A logical specification and analysis for SELinux MLS policy

Hicks, Boniface; Rueda, Sandra; Clair, Luke St.; Jaeger, Trent; McDaniel, Patrick

doi:10.1145/1266840.1266854

Cited by 25 publications

(16 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…In a policy compliance problem, a policy is said to comply with a goal if all the operations authorized by the policy satisfy the constraints of the goal [25,11,24,15]. The problem is that MAC policies often fail to comply with integrity requirements, as discussed above, so we must repair non-compliant cases.…”

Section: Related Workmentioning

confidence: 99%

Transforming commodity security policies to enforce Clark-Wilson integrity

Muthukumaran

Rueda

Talele

et al. 2012

Proceedings of the 28th Annual Computer Security Applications Conference

Self Cite

View full text Add to dashboard Cite

Modern distributed systems are composed from several offthe-shelf components, including operating systems, virtualization infrastructure, and application packages, upon which some custom application software (e.g., web application) is often deployed. While several commodity systems now include mandatory access control (MAC) enforcement to protect the individual components, the complexity of such MAC policies and the myriad of possible interactions among individual hosts in distributed systems makes it difficult to identify the attack paths available to adversaries. As a result, security practitioners react to vulnerabilities as adversaries uncover them, rather than proactively protecting the system's data integrity. In this paper, we develop a mostly-automated method to transform a set of commodity MAC policies into a system-wide policy that proactively protects system integrity, approximating the Clark-Wilson integrity model. The method uses the insights from the Clark-Wilson model, which requires integrity verification of security-critical data and mediation at program entrypoints, to extend existing MAC policies with the proactive mediation necessary to protect system integrity. We demonstrate the practicality of producing Clark-Wilson policies for distributed systems on a web application running on virtualized Ubuntu SELinux hosts, where our method finds: (1) that only 27 additional entrypoint mediators are sufficient to mediate the threats of remote adversaries over the entire distributed system and (2) and only 20 additional local threats require mediation to approximate Clark-Wilson integrity comprehensively. As a result, available security policies can be used as a foundation for proactive integrity protection from both local and remote threats.

show abstract

Section: Related Workmentioning

confidence: 99%

Transforming commodity security policies to enforce Clark-Wilson integrity

Muthukumaran

Rueda

Talele

et al. 2012

Proceedings of the 28th Annual Computer Security Applications Conference

Self Cite

View full text Add to dashboard Cite

show abstract

“…SELinux uses type enforcement to label process so we identified a set of subject types that represent the target system TCB. We used PALMS [14] to find this set. PALMS is a tool written in XSB Prolog [37] that verifies the integrity of a TCB by querying an SELinux policy with an initial TCB set.…”

Section: Evaluation Of Enforcementmentioning

confidence: 99%

Justifying Integrity Using a Virtual Machine Verifier

Schiffman

Moyer

Shal

et al. 2009

2009 Annual Computer Security Applications Conference

Self Cite

View full text Add to dashboard Cite

Emerging distributing computing architectures, such as grid and cloud computing, depend on the high integrity execution of each system in the computation. While integrity measurement enables systems to generate proofs of their integrity to remote parties, we find that current integrity measurement approaches are insufficient to prove runtime integrity for systems in these architectures. Integrity measurement approaches that are flexible enough have an incomplete view of runtime integrity, possibly leading to false integrity claims, and approaches that provide comprehensive integrity do so only for computing environments that are too restrictive. In this paper, we propose an architecture for building comprehensive runtime integrity proofs for general purpose systems in distributed computing architectures. In this architecture, we strive for classical integrity, using an approximation of the Clark-Wilson integrity model as our target. Key to building such integrity proofs is a carefully crafted host system whose long-term integrity can be justified easily using current techniques and a new component, called a VM verifier, that can enforce our integrity target on VMs comprehensively. We have built a prototype based on the Xen virtual machine system for SELinux VMs, and find distributed compilation can be implemented, providing accurate proofs of our integrity target with less than 4% overhead.

show abstract

“…We encoded the model in Prolog, using the XSB Prolog implementation [6]. XSB has multiple advantages; it uses tabled resolution to improve performance, the encoding of the operators defined in the model is trivial in most cases, Prolog is ideal for implementing search algorithms, and to extend the implemented interface is easier than it would be with any other language, although it does require skills to program in prolog [21,10,6]. To evaluate our approach and its implementation, we check whether a VM-system running SELinux in the VMs, and XSM/Flask on the Xen hypervisor, meets a specific security goal.…”

Section: Implementation and Evaluationmentioning

confidence: 99%

“…We define an approach for constructing such graphs automatically by identifying the information flow mapping that is required between VM and VMM labels. Using our previously-defined compliance analysis [10], we show that performing an inter-VM analysis and VM-local analyses for certain VMs is sufficient to prove compliance for the composite of these policies. We have implemented our approach in a Prolog-based tool.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Analysis of virtual machine system policies

Rueda

Vijayakumar

Jaeger

2009

Proceedings of the 14th ACM Symposium on Access Control Models and Technologies

Self Cite

View full text Add to dashboard Cite

The recent emergence of mandatory access (MAC) enforcement for virtual machine monitors (VMMs) presents an opportunity to enforce a security goal over all its virtual machines (VMs). However, these VMs also have MAC enforcement, so to determine whether the overall system (VMsystem) is secure requires an evaluation of whether this combination of MAC policies, as a whole, complies with a given security goal. Previous MAC policy analyses either consider a single policy at a time or do not represent the interaction between different policy layers (VMM and VM). We observe that we can analyze the VMM policy and the labels used for communications between VMs to create an inter-VM flow graph that we use to identify safe, unsafe, and ambiguous VM interactions. A VM with only safe interactions is compliant with the goal, a VM with any unsafe interaction violates the goal. For a VM with ambiguous interactions we analyze its local MAC policy to determine whether it is compliant or not with the goal. We used this observation to develop an analytical model of a VM-system, and evaluate if it is compliant with a security goal. We implemented the model and an evaluation tool in Prolog. We evaluate our implementation by checking whether a VMsystem running XSM/Flask policy at the VMM layer and SELinux policies at the VM layer satisfies a given integrity goal. This work is the first step toward developing layered, multi-policy analyses.

show abstract

A logical specification and analysis for SELinux MLS policy

Cited by 25 publications

References 11 publications

Transforming commodity security policies to enforce Clark-Wilson integrity

Transforming commodity security policies to enforce Clark-Wilson integrity

Justifying Integrity Using a Virtual Machine Verifier

Analysis of virtual machine system policies

Contact Info

Product

Resources

About