Simplifying security policy descriptions for internet servers in secure operating systems

Secure operating systems (secure OSes) are widely used to limit the damage caused by unauthorized access to Internet servers. However, writing a least-privilege security policy for a secure OS is a challenge for an administrator. Since a remote attacker cannot attack a server before establishing a connection to it, we propose a scheme that exploits execution phases to simplify security policy descriptions for Internet servers. In our scheme the whole system runs in one of two phases: an initialization phase, defined as the period before the server establishes connections to its clients, and a protocol processing phase, defined as the period after connections are established. The key observation is that, to defend against remote attacks, the secure OS needs to enforce access control only in the protocol processing phase. The access-control policy for the initialization phase can therefore be omitted, which reduces the number of policy rules the administrator must write. Our experimental results show that the scheme eliminates 47.2%, 27.5%, and 24.0% of the policy rules for HTTP, SMTP, and POP servers respectively, compared with an existing SELinux policy that also covers server initialization.
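The two-phase idea above can be made concrete with a small model. The following Python is an added example, not code or policy from the paper: a reference monitor standing in for the secure OS permits every access during the initialization phase and enforces a reduced rule set only after the server accepts its first connection. The phase transition is modelled by an explicit `on_accept()` call, whereas the real scheme has the OS detect connection establishment; the `httpd_t`-style type names and the rule set are constructed here for illustration and are not the paper's SELinux policy.

```python
"""Toy model of two-phase policy enforcement for an Internet server.

Added example, not code from the paper. The secure OS is modelled by a
reference monitor that permits every access during the initialization phase
and enforces the (reduced) policy only after the server accepts its first
connection. Rule and type names are SELinux-style but constructed here for
illustration; they are not the paper's policy.
"""
from dataclasses import dataclass
from enum import Enum


class Phase(Enum):
    INIT = "initialization"
    PROTO = "protocol_processing"


@dataclass(frozen=True)
class Rule:
    subject: str  # process domain, e.g. "httpd_t"
    obj: str      # object type, e.g. "httpd_config_t"
    perm: str     # permission, e.g. "read"


class PhaseMonitor:
    """Phase-aware reference monitor standing in for the secure OS."""

    def __init__(self, rules):
        self.rules = frozenset(rules)
        self.phase = Phase.INIT
        self.denied = []

    def on_accept(self):
        # The transition is one-way and driven by the monitor, not the
        # server: a compromised server must never re-enter the unrestricted
        # initialization phase.
        self.phase = Phase.PROTO

    def check(self, subject, obj, perm):
        if self.phase is Phase.INIT:
            return True  # no policy in the init phase: no remote attacker yet
        ok = Rule(subject, obj, perm) in self.rules
        if not ok:
            self.denied.append((subject, obj, perm))
        return ok


def reduced_policy(full_policy, init_only):
    """Rules that must remain once init-phase-only rules are dropped."""
    return frozenset(full_policy) - frozenset(init_only)


def reduction_ratio(full_policy, init_only):
    """Fraction of rules eliminated by the two-phase scheme."""
    full = frozenset(full_policy)
    return 1 - len(full - frozenset(init_only)) / len(full)


# Constructed policy for a hypothetical HTTP server domain (not the paper's).
FULL_POLICY = {
    Rule("httpd_t", "httpd_config_t", "read"),    # init: parse config
    Rule("httpd_t", "http_port_t", "name_bind"),  # init: bind :80/:443
    Rule("httpd_t", "httpd_key_t", "read"),       # init: load TLS private key
    Rule("httpd_t", "self", "setuid"),            # init: drop root
    Rule("httpd_t", "self", "setgid"),            # init: drop root
    Rule("httpd_t", "httpd_content_t", "read"),   # serve documents
    Rule("httpd_t", "httpd_log_t", "append"),     # write access log
    Rule("httpd_t", "httpd_tmp_t", "create"),     # temp files for uploads
    Rule("httpd_t", "httpd_tmp_t", "write"),
    Rule("httpd_t", "http_port_t", "accept"),     # accept client connections
}
# Rules only ever exercised before the first connection is established.
INIT_ONLY = {r for r in FULL_POLICY
             if r.obj in ("httpd_config_t", "httpd_key_t")
             or r.perm in ("name_bind", "setuid", "setgid")}


def run_server_lifecycle():
    """Simulate a server through both phases; return the monitor's denials."""
    mon = PhaseMonitor(reduced_policy(FULL_POLICY, INIT_ONLY))
    # Initialization: everything is permitted, so no rules are needed.
    assert mon.check("httpd_t", "httpd_config_t", "read")
    assert mon.check("httpd_t", "httpd_key_t", "read")
    assert mon.check("httpd_t", "http_port_t", "name_bind")
    mon.on_accept()  # first client connection: enforcement starts
    # Normal request handling is covered by the reduced policy.
    assert mon.check("httpd_t", "httpd_content_t", "read")
    assert mon.check("httpd_t", "httpd_log_t", "append")
    # An attacker who hijacks the worker tries to read the TLS key and
    # rebind a port: both were init-only and are now denied.
    mon.check("httpd_t", "httpd_key_t", "read")
    mon.check("httpd_t", "http_port_t", "name_bind")
    return mon.denied


if __name__ == "__main__":
    print(f"rules eliminated: {reduction_ratio(FULL_POLICY, INIT_ONLY):.1%}")
    print("denied after accept:", run_server_lifecycle())
```

Two points the model makes visible: the `accept` rule itself stays in the reduced policy, because accepting further connections happens in the protocol processing phase, and the transition into that phase must be irreversible and controlled by the monitor, otherwise a compromised server could simply declare itself "initializing" again to escape enforcement. The 50% reduction this constructed rule set yields is an artefact of the example, not the paper's measurement.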
