Review of Existing Analysis Tools for SELinux Security Policies: Challenges and a Proposed Solution.

There are many existing analysis tools for modeling and analyzing SELinux policies with the goal of answering specific safety and functionality questions. ... In this paper, we identify and highlight current gaps in these existing tools for SELinux policy analysis, and propose new tools and technologies with the potential to lead to significant improvements. ... Financial support from the Network of Centres of Excellence (MITACS) and Irdeto Canada is gratefully acknowledged. ...

doi:10.1007/978-3-319-59041-7_7 fatcat:5bbqdqjasrg7jn4qq2rhj577iy

by complicated analysis tools. ... We argue that it has a number of properties that are better from the usability point of view. We implemented this approach as a patch for the 2.6 Linux kernel. ... Thanks We would like to thank George Bakos for many useful discussions. This research program is a part of the Institute for Security ...

doi:10.1109/ares.2007.114 dblp:conf/IEEEares/BratusFMS07 fatcat:qrk6xdxffzhzdhzrm3iuboz6um

In this work, we propose a novel approach to policy-based provenance pruning -leverage the confinement properties provided by Mandatory Access Control (MAC) systems in order to identify subdomains of system ... We go on to identify the design challenges in implementing such a mechanism. ... Acknowledgements We would like to thank Rob Cunningham, Alin Dobra, Patrick McDaniel, Daniela Oliveira, Nabil Schear, and Patrick Traynor for their valuable comments and insight, as well as Devin Pohly ...

dblp:conf/tapp/BatesBM15 fatcat:opxr3bhkwzfuplgsjtfxfs2viy

In this paper, we propose EASE-Android, the first SEAndroid analytic platform for automatic policy analysis and refinement. ... Given an existing policy and a small set of known access patterns, EASEAndroid continually expands the knowledge base as new audit logs become available, producing suggestions for policy refinement. ... We also like to thank the paper shepherd and anonymous reviewers for their support to publish this paper. This work is done in Samsung Research America. ...

dblp:conf/uss/WangERZNXZA15 fatcat:ut3c4bn6nzgwdpgowdwntaj6tu

We also establish a set of policies and guidelines focused on the aforementioned architectures, in order to mitigate security threads and provide more effective solutions for existing vulnerabilities in ... VoIP is based on existing layers and protocols and therefore inherits their security issues. In relation to signalization, different protocols have been proposed for VoIP. ... For each of the scenario, we propose a set of policies and guidelines to mitigate security issues. ...

doi:10.7763/ijcte.2018.v10.1197 fatcat:geml5n3rb5fg3mrfjlwgxko3nu

In this paper, we define a novel policy model for describing when resource retrievals are unsafe, so they can be blocked. ... By making adversary models and the adversary accessibility of all aspects of resource retrieval explicit, we can block resource access attacks system-wide. ... However, using a capability system presents a challenge to programmers because they must reason about both the functionality and security of their programs concurrently. ...

doi:10.1145/2613087.2613111 dblp:conf/sacmat/VijayakumarGJ14 fatcat:7zgjk2qz3ncgvp2zzkb3fbovw4

Given the growing complexity of policy languages and access control systems, verifying that such systems enforce the desired invariants is recognized as a security problem of crucial importance. ... We develop a formal semantics for grsecurity's RBAC system, based on a labelled transition system, and a sound abstraction of that semantics providing a bounded approximation, amenable to model checking ... Security analysis Policies in grsecurity are much more concise and readable than policies for other access control systems as, e.g., SELinux [14] . ...

doi:10.1109/csf.2012.29 dblp:conf/csfw/BugliesiCFS12 fatcat:nsonkssr3nh4nbsk7rdmftpr7m

This paper investigates various security issues in container based systems and proposes a solution for securing the container using a novel access control model. ... Containerization enables the creation of isolated, multiple user-space instances and effectual consumption of resources and rapid provisioning. ... The most prevalent MAC technologies for Linux are SELinux and AppArmor and are realized using Linux Security Modules (LSM) framework. a) SELinux [14] SELinux administers policy-based security controls ...

doi:10.26483/ijarcs.v9i2.5733 fatcat:ipw7idhedrduromtwgwmlpt3f4

Open Access

Specifically, we propose a mandatory access control-based defense to blocking malware that launch attacks through creating new processes for execution. ... To combat more elaborated malware which redirect program flows of normal applications to execute malicious code within a legitimate security domain, we further propose using artificial intelligence (AI ... ACKNOWLEDGMENT The authors would like to thank the anonymous reviewers for their valuable comments. This work was supported in part by grants NSF-0643906 and NSF-0721579. ...

doi:10.1109/srds.2009.21 dblp:conf/srds/XieZCJZ09 fatcat:qjabllpaxrathbpyqwwy7eacsm

This paper presents Margrave, a software suite for analyzing role-based access-control policies. ... It also provides semantic differencing information between versions of policies. We have implemented these techniques and applied them to policies from a working software application. ... We thank Robin Fairbairns for the moreverb package for L A T E X. ...

doi:10.1145/1062455.1062502 dblp:conf/icse/FislerKMT05 fatcat:heqf7arsgbcw5b6ol4p3snbxrm

In this paper, we discuss the current state of smartphone research, including e↵orts in designing new OS protection mechanisms, as well as performing security analysis of real apps. ... Smartphone security research has become very popular in response to the rapid, worldwide adoption of new platforms such as Android and iOS. ... [25] propose ded to reverse Android applications to their original Java form, for which sophisticated static program analysis tools already exist. ...

doi:10.1007/978-3-642-25560-1_3 fatcat:q6xhlwtow5geplbbx5dlgef6pi

LSM (Linux Security Modules) has been developed as a lightweight, general purpose, access control framework for the mainstream Linux kernel, many tools employ LSM to implement mandatory access control ... In this paper, a practical, efficient, secure mechanism, namely RTA (Real-Time Authentication) is proposed to add real-time user authentication support for traditional LSM. ... , and Huan Liu for discussing the design of the architecture of EWL. ...

doi:10.12783/dtcse/cst2017/12515 fatcat:nbf33tgzvneblg4ulton6bjscq

a proper SELinux policy. ... For example, we ported a SELinux into Android and activated a security policy for enhanc-ing the protection of system processes. 10 Moreover, we enabled a NetFilter-based firewall that users can easily ... Asaf Shabtai, CISSP, is a PhD student at Ben-Gurion ...

doi:10.1109/msp.2010.2 fatcat:xwh3y4lrxzhytau6zuu5nywqoe

While common issues exist across all three domains, unique challenges arise for each of them, which we discuss. ... The evolution of technologies from traditional operating systems to mobile and cloud computing brings about new security challenges. It is perhaps timely that we review the work that has been done. ... In these ways, SELinux does not serve as a practical information confinement solution for an average user. ...

doi:10.3745/jips.2013.9.2.189 fatcat:4zcwhg5divefrn56wjfgjg7ake

This paper provides the first analysis of sandbox policies defined for Flatpak and Snap applications, covering 283 applications contained in both platforms. ... When studying the set of matching applications that appear in both Flatpak and Snap app stores, we frequently found policy mismatches: e.g., the Flatpak version has a broad privilege (e.g., file access ... Any findings and opinions expressed in this material are those of the authors and do not necessarily reflect the views of the funding agencies. ...

doi:10.1145/3532105.3535016 fatcat:3c2yjnq53ndqxhgyhjru6bvn5q

Review of Existing Analysis Tools for SELinux Security Policies: Challenges and a Proposed Solution [chapter]

Preserved Fulltext

Pastures: Towards Usable Security Policy Engineering

Preserved Fulltext

Take Only What You Need: Leveraging Mandatory Access Control Policy to Reduce Provenance Storage Costs

Preserved Fulltext

EASEAndroid: Automatic Policy Analysis and Refinement for Security Enhanced Android via Large-Scale Semi-Supervised Learning

Preserved Fulltext

A Set of Policies and Guidelines for Deploying Safer VoIP Solutions

Preserved Fulltext

Policy models to protect resource retrieval

Preserved Fulltext

Gran: Model Checking Grsecurity RBAC Policies

Preserved Fulltext

AN APPROACH TO IMPROVE ISOLATION AND SECURITY IN CONTAINER BASED CLOUD SYSTEMS

Preserved Fulltext

Designing System-Level Defenses against Cellphone Malware

Preserved Fulltext

Verification and change-impact analysis of access-control policies

Preserved Fulltext

Defending Users against Smartphone Apps: Techniques and Future Directions [chapter]

Preserved Fulltext

Thin Hypervisor-Based User Authentication Mechanism for Linux Security Modules

Preserved Fulltext

Google Android: A Comprehensive Security Assessment

Preserved Fulltext

The Confinement Problem: 40 Years Later

Preserved Fulltext

A Study of Application Sandbox Policies in Linux

Preserved Fulltext