Characterizing SEAndroid Policies in the Wild

Starting from the 5.0 Lollipop release all Android processes must be run inside confined SEAndroid access control domains. As a result, Android device manufacturers were compelled to develop SEAndroid expertise in order to create policies for their device-specific components. In this paper we analyse SEAndroid policies from a number of 5.0 Lollipop devices on the market, and identify patterns of common problems we found. We also suggest some practical tools that can improve policy design and analysis. We implemented the first of such tools, SEAL.

[1]  Daniel F. Sterne,et al.  Practical Domain and Type Enforcement for UNIX , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[2]  Aruna Raja,et al.  Domain Specific Languages , 2010 .

[3]  Trent Jaeger,et al.  Analyzing Integrity Protection in the SELinux Example Policy , 2003, USENIX Security Symposium.

[4]  Stephen Smalley,et al.  Security Enhanced (SE) Android: Bringing Flexible MAC to Android , 2013, NDSS.

[5]  Joshua D. Guttman,et al.  Verifying information flow goals in Security-Enhanced Linux , 2005, J. Comput. Secur..

[6]  Mike Hibler,et al.  The Flask Security Architecture: System Support for Diverse Security Policies , 1999, USENIX Security Symposium.

[7]  W. Taha,et al.  Plenary talk III Domain-specific languages , 2008, 2008 International Conference on Computer Engineering & Systems.

[8]  Mohamed Shehab,et al.  SEGrapher: Visualization-based SELinux policy analysis , 2011, 2011 4th Symposium on Configuration Analytics and Automation (SAFECONFIG).

[9]  Mick Bauer,et al.  Paranoid penguin: an introduction to Novell AppArmor , 2006 .

[10]  Yajin Zhou,et al.  Dissecting Android Malware: Characterization and Evolution , 2012, 2012 IEEE Symposium on Security and Privacy.

[11]  Jeffrey D. Ullman,et al.  Protection in operating systems , 1976, CACM.

[12]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[13]  Casey Schaufler Smack in Embedded Computing , 2010 .

[14]  Patrice Clemente,et al.  SPTrack: Visual Analysis of Information Flows within SELinux Policies and Attack Logs , 2012, AMT.

[15]  Peng Ning,et al.  EASEAndroid: Automatic Policy Analysis and Refinement for Security Enhanced Android via Large-Scale Semi-Supervised Learning , 2015, USENIX Security Symposium.

[16]  Wayne Salamon,et al.  Implementing SELinux as a Linux Security Module , 2003 .

[17]  Winfried E. Kühnhauser,et al.  Model-based safety analysis of SELinux security policies , 2011, 2011 5th International Conference on Network and System Security.