nach oben

Erschienen in:

2017 | OriginalPaper | Buchkapitel

Review of Existing Analysis Tools for SELinux Security Policies: Challenges and a Proposed Solution

verfasst von : Amir Eaman, Bahman Sistany, Amy Felty

Erschienen in: E-Technologies: Embracing the Internet of Things

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Access control policy management is an increasingly hard problem from both the security point of view and the verification point of view. SELinux is a Linux Security Module (LSM) implementing a mandatory access control mechanism. SELinux integrates user identity, roles, and type security attributes for stating rules in security policies. As SELinux policies are developed and maintained by security administrators, they often become quite complex, and it is important to carefully analyze them in order to have high assurance of their correctness. There are many existing analysis tools for modeling and analyzing SELinux policies with the goal of answering specific safety and functionality questions. In this paper, we identify and highlight current gaps in these existing tools for SELinux policy analysis, and propose new tools and technologies with the potential to lead to significant improvements. The proposed solution includes adopting a certified access control policy language such as ACCPL (A Certified Access Core Policy Language). ACCPL comes with formal proofs of important properties, and our proposed solution includes adopting it to facilitate various analyses and proof of reasonability properties. ACCPL is general, and our goal is to design a certified domain-specific policy language based on it, specialized to our task.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Compliance Verification Algorithm for Computer Systems Security Policies

Nächstes Kapitel A Supervised Approach for Spam Detection Using Text-Based Semantic Representation

Amthor, P., Kühnhauser, W.E., Pölck, A.: Model-based safety analysis of SELinux security policies. In: 5th International Conference on Network and System Security (NSS), pp. 208–215 (2011)

Archer, M., Leonard, E.I., Pradella, M.: Modeling security-enhanced Linux policy specifications for analysis. In: 3rd DARPA Information Survivability Conference and Exposition (DISCEX-III), pp. 164–169 (2003)

Bertot, Y., Castéran, P.: Interactive Theorem Proving and Program Development. Coq’Art: The Calculus of Inductive Constructions. Springer, Heidelberg (2004)CrossRefMATH

Bishop, M.A.: The Art and Science of Computer Security. Addison-Wesley Longman Publishing Co. Inc., Boston (2002)

Chen, Y.-M., Kao, Y.-W.: Information flow query and verification for security policy of Security-Enhanced Linux. In: Yoshiura, H., Sakurai, K., Rannenberg, K., Murayama, Y., Kawamura, S. (eds.) IWSEC 2006. LNCS, vol. 4266, pp. 389–404. Springer, Heidelberg (2006). doi:10.1007/11908739_28 CrossRef

Clemente, P., Kaba, B., Rouzaud-Cornabas, J., Alexandre, M., Aujay, G.: SPTrack: visual analysis of information flows within SELinux policies and attack logs. In: Huang, R., Ghorbani, A.A., Pasi, G., Yamaguchi, T., Yen, N.Y., Jin, B. (eds.) AMT 2012. LNCS, vol. 7669, pp. 596–605. Springer, Heidelberg (2012). doi:10.1007/978-3-642-35236-2_60 CrossRef

Coq Development Team: The Coq Proof Assistant Reference Manual (Version 8.6) (2016). https://coq.inria.fr/distrib/current/files/Reference-Manual.pdf

Guttman, J.D., Herzog, A.L., Ramsdell, J.D., Skorupka, C.W.: Verifying information flow goals in Security-Enhanced Linux. J. Comput. Secur. 13(1), 115–134 (2005)CrossRef

Harrison, M.A., Ruzzo, W.L., Ullman, J.D.: Protection in operating systems. Commun. ACM 19(8), 461–471 (1976)CrossRefMATH

10.

Hurd, J., Carlsson, M., Finne, S., Letner, B., Stanley, J., White, P.: Policy DSL: high-level specifications of information flows for security policies. In: High Confidence Software and Systems (HCSS) (2009)

11.

Jaeger, T., Edwards, A., Zhang, X.: Managing access control policies using access control spaces. In: 7th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 3–12. ACM Press (2002)

12.

Jaeger, T., Sailer, R., Zhang, X.: Analyzing integrity protection in the SELinux example policy. In: 12th USENIX Security Symposium (2003)

13.

Kissinger, A., Hale, J.C.: Lopol: a deductive database approach to policy analysis and rewriting. In: Security-Enhanced Linux Symposium, pp. 388–393 (2006)

14.

Loscocco, P., Smalley, S.D.: Meeting critical security objectives with Security-Enhanced Linux. In: Ottawa Linux Symposium, pp. 115–134 (2001)

15.

Marouf, S., Shehab, M.: SEGrapher: visualization-based SELinux policy analysis. In: 4th Symposium on Configuration Analytics and Automation (SAFECONFIG), pp. 1–8 (2011)

16.

Mayer, F., Caplan, D., MacMillan, K.: SELinux by Example: Using Security Enhance Linux. Prentice Hall, Upper Saddle River (2006)

17.

Nakamura, Y., Sameshima, Y., Tabata, T.: SEEdit: SELinux security policy configuration system with higher level language. In: 23rd Large Installation System Administration Conference, pp. 107–117 (2009)

18.

National Security Agency: Security-Enhanced Linux (2016). https://www.nsa.gov/what-we-do/research/selinux/

19.

Reshetova, E., Bonazzi, F., Asokan, N.: SELint: an SEAndroid policy analysis tool. CoRR abs/1608.02339 (2016)

20.

Reshetova, E., Bonazzi, F., Nyman, T., Borgaonkar, R., Asokan, N.: Characterizing SEAndroid policies in the wild. CoRR abs/1510.05497 (2015)

21.

Singh, A., Ramakrishnan, C.R., Ramakrishnan, I.V., Stoller, S.D., Warren, D.S.: Security policy analysis using deductive spreadsheets. In: ACM Workshop on Formal Methods in Security Engineering (FMSE), pp. 42–50 (2007)

22.

Sistany, B.: A certified core policy language. Ph.D. thesis, University of Ottawa (2016). https://www.ruor.uottawa.ca/handle/10393/34865

23.

Stallings, W., Brown, L.: Computer Security, Principles and Practices. Pearson Education, New York (2008)

24.

The Fedora-SELinux Support List: Fedora SELinux Support. https://lists.fedoraproject.org/admin/lists/selinux.lists.fedoraproject.org/

25.

Tresys Technology: APOL (2016). https://github.com/TresysTechnology/setools3

26.

Tschantz, M.C.: The clarity of languages for access-control policies. Ph.D. thesis, Brown University (2005)

27.

Tschantz, M.C., Krishnamurthi, S.: Towards reasonability properties for access-control policy languages. In: 11th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 160–169 (2006)

28.

Wang, R., Enck, W., Reeves, D.S., Zhang, X., Ning, P., Xu, D., Zhou, W., Azab, A.M.: EASEAndroid: automatic policy analysis and refinement for Security-Enhanced Android via large-scale semi-supervised learning. In: 24th USENIX Security Symposium, pp. 351–366 (2015)

29.

Xu, W., Shehab, M., Ahn, G.: Visualization-based policy analysis for SELinux: framework and user study. Int. J. Inf. Secur. 12(3), 155–171 (2013)CrossRef

30.

Xu, W., Zhang, X., Ahn, G.: Towards system integrity protection with graph-based policy analysis. In: 23rd Annual International Federation for Information Processing (IFIP), Data and Applications Security XXIII, pp. 65–80 (2009)

31.

Zanin, G., Mancini, L.V.: Towards a formal model for security policies specification and validation in the SELinux system. In: 9th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 136–145. ACM Press (2004)

32.

Zhai, G., Guo, T., Huang, J.: SCIATool: a tool for analyzing SELinux policies based on access control spaces, information flows and CPNs. In: Yung, M., Zhu, L., Yang, Y. (eds.) INTRUST 2014. LNCS, vol. 9473, pp. 294–309. Springer, Cham (2015). doi:10.1007/978-3-319-27998-5_19

Titel: Review of Existing Analysis Tools for SELinux Security Policies: Challenges and a Proposed Solution
verfasst von: Amir Eaman
Bahman Sistany
Amy Felty
Verlag: Springer International Publishing
Buch: E-Technologies: Embracing the Internet of Things
Print ISBN: 978-3-319-59040-0

Electronic ISBN: 978-3-319-59041-7

Copyright-Jahr: 2017
DOI: https://doi.org/10.1007/978-3-319-59041-7_7

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner