SELinux security policy configuration system with higher level language

Yuichi Nakamura, Yoshiki Sameshima, Toshihiro Yamauchi

Research output: Contribution to journal › Article

2 Citations (Scopus)

Abstract

Creating security policy for SELinux is difficult because access rules often exceed 10,000 and elements in rules, such as permissions and types, are understandable only to SELinux experts. The most popular way to facilitate creating security policy is refpolicy, which is composed of macros and sample configurations. However, describing and verifying refpolicy-based configurations is difficult because the complexities of configuration elements still exist, using macros requires expertise, and there are more than 100,000 configuration lines. The memory footprint of refpolicy, which is around 5 MB by default, is also a problem for resource-constrained devices. We propose a system called SEEdit, which facilitates creating security policy by means of a higher level language called SPDL and SPDL tools. SPDL reduces the number of permissions by integrated permissions and removes type configurations. SPDL tools generate security policy configurations from access logs and the tool user’s knowledge about applications. Experimental results on an embedded system and a PC system show that practical security policies are created by SEEdit, i.e., describing configurations is semi-automated, created security policies are composed of less than 500 lines of configurations, 100 configuration elements, and the memory footprint in the embedded system is less than 500 KB.

Original language: English
Pages (from-to): 201-212
Number of pages: 12
Journal: Journal of Information Processing
Volume: 18
Publication status: Published - 2010

Fingerprint

High level languages
Embedded systems
Macros
Data storage equipment

ASJC Scopus subject areas

  • Computer Science (all)

Cite this

SELinux security policy configuration system with higher level language. / Nakamura, Yuichi; Sameshima, Yoshiki; Yamauchi, Toshihiro.

In: Journal of Information Processing, Vol. 18, 2010, p. 201-212.


@article{95a1937904404bcc96be859da2c00e8d,
title = "SELinux security policy configuration system with higher level language",
abstract = "Creating security policy for SELinux is difficult because access rules often exceed 10,000 and elements in rules such as permissions and types are understandable only for SELinux experts. The most popular way to facilitate creating security policy is refpolicy which is composed of macros and sample configurations. However, describing and verifying refpolicy based configurations is difficult because complexities of configuration elements still exist, using macros requires expertise and there are more than 100,000 configuration lines. The memory footprint of refpolicy which is around 5MB by default, is also a problem for resource constrained devices. We propose a system called SEEdit which facilitates creating security policy by a higher level language called SPDL and SPDL tools. SPDL reduces the number of permissions by integrated permissions and removes type configurations. SPDL tools generate security policy configurations from access logs and tool user’s knowledge about applications. Experimental results on an embedded system and a PC system show that practical security policies are created by SEEdit, i.e., describing configurations is semi-automated, created security policies are composed of less than 500 lines of configurations, 100 configuration elements, and the memory footprint in the embedded system is less than 500 KB.",
author = "Yuichi Nakamura and Yoshiki Sameshima and Toshihiro Yamauchi",
year = "2010",
doi = "10.2197/ipsjjip.18.201",
language = "English",
volume = "18",
pages = "201--212",
journal = "Journal of Information Processing",
issn = "0387-5806",
publisher = "Information Processing Society of Japan",

}

TY - JOUR

T1 - SELinux security policy configuration system with higher level language

AU - Nakamura, Yuichi

AU - Sameshima, Yoshiki

AU - Yamauchi, Toshihiro

PY - 2010

Y1 - 2010


AB - Creating security policy for SELinux is difficult because access rules often exceed 10,000 and elements in rules such as permissions and types are understandable only for SELinux experts. The most popular way to facilitate creating security policy is refpolicy which is composed of macros and sample configurations. However, describing and verifying refpolicy based configurations is difficult because complexities of configuration elements still exist, using macros requires expertise and there are more than 100,000 configuration lines. The memory footprint of refpolicy which is around 5MB by default, is also a problem for resource constrained devices. We propose a system called SEEdit which facilitates creating security policy by a higher level language called SPDL and SPDL tools. SPDL reduces the number of permissions by integrated permissions and removes type configurations. SPDL tools generate security policy configurations from access logs and tool user’s knowledge about applications. Experimental results on an embedded system and a PC system show that practical security policies are created by SEEdit, i.e., describing configurations is semi-automated, created security policies are composed of less than 500 lines of configurations, 100 configuration elements, and the memory footprint in the embedded system is less than 500 KB.

UR - http://www.scopus.com/inward/record.url?scp=84941278363&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84941278363&partnerID=8YFLogxK

U2 - 10.2197/ipsjjip.18.201

DO - 10.2197/ipsjjip.18.201

M3 - Article

VL - 18

SP - 201

EP - 212

JO - Journal of Information Processing

JF - Journal of Information Processing

SN - 0387-5806

ER -