SELinux Security Policy Configuration System with Higher Level Language
スポンサーリンク
概要
- 論文の詳細を見る
Creating security policy for SELinux is difficult because access rules often exceed 10,000 and elements in rules such as permissions and types are understandable only for SELinux experts. The most popular way to facilitate creating security policy is refpolicy which is composed of macros and sample configurations. However, describing and verifying refpolicy based configurations is difficult because complexities of configuration elements still exist, using macros requires expertise and there are more than 100,000 configuration lines. The memory footprint of refpolicy which is around 5MB by default, is also a problem for resource constrained devices. We propose a system called SEEdit which facilitates creating security policy by a higher level language called SPDL and SPDL tools. SPDL reduces the number of permissions by integrated permissions and removes type configurations. SPDL tools generate security policy configurations from access logs and tool user's knowledge about applications. Experimental results on an embedded system and a PC system show that practical security policies are created by SEEdit, i.e., describing configurations is semi-automated, created security policies are composed of less than 500 lines of configurations, 100 configuration elements, and the memory footprint in the embedded system is less than 500KB.
- 2010-09-15
著者
-
Yuichi Nakamura
Hitachi Software Engineering Co., Ltd.
-
Yoshiki Sameshima
Hitachi Software Engineering Co., Ltd.
-
Toshihiro Yamauchi
Graduate School of Natural Science and Technology, Okayama University
-
Yoshiki Sameshima
Hitachi Software Engineering Co. Ltd.
-
Toshihiro Yamauchi
Graduate School Of Natural Science And Technology Okayama University
-
Yuichi Nakamura
Hitachi Software Engineering Co. Ltd.
関連論文
- SELinux Security Policy Configuration System with Higher Level Language
- Secure and Fast Log Transfer Mechanism for Virtual Machine (Preprint)