论文信息 - Towards a formal model for security policies specification and validation in the selinux system

Towards a formal model for security policies specification and validation in the selinux system

This paper presents a formal model, called SELAC, for analyzing an arbitrary security policy configuration for the SELinux system. A security policy for SELinux is complex and large: it is made by many configuration rules that refer to the access control sub-models implemented in the system. Among the rules composing a security policy configuration, many relationships occur and it is extremely difficult to understand their overall effects in the system. Our aim is to define semantics for the constructs of the SELinux configuration language and to model the relationships occurring among sets of configuration rules. Finally, we develop an algorithm based upon SELAC, which can verify whether, given an arbitrary security policy configuration, a given subject can access a given object in a given mode.

Luigi V. Mancini | Giorgio Zanin | L. Mancini | G. Zanin

[1] Mike Hibler,et al. The Flask Security Architecture: System Support for Diverse Security Policies , 1999, USENIX Security Symposium.

[2] Trent Jaeger,et al. Policy management using access control spaces , 2003, TSEC.

[3] Daniel F. Sterne,et al. Practical Domain and Type Enforcement for UNIX , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[4] James P Anderson,et al. Computer Security Technology Planning Study , 1972 .

[5] Sylvia L. Osborn,et al. The role graph model and conflict of interest , 1999, TSEC.

[6] Daniel F. Sterne,et al. A Domain and Type Enforcement UNIX Prototype , 1995, Comput. Syst..

[7] Trent Jaeger,et al. Analyzing Integrity Protection in the SELinux Example Policy , 2003, USENIX Security Symposium.

[8] Peter Loscocco,et al. Meeting Critical Security Objectives with Security-Enhanced Linux , 2001 .

[9] D. Richard Kuhn,et al. Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems , 1997, RBAC '97.

[10] Stephen Smalley,et al. Integrating Flexible Support for Security Policies into the Linux Operating System , 2001, USENIX Annual Technical Conference, FREENIX Track.