Consistency analysis and flow secure enforcement of SELinux policies

Abstract

SELinux policies used in practice contain tens of thousands of rules, making it hard to comprehend their impact on security and to verify whether they actually meet the intended security goals. In this paper, we describe an approach for reasoning about the consistency of a given SELinux policy by analyzing the information flows it causes. For this purpose, we model SELinux policy rules using the Readers-Writers Flow Model (RWFM). We have used this approach to implement a static policy analysis tool as well as a run-time monitor. The static policy analysis tool identifies all the possible indirect flows in a given policy and then filters out those indirect flows that pose a high threat. Given an indirect flow, the tool can also identify the sequences of accesses that cause it. The tool also ranks the rules and domains based on the number of policy violations they cause. Thus, the static analysis tool is useful for policy writers to develop flow secure policies. The run-time monitor, on the other hand, keeps track of the information flows in an SELinux system and detects indirect flows dynamically. This helps in ensuring flow secure enforcement of a given SELinux policy as per the specification. The efficiency and efficacy of our implementations are demonstrated through experimental analysis on large, real-life policies.
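To make the notion of an indirect flow concrete, here is an added example (not the paper's tool, and not RWFM; it uses a plain read/write flow graph) that derives direct flows from a constructed set of simplified allow rules, finds every source/destination pair reachable only through intermediate accesses, returns the access sequence behind each one, and ranks domains by how often they act as the intermediary. Domain and type names such as `httpd_t` and `shadow_t` are assumed sample values.

```python
from collections import deque

# Constructed sample policy: (source_domain, target_type, access).
# "read" and "write" stand in for SELinux permission sets.
SAMPLE_RULES = [
    ("httpd_t", "httpd_log_t", "write"),
    ("logrotate_t", "httpd_log_t", "read"),
    ("logrotate_t", "var_log_t", "write"),
    ("syslogd_t", "var_log_t", "read"),
    ("sshd_t", "shadow_t", "read"),
    ("sshd_t", "tmp_t", "write"),
    ("user_t", "tmp_t", "read"),
]


def build_flow_graph(rules):
    """Direct flows: a read moves data object->domain, a write domain->object."""
    graph = {}
    for dom, obj, access in rules:
        if access == "read":
            graph.setdefault(obj, set()).add(dom)
        elif access == "write":
            graph.setdefault(dom, set()).add(obj)
    return graph


def find_indirect_flows(rules):
    """Return {(src, dst): path} for flows not permitted by any single rule."""
    graph = build_flow_graph(rules)
    direct = {(s, t) for s, succ in graph.items() for t in succ}
    indirect = {}
    for start in graph:
        # BFS from each node records the shortest access sequence to each target
        queue, seen = deque([(start, [start])]), {start}
        while queue:
            node, path = queue.popleft()
            for nxt in sorted(graph.get(node, ())):
                if nxt in seen:
                    continue
                seen.add(nxt)
                new_path = path + [nxt]
                if (start, nxt) not in direct:
                    indirect[(start, nxt)] = new_path
                queue.append((nxt, new_path))
    return indirect


def rank_domains(rules, indirect):
    """Rank domains by how many indirect flows pass through them as an intermediary."""
    domains = {dom for dom, _, _ in rules}
    counts = {d: 0 for d in domains}
    for path in indirect.values():
        for node in path[1:-1]:
            if node in domains:
                counts[node] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```

In the sample policy no rule lets `user_t` touch `shadow_t`, yet the analysis reports the flow `shadow_t -> sshd_t -> tmp_t -> user_t`, which is the kind of high-threat indirect flow the paper's filter is meant to surface.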
