The user is not the enemy: Fighting malware by tracking user intentions

Current access control policies provide no mechanisms for incorporating user behavior in access control decisions, even though the way a user interacts with a program often indicates what the user expects that program to do. We develop a new approach to access control, focusing on single-user systems, in which the complete history of user and program actions can be used to improve the precision and expressiveness of access control policies. We describe mechanisms for securely capturing user actions, mapping those actions onto likely user intents, and a language for defining access control policies that incorporate user intentions. We implemented a prototype for capturing user intentions, and present results from experiments on malware mitigation using the prototype. Our results show that a very simple MAC policy can prevent a significant amount of system damage caused by malware while not interfering with most benign software.