Skip to main content
SpringerLink
Log in

Information Flow Query and Verification for Security Policy of Security-Enhanced Linux

  • Conference paper
Advances in Information and Computer Security (IWSEC 2006)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 4266))

Included in the following conference series:

Abstract

This paper presents a Colored Petri Nets (CPN) approach to analyze the information flow in the policy file of Security-Enhanced Linux (SELinux). The SELinux access control decisions are based on a security policy file that contains several thousands of security rules. It becomes a challenge for policy administrator to determine whether the modification of the security policy file conforms to the pre-specified security goals. To address this issue, this paper proposes a formal information flow model for SELinux security policy file, and presents a simple query language to help administrators to express the expected/unexpected information flow. We developed a method to transform the SELinux policy and security goal into Policy CPN Diagram and Query CPN Diagram. A tool named SEAnalyzer that can automatically verify the SELinux policy has been developed and two application examples of this tool will be presented in the context.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Loscocco, P.A., Smalley, S.D., Muckelbauer, P.A., Taylor, R.C., Turner, S.J., Farrell, J.F.: The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments. In: Proceedings of the 21st National Information Systems Security Conference, pp. 303–314 (1998)

    Google Scholar 

  2. NSA SELinux, http://www.nsa.gov/selinux/

  3. TCSEC, http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html

  4. Loscocco, P.A., Smalley, S.D.: Meeting critical security objectives with Security- Enhanced Linux. In: Proceedings of the 2001 Ottawa Linux Symposium (2001)

    Google Scholar 

  5. Archer, M., Leonard, E., Pradella, M.: Towards a Methodology and tool for the Analysis of Security-Enhanced Linux Security Policies. NRL Memorandum Report NRL/MR/5540- 02-8629 (2002)

    Google Scholar 

  6. Jaeger, T., Sailer, R., Zhang, X.: Analyzing integrity protection in the SELinux example policy. In: Proc. USENIX Security Symposium, pp. 59–74 (2003)

    Google Scholar 

  7. Jaeger, T., Sailer, R., Zhang, X.: Resolving Constraint Conflicts. In: Proceedings of the 2004 ACM Symposium on Access Control Models and Technologies (2004)

    Google Scholar 

  8. Guttman, J.D., Herzog, A.L., Ramsdell, J.D.: Information Flow in Operating Systems: Eager Formal Methods. In: Workshop on Issues in the Theory of Security (WITS 2003) (2003)

    Google Scholar 

  9. Guttman, J.D., Herzog, A.L., Ramsdell, J.D.: SLAT: Information Flow Analysis in Security Enhanced Linux. Included in the SLAT distribution (2005), available from: http://www.nsa.gov/SELinux

  10. Sarna-Starosta, B., Stoller, S.D.: Policy Analysis for security-Enhanced Linux. In: Workshop on Issues in the Theory of Security (WITS) (2004)

    Google Scholar 

  11. Zanin, G., Mancini, L.V.: Towards a Formal Model for Security Policies Specification and Validation in the SELinux System. In: The Proceeding of SACMAT 2004, Yorktown Heights, New York, USA, pp. 136–145 (2004)

    Google Scholar 

  12. Jensen, K.: Coloured Petri Nets. Basic Concepts, Analysis Methods and Practical Use. Basic Concepts. EATCS Monographs on Theoretical Computer Science, vol. 1, pp. 1–234. Springer, Heidelberg (1992)

    MATH  Google Scholar 

  13. Loscocco, P.A., Smalley, S.D.: Integrating Flexible Support for Security Policies into the Linux Operating System. In: USENIX Annual Technical Conference (2001)

    Google Scholar 

  14. Mccarty, B.: SELinux NSA’s Open Source Security Enhanced Linux, 256 pages. O’Reilly, Sebastopol, ISBN: 0-596-00716-7

    Google Scholar 

  15. Stubblebine, T.: Regular Expression Pocket Reference, p. 112. O’Reilly, Sebastopol (2003), ISBN: 0-596-00415-X

    Google Scholar 

  16. Gutnik, G., Kaminka, G.A.: Representing Conversations for Scalable Overhearing. JAIR 25, 349–387 (2006)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Information Management, National Central University, 300, Jungda Rd., Joungli, 32054, Taiwan, ROC

    Yi-Ming Chen & Yung-Wei Kao

Authors
  1. Yi-Ming Chen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yung-Wei Kao
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Faculty of Electro-Communication, The University of Electro-Communications, 1-5-1, Chofugaoka, P.O. Box, 182-8585, Chofu, Japan

    Hiroshi Yoshiura

  2. Department of Computer Science, Communication Engineering, Kyushu University, 812-0053, Fukuoka, Japan

    Kouichi Sakurai

  3. Institute of Business Informatics, Goethe University Frankfurt, Frankfurt/Main, Germany

    Kai Rannenberg

  4. Faculty of Software and Information Science, Iwate Prefectural University, 152-52 Sugo, Takizawa, Takizawa-mura, 020-0193, Iwate, Japan

    Yuko Murayama

  5. Toshiba Corporation, 1, Komukai Toshiba-cho, Saiwai-ku, P.O. Box, 212-8582, Kawasaki, Japan

    Shinichi Kawamura

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Chen, YM., Kao, YW. (2006). Information Flow Query and Verification for Security Policy of Security-Enhanced Linux. In: Yoshiura, H., Sakurai, K., Rannenberg, K., Murayama, Y., Kawamura, S. (eds) Advances in Information and Computer Security. IWSEC 2006. Lecture Notes in Computer Science, vol 4266. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11908739_28

Download citation

  • DOI: https://doi.org/10.1007/11908739_28

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-47699-3

  • Online ISBN: 978-3-540-47700-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation