Verifying information flow goals in Security-Enhanced Linux

Guttman, Joshua D.; Herzog, Amy L.; Ramsdell, John D.; Skorupka, Clement W.

doi:10.3233/jcs-2005-13105

Cited by 62 publications

(59 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Guttman et al used model checking to find violations of information-flow requirements in SELinux policies [13]. They modeled the SELinux policy enforcement engine and the ways in which information may flow between multiple processes via a file system.…”

Section: Related Workmentioning

confidence: 99%

Automated Discovery of Mimicry Attacks

Giffin¹,

Jha²,

Miller³

2006

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Model-based anomaly detection systems restrict program execution by a predefined model of allowed system call sequences. These systems are useful only if they detect actual attacks. Previous research developed manuallyconstructed mimicry and evasion attacks that avoided detection by hiding a malicious series of system calls within a valid sequence allowed by the model. Our work helps to automate the discovery of such attacks. We start with two models: a program model of the application's system call behavior and a model of security-critical operating system state. Given unsafe OS state configurations that describe the goals of an attack, we then find system call sequences allowed as valid execution by the program model that produce the unsafe configurations. Our experiments show that we can automatically find attack sequences in models of programs such as wu-ftpd and passwd that previously have only been discovered manually. When undetected attacks are present, we frequently find the sequences with less than 2 seconds of computation.

show abstract

Section: Related Workmentioning

confidence: 99%

Automated Discovery of Mimicry Attacks

Giffin¹,

Jha²,

Miller³

2006

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Guttman, Herzog, Ramsdell and Skorupka [18] present a systemic way to analyse access control policies in the Security-Enhanced Linux system (SELinux). They develop a highly abstract model of the SELinux operating system access control mechanism.…”

Section: Related Workmentioning

confidence: 99%

Synthesising verified access control systems through model checking

Zhang

Ryan

Guelev

2008

JCS

View full text Add to dashboard Cite

We present a framework for evaluating and generating access control policies. The framework contains a modelling formalism called RW, which is supported by a model checking tool. RW is designed for modelling access control policies, and verifying their properties. The RW language is very expressive, allowing us to model complex access conditions which can depend on data values, other permissions, and agent roles.A property expresses the capability of a coalition of agents to achieve a goal, which may include reading and overwriting certain information. Given a model built based on a policy and a property, the model-checking algorithm decides whether the goal defined by the property is achievable by the coalition within the permissions the policy provides. In the case that the goal is achievable, the algorithm outputs strategies which may be used by the coalition to achieve the goal.The unachievability of legitimate goals may suggest that the policy does not provide the users enough permissions to carry out their actions. The achievability of malicious goals may reveal certain security holes in the policy. When malicious goals are achievable, the resulting strategies help to provide clues on amending the policy. The tool implements the algorithm and thus performs the RW model-checking. It can also convert a policy written in the RW language into a policy file in XACML. An access control system can then be built on the converted policy file.

show abstract

“…To create the graph we use SLAT's [9], and PAL's [21] definition of information flow. First, we classify all permissions in two categories: read_like and write_like.…”

Section: Definition 21 (Information Flow Graphmentioning

confidence: 99%

“…First, many policy analyses have been constructed to evaluate security goals for a single MAC policy [9,21,27,22]. These analyses convert MAC policies into an information flow [7] graphs that represent which MAC labels can operate on (i.e., read or write) other MAC labels.…”

Section: Introductionmentioning

confidence: 99%

Analysis of virtual machine system policies

Rueda

Vijayakumar

Jaeger

2009

Proceedings of the 14th ACM Symposium on Access Control Models and Technologies

View full text Add to dashboard Cite

The recent emergence of mandatory access (MAC) enforcement for virtual machine monitors (VMMs) presents an opportunity to enforce a security goal over all its virtual machines (VMs). However, these VMs also have MAC enforcement, so to determine whether the overall system (VMsystem) is secure requires an evaluation of whether this combination of MAC policies, as a whole, complies with a given security goal. Previous MAC policy analyses either consider a single policy at a time or do not represent the interaction between different policy layers (VMM and VM). We observe that we can analyze the VMM policy and the labels used for communications between VMs to create an inter-VM flow graph that we use to identify safe, unsafe, and ambiguous VM interactions. A VM with only safe interactions is compliant with the goal, a VM with any unsafe interaction violates the goal. For a VM with ambiguous interactions we analyze its local MAC policy to determine whether it is compliant or not with the goal. We used this observation to develop an analytical model of a VM-system, and evaluate if it is compliant with a security goal. We implemented the model and an evaluation tool in Prolog. We evaluate our implementation by checking whether a VMsystem running XSM/Flask policy at the VMM layer and SELinux policies at the VM layer satisfies a given integrity goal. This work is the first step toward developing layered, multi-policy analyses.

show abstract

Verifying information flow goals in Security-Enhanced Linux

Cited by 62 publications

References 10 publications

Automated Discovery of Mimicry Attacks

Automated Discovery of Mimicry Attacks

Synthesising verified access control systems through model checking

Analysis of virtual machine system policies

Contact Info

Product

Resources

About