SELinux Security Policy Configuration System with Higher Level Language
スポンサーリンク
概要
- 論文の詳細を見る
Creating security policy for SELinux is difficult because access rules often exceed 10,000 and elements in rules such as permissions and types are understandable only for SELinux experts. The most popular way to facilitate creating security policy is refpolicy which is composed of macros and sample configurations. However, describing and verifying refpolicy based configurations is difficult because complexities of configuration elements still exist, using macros requires expertise and there are more than 100,000 configuration lines. The memory footprint of refpolicy which is around 5MB by default, is also a problem for resource constrained devices. We propose a system called SEEdit which facilitates creating security policy by a higher level language called SPDL and SPDL tools. SPDL reduces the number of permissions by integrated permissions and removes type configurations. SPDL tools generate security policy configurations from access logs and tool user's knowledge about applications. Experimental results on an embedded system and a PC system show that practical security policies are created by SEEdit, i.e., describing configurations is semi-automated, created security policies are composed of less than 500 lines of configurations, 100 configuration elements, and the memory footprint in the embedded system is less than 500KB.
- Information and Media Technologies 編集運営会議の論文
著者
-
Sameshima Yoshiki
Hitachi Software Engineering Co., Ltd.
-
Nakamura Yuichi
Hitachi Software Engineering Co., Ltd.
-
Yamauchi Toshihiro
Graduate School of Natural Science and Technology, Okayama University
関連論文
- WriteShield: A Pseudo Thin Client for Prevention of Information Leakage (特集 多様な情報社会に適応するシステム技術)
- SELinux Security Policy Configuration System with Higher Level Language