WUCSE-2005-55 (2005). All Computer Science and Engineering Research.