Abstract
Although configuring security policies is crucial for operating systems to constrain applications' operations and to protect the confidentiality and integrity of sensitive resources inside the systems, it is an intractable task for security administrators to accomplish correctly and consistently by hand alone. Policy analysis methods have therefore become a research hotspot. Much of this research focuses on SELinux, a security-enhanced module of the popular open-source Linux. Among the various analysis methods for SELinux policies, those based on access control spaces, information flows and colored Petri-nets (CPNs) can be regarded as the three most valuable, and they can be used together in a complementary way. In this paper, a prototype of the SELinux policies Configuration Integrated Analysis Tool, i.e. SCIATool, is designed and implemented by integrating these three methods. Test results are provided, and further research towards constructing a computer-aided configuration tool for SELinux policies is discussed.
Acknowledgements
The research presented in this paper was performed with the support of the Fundamental Research Funds for the Central Universities (No. 2009JBM019). This paper was also supported by the State Scholarship Fund of China Scholarship Council (File No. 201307095025).
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Zhai, G., Guo, T., Huang, J. (2015). SCIATool: A Tool for Analyzing SELinux Policies Based on Access Control Spaces, Information Flows and CPNs. In: Yung, M., Zhu, L., Yang, Y. (eds) Trusted Systems. INTRUST 2014. Lecture Notes in Computer Science, vol 9473. Springer, Cham. https://doi.org/10.1007/978-3-319-27998-5_19
DOI: https://doi.org/10.1007/978-3-319-27998-5_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-27997-8
Online ISBN: 978-3-319-27998-5
eBook Packages: Computer Science (R0)