Mandatory Access Control Method for Windows Embedded OS Security

Abstract

The Windows Embedded operating system (OS) adopts a discretionary access control (DAC)-based policy, but underlying vulnerabilities exist because of external hacker attacks and other factors. In this study, we propose a system that improves the security of the Windows Embedded OS by applying a mandatory access control (MAC) policy in which the access rights of objects, such as files and folders, and subjects’ privileges, such as processes, are compared. We conducted access control tests to verify whether the proposed system could avoid the vulnerabilities of DAC-based systems. Our results indicate that the existing DAC-based security systems could be neutralized if a principal’s security policy is removed. However, in the proposed MAC-based Windows Embedded OS, even if the clearance and category values of a subject’s files are given the highest rating, all accesses are automatically denied. Therefore, the execution of all files that were not previously registered on the whitelist was denied, proving that security was improved relative to DAC-based systems.