ABSTRACT
In this paper, we present an approach for analyzing the integrity protection in the SELinux example policy. The SELinux example policy is intended as an example that administrators customize to create a policy for their site's security goals, but the complexity of the model and the size of the policy make this quite difficult. Our aim is to provide an access control model in which site security goals can be expressed and resolved against the SELinux policy. Ultimately, we aim to define a minimal trusted computing base (TCB) that satisfies Clark-Wilson integrity, by first testing for the more restrictive Biba integrity policy and then resolving conflicts using Clark-Wilson semantics. Our policy analysis tool, Gokyo, implements the following approach: (1) it represents the SELinux example policy and our integrity goals; (2) it identifies conflicts between them; (3) it estimates the resolutions to these conflicts; and (4) it provides information for deciding upon a resolution. Using Gokyo, we derive a proposal for a minimal TCB for SELinux that includes 30 subject types, and we identify the work remaining to ensure that this TCB is integrity-protected. Our analysis is performed on the SELinux example policy for Linux 2.4.19.
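The Biba test and conflict-resolution estimate described in the abstract, as an added illustration that is not Gokyo's code: a constructed set of SELinux-style allow rules and a constructed TCB set are checked for objects that a non-TCB subject type can write and a TCB subject type reads, and each conflict is costed under three resolutions (extend the TCB, drop the TCB read, or keep the access and require the reader to validate its input in Clark-Wilson style). The type names and permission classes are assumptions for the example.

```python
# Constructed SELinux-style allow rules: (subject_type, object_type, permissions).
RULES = [
    ("kernel_t", "etc_t", {"read"}),
    ("init_t", "etc_t", {"read", "write"}),
    ("init_t", "init_var_run_t", {"read", "write"}),
    ("sshd_t", "etc_t", {"read"}),
    ("sshd_t", "tmp_t", {"read", "write"}),
    ("user_t", "tmp_t", {"read", "write"}),
    ("user_t", "user_home_t", {"read", "write"}),
    ("user_t", "etc_t", {"read"}),
    ("httpd_t", "user_home_t", {"read", "write"}),
    ("logrotate_t", "var_log_t", {"read", "write"}),
    ("syslogd_t", "var_log_t", {"append"}),
]
# Constructed candidate TCB (the paper's real proposal has 30 subject types).
TCB = {"kernel_t", "init_t", "sshd_t", "syslogd_t"}
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}
READ_PERMS = {"read", "execute"}


def biba_conflicts(rules, tcb):
    """Map object_type -> (non-TCB writers, TCB readers) for every object that
    a subject outside the TCB can modify and a subject inside the TCB reads.
    Biba forbids a high-integrity subject from reading low-integrity data, so
    each entry is an integrity conflict in the candidate TCB."""
    low_writers, high_readers = {}, {}
    for subj, obj, perms in rules:
        if subj not in tcb and perms & WRITE_PERMS:
            low_writers.setdefault(obj, set()).add(subj)
        if subj in tcb and perms & READ_PERMS:
            high_readers.setdefault(obj, set()).add(subj)
    return {obj: (low_writers[obj], high_readers[obj])
            for obj in low_writers if obj in high_readers}


def estimate_resolutions(rules, tcb):
    """Cost each conflict under three resolutions. Extending the TCB is
    re-checked, because newly trusted types may read other untrusted data."""
    out = {}
    for obj, (writers, readers) in biba_conflicts(rules, tcb).items():
        drop_rules = sum(1 for s, o, p in rules
                         if o == obj and s in readers and p & READ_PERMS)
        out[obj] = {
            "extend_tcb": {"added": sorted(writers),
                           "remaining_conflicts": len(biba_conflicts(rules, tcb | writers))},
            "drop_tcb_read": {"rules_removed": drop_rules},
            "sanitize_input": {"readers_to_verify": sorted(readers)},  # Clark-Wilson TP
        }
    return out
```

In this sample, `tmp_t` is the only conflict; pulling `user_t` into the TCB merely moves the problem to `user_home_t`, which is the kind of transitive cost the analysis has to surface.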
Index Terms
- Analyzing integrity protection in the SELinux example policy