The User is Not the Enemy: Fighting Malware by Tracking User Intentions

Jeff Shirley and David Evans
New Security Paradigms Workshop (NSPW 2008)
Lake Tahoe, California
22-25 September 2008

Abstract

Current access control policies provide no mechanisms for incorporating user behavior in access control decisions, even though the way a user interacts with a program often indicates what the user expects that program to do. We develop a new approach to access control, focusing on single-user systems, in which the complete history of user and program actions can be used to improve the precision and expressiveness of access control policies. We describe mechanisms for securely capturing user actions, mapping those actions onto likely user intents, and a language for defining access control policies that incorporate user intentions. We implemented a prototype for capturing user intentions, and present results from experiments on malware mitigation using the prototype. Our results show that a very simple MAC policy can prevent a significant amount of system damage caused by malware while not interfering with most benign software.


Categories and Subject Descriptors
D.4.6 [Operating Systems]: Security and Protection

Keywords
User intent, access control, security policies.

Paper

Full paper (13 pages): [PDF]