SEEdit: SELinux Security Policy Configuration System with Higher Level Language

Yuichi Nakamura, Hitachi Software Engineering Co., Ltd., ynakam@hitachisoft.jp
Yoshiki Sameshima, Hitachi Software Engineering Co., Ltd., same@hitachisoft.jp
Toshihiro Tabata, Okayama University, tabata@cs.okayama-u.ac.jp

Abstract

Security policy for SELinux is usually created by customizing a sample policy called refpolicy. However, describing and verifying security policy configurations is difficult because refpolicy contains more than 100,000 lines of configurations and thousands of elements such as permissions, macros and labels. The memory footprint of refpolicy, which is around 5MB, is also a problem for resource constrained devices. We propose a security policy configuration system, SEEdit, which facilitates creating security policy by a higher level language called SPDL and SPDL tools. SPDL reduces the number of permissions by integrated permissions and removes label configurations. SPDL tools generate security policy configurations from access logs and the tool user's knowledge about applications. Experimental results on an embedded system and a PC system show that practical security policies are created by SEEdit, i.e., describing configurations is semi-automated, the created security policies are composed of less than 500 lines of configurations and 100 configuration elements, and the memory footprint in the embedded system is less than 500KB.
Tags: security, security policy, configuration, SELinux

1 Introduction

Attackers can do everything in traditional Linux when they obtain the almighty root privilege by exploiting security holes in services running as root, or by exploiting vulnerabilities leading to privilege escalation [3][4]. To restrict such behavior of root, Security-Enhanced Linux (SELinux) [1][2] has a mandatory access control feature: all processes, including root processes, can access resources only when a security policy permits the access. The mandatory access control model is called TE (Type Enforcement) [5]. In TE, processes are assigned domain labels, resources such as files and ports are assigned type labels, and what kind of domain can access what kind of type is described in a security policy. If the security policy is properly configured, all processes, including root, attackers' processes and viruses, have only limited access rights. As a result, the damage by attackers and viruses is confined. Because of this confinement feature, SELinux is included in major Linux distributions [6], and is used for servers that require high level security. SELinux is also useful for network connected embedded devices such as cell phones and TVs. Actually, some Linux distributions for embedded systems include SELinux [7].

To deploy SELinux to a system, a security policy must be created. The security policy is usually created by customizing a sample policy called refpolicy (Reference Policy) [8][9]. Refpolicy can be applied with almost no customization when configurations for the applications in a target system are included in refpolicy. For example, refpolicy is almost perfectly configured for the default applications included in Fedora and CentOS. However, customizing refpolicy is required for systems where refpolicy is not configured enough, such as embedded systems and systems where commercial applications are deployed.

There are three problems in the customization. First, it is difficult to describe configurations because there are more than 700 permissions and 1,000 macros. In addition, type labels must be associated with file names and network resources. Second, it is difficult to verify refpolicy. Since refpolicy is intended for multiple use cases, many configurations, more than 100,000 lines, are included. When engineers verify refpolicy before reuse, they have to review all of these configurations. Third is the problem of resource consumption. When SELinux is applied to resource constrained systems such as embedded systems, the files used and the memory consumed by the security policy are a problem because refpolicy is large.

This paper proposes a security policy configuration system, SELinux Policy Editor (SEEdit), that facilitates creating security policy by a higher level language called Simplified Policy Description Language (SPDL) and SPDL tools.

SPDL: Instead of complicated macros, we propose a higher level language called SPDL. SPDL simplifies describing and verifying SELinux security policy configurations with two features. Firstly, integrated permissions in SPDL reduce the number of permissions by grouping related SELinux permissions. Secondly, it removes type configurations by identifying resources with names such as path name and port number.

SPDL tools: To solve the verification and size problems of refpolicy, the security policy is created by writing only the necessary configurations in SPDL, without refpolicy. SPDL tools help the writing process by generating configurations using access logs and the knowledge of users about applications.

The remainder of this paper is organized as follows. Problems in creating security policy (section 2) and the approaches of SEEdit to facilitate creating security policy (section 3) are explained. The detail of SEEdit (section 4) and experimental results (section 5) are shown. Finally, related work (section 6), summary (section 7) and future work (section 8) are described.
2 Problems in creating security policy

In this section, problems in creating a security policy for a target system based on refpolicy are described after an overview of the SELinux policy language and refpolicy.

2.1 SELinux policy language

The security policy is loaded into the SELinux kernel in binary representation. However, it is hard to handle the binary security policy because it is unreadable for humans. To represent the security policy in text, SELinux has a basic policy language [10], which is mainly composed of the following four syntax elements.

(1) Assigning types
In SELinux, type labels must be assigned to resources to identify them. For example, the following statement is written to assign types to files.

<file name> system_u:object_r:<type>

Similar statements are used to assign types to network resources such as port numbers and NICs.

(2) Label declaration
Domains and types must be declared by type statements as shown below.

type <type name>, <attribute>;

<attribute> is used to inherit configurations which are described for <attribute>. For example, in the following statements, admin_t can read both http_content_t and ftp_content_t.

type http_content_t, content;
type ftp_content_t, content;
allow admin_t content:file read;

(3) Allowing access
The allow statement permits a domain to access a type as in the following syntax.

allow <domain> <type>:<access vector>;

<access vector> is composed of object classes and access vector permissions. An object class means a classification of resources such as file (normal file), dir (directory) and tcp_socket (TCP socket). For each object class, access vector permissions such as read and write are defined. For example, the permission file read means reading normal files, and dir read means reading directories.

(4) Conditional policy expression
To support multiple use cases in one security policy, the SELinux policy language has conditional policy expressions as follows.

if (<conditional expression>) { <configurations> }

When <conditional expression> is true, then <configurations> is enabled. For example, when CGI is necessary, the parameter httpd_enable_cgi is set true, and then accesses related to using CGI are permitted. Changes of such parameters are applied without reloading the security policy, because <conditional expression> is embedded in the security policy.
2.2 Overview of refpolicy

To grant enough permissions for applications to work correctly, a lot of access rules have to be described. In fact, the total number of access rules in a system often becomes more than 10,000, and sometimes exceeds 100,000. Therefore, it is not realistic to create a security policy by writing configurations in the SELinux policy language from nothing. To facilitate creating security policy, a sample policy called refpolicy is developed and maintained by the SELinux community. Refpolicy is composed of macros and configurations for typical applications.

(1) Macros
M4 [11] macros are defined to describe frequently used phrases in short words. Below is an example.

allow httpd_t contents_t r_file_perms;
define(`r_file_perms', `file { read getattr lock ioctl }')

r_file_perms is a macro, which is expanded to the permissions related to reading regular files.

(2) Configurations for typical applications
Configurations for applications shipped with Linux distributions are prepared by the SELinux community and Linux distributors, and they are included in refpolicy. Figure 1 is part of the configuration for the http daemon. There are many macros, such as init_daemon_domain, apache_content_template and so on. In the figure, conditional expressions are omitted, but in fact many conditional expressions are also included, because refpolicy is intended to support as many use cases as possible, such as CGI, PHP and DB connection.
2.3 Problems in creating security policy using refpolicy

Customizing refpolicy is necessary when the use case of the system or its installed applications are beyond the expectations of refpolicy. For example, embedded systems and commercial applications are not within the scope of refpolicy. However, there are three problems in customizing refpolicy. One is the difficulty in describing configurations, the second is the difficulty of verifying refpolicy and the third is resource consumption.

2.3.1 Difficulty in describing configurations

The major difficulty in describing configurations is the complicated configuration elements such as permissions, macros and types. The main reason for the difficulty is the number of configuration elements. For example, there are more than 700 permissions, more than 1,000 macros and 1,000 types. In addition, nested macro definitions make understanding macros harder.

There are two more difficulties with types. First, engineers have to get used to types because in traditional Linux they have been identifying files by file names, not types. Secondly, there is also a problem of dependency in assigning new types. This problem is explained with an example. When the foo_t type is assigned under the /foo directory and the bar_t domain is allowed to read the foo_t type, the bar_t domain can read all files under the /foo directory. Next, if the foo2_t type is newly created and assigned to the file /foo/foo2, the bar_t domain cannot access /foo/foo2 because the bar_t domain is not allowed to access foo2_t. In this way, the bar_t domain was able to read /foo/foo2 before assigning the new type foo2_t, but bar_t cannot access /foo/foo2 after the new type is assigned to /foo/foo2.

# Assign httpd_t domain to http daemon
type httpd_t;
type httpd_exec_t;
role system_r types httpd_t;
init_daemon_domain(httpd_t, httpd_exec_t)
/usr/sbin/httpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
# Permit httpd_t to read /var/www
apache_content_template(sys)
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
allow httpd_t httpd_sys_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
# Permit httpd_t to wait for connections on tcp port 80
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
corenet_tcp_sendrecv_all_if(httpd_t)
corenet_udp_sendrecv_all_if(httpd_t)
corenet_tcp_sendrecv_all_nodes(httpd_t)
corenet_udp_sendrecv_all_nodes(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_all_nodes(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
gen_context(system_u:object_r:http_port_t,s0)
Figure 1: Part of the configuration for the http daemon in refpolicy
2.3.2 Difficulty in verifying refpolicy

For the purpose of quality assurance of a security policy which is created based on refpolicy, refpolicy should be verified. In this context, verify means to understand what is configured, then find misconfigurations and modify them. However, it is difficult to verify because of the complexity of the configuration elements as stated before. In addition, the following points make verification more difficult.

Amount of configurations: The size of refpolicy makes verification more difficult. For example, the refpolicy included in Fedora 9 has configurations for almost all applications shipped with Fedora 9 and is composed of more than 2,000 types and more than 150,000 access rules.

Conditional expressions: Many conditional expressions are embedded in refpolicy, and they are sometimes included in macro definitions. Thus, it is difficult to figure out which configurations are enabled.

Attributes: Attributes are often used for types and they increase the time necessary to understand what configurations mean, as shown in the next example. The line allow httpd_t httpdcontent:file read; is included in refpolicy. httpd_t is the domain for the apache daemon, and httpdcontent is an attribute. To understand from this line what kind of files httpd_t can access, the types that have the httpdcontent attribute have to be found by searching for type declaration statements, which are sometimes embedded in macro definitions.
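The two difficulties above (the dependency problem of newly assigned types in section 2.3.1 and the attribute indirection in section 2.3.2) are the kind of question a policy reviewer has to answer by hand. As an added illustration, not code from the paper, the following Python script resolves attributes to concrete types and emulates file-context matching so that "can domain D read path P?" can be checked before and after a new type is introduced. The mini policy and file_contexts entries are constructed here; the matching rule (the entry with the longest literal prefix wins) is a simplification of SELinux's most-specific-entry behaviour.

```python
import re

# Constructed mini policy in SELinux policy language (example input, not from refpolicy).
POLICY = """
type foo_t;
type foo2_t;
type http_content_t, content;
type ftp_content_t, content;
allow admin_t content:file read;
allow bar_t foo_t:file read;
"""

# Constructed file_contexts entries: (regex, type).
FILE_CONTEXTS_BEFORE = [
    (r"/foo(/.*)?", "foo_t"),
]
# The same list after a more specific type is assigned to one file.
FILE_CONTEXTS_AFTER = FILE_CONTEXTS_BEFORE + [
    (r"/foo/foo2", "foo2_t"),
]


def parse_policy(text):
    """Return (attr_members, allows): which types carry each attribute, and the
    allow rules as (domain, target, class, permission) tuples."""
    attr_members = {}
    allows = []
    for line in text.strip().splitlines():
        line = line.strip().rstrip(";")
        if line.startswith("type "):
            parts = [p.strip() for p in line[5:].split(",")]
            for attr in parts[1:]:
                attr_members.setdefault(attr, set()).add(parts[0])
        elif line.startswith("allow "):
            m = re.match(r"allow (\S+) (\S+):(\S+) (\S+)", line)
            allows.append(m.groups())
    return attr_members, allows


def readable_types(domain, attr_members, allows):
    """Types the domain may read; an attribute target is expanded to its member types,
    which is exactly the lookup a reviewer must otherwise do by hand."""
    out = set()
    for d, target, cls, perm in allows:
        if d == domain and cls == "file" and perm == "read":
            out |= attr_members.get(target, {target})
    return out


def label_of(path, file_contexts):
    """Type assigned to a path: among matching entries, prefer the one with the
    longest literal prefix before any regex metacharacter (simplified rule)."""
    best = None
    for regex, typ in file_contexts:
        if re.fullmatch(regex, path):
            stem = re.split(r"[\(\[\.\*\?]", regex)[0]
            if best is None or len(stem) > best[0]:
                best = (len(stem), typ)
    return best[1] if best else None


def can_read(domain, path, policy_text, file_contexts):
    attr_members, allows = parse_policy(policy_text)
    return label_of(path, file_contexts) in readable_types(domain, attr_members, allows)


if __name__ == "__main__":
    for fc, when in ((FILE_CONTEXTS_BEFORE, "before"), (FILE_CONTEXTS_AFTER, "after")):
        print(when, "foo2_t:", "bar_t reads /foo/foo2 =", can_read("bar_t", "/foo/foo2", POLICY, fc))
    print("admin_t reads:", sorted(readable_types("admin_t", *parse_policy(POLICY))))
```

Running it shows bar_t losing access to /foo/foo2 once the foo2_t entry is added, even though no allow rule for bar_t changed, and lists the concrete types behind the content attribute for admin_t.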
2.3.3 Resource consumption

A security policy is saved as files in storage, then it is loaded into RAM at system boot. Therefore, the security policy consumes storage and RAM. Since refpolicy is intended for multiple use cases, many conditional expressions and configurations for many applications are included. As a result, the size of refpolicy becomes large. For example, the refpolicy included in Fedora Core 6 consumes 1.4MB of storage and 5.4MB of RAM. In resource constrained systems such as embedded systems, this is a problem because they often have less than 64MB of RAM and storage.
3 Approach to creating security policy

We propose a security policy configuration system, SEEdit, which facilitates describing configurations, verifying a created security policy and creating a small security policy. The idea of the proposed system is explained in this section.

3.1 Higher level language: SPDL

The difficulty in describing configurations is caused by the large number of permissions, complicated macros and type configurations. Sophisticated macros can partly solve such problems, i.e., by creating a small number of macros and removing nested macro definitions. However, type configurations are still necessary in such macros. Instead of macros, we propose a higher level language, SPDL, on top of the SELinux policy language. SPDL aims to reduce the number of configuration elements by integrated permissions, where related SELinux permissions are grouped. In addition, SPDL removes type configurations by identifying resources with their names.

1 {
  # Assign httpd_t domain to http daemon
2   domain httpd_t;
3   program /usr/sbin/httpd;
  # Permit httpd_t to read /var/www
4   allow /var/www/** s,r;
  # Permit httpd_t to wait for connections on tcp port 80
5   allownet -protocol tcp -port 80 server;
6 }
Figure 2: A configuration example of SPDL for the http daemon.

An example of configuration by SPDL is shown in Figure 2. The configured access rules are almost the same as in Figure 1, but SPDL is simpler. Permissions related to reading files and directories are merged into the integrated permission r, and permissions to wait for connections on ports are merged into server. Additionally, names such as /var/www and port 80 are used to identify resources, and assigning types to resources is not necessary. To apply SPDL configurations, the SPDL converter translates these configurations to the SELinux policy language, i.e. the SPDL converter generates the necessary type configurations and expands integrated permissions to the related SELinux permissions.

The difficulty in verifying refpolicy is caused by two factors. First is the complicated configuration elements such as macros, permissions, attributes and conditional expressions. This complexity is solved by SPDL. Second is that many lines of configurations for access rules for applications not installed in the system, and for rules disabled by conditional expressions, are included. Our approach to solve the problem of many configuration lines is to describe only the necessary configurations by SPDL, without refpolicy, i.e. write configurations only for the applications installed in the target system. Since neither conditional configurations nor configurations for unused applications are included, the number of configuration lines is expected to be reduced. This also contributes to reducing resource usage by the security policy.
Figure 3: Typical process of creating a security policy

3.2 SPDL tools

In order to support writing configurations by SPDL without refpolicy, we propose SPDL tools composed of a template generator and an allow generator. SPDL tools aim to reduce the number of configurations written by hand during the process of creating a security policy.

Figure 3 shows a typical process of creating a security policy; this process is iterated for each target application. (1) Configurations to assign a domain to a target application are described as in Figure 2 lines 2 and 3. (2) In order to figure out what kind of access rules should be described, access logs are obtained by running the target application. (3) Access rules are described using the access logs. For example, when an access log entry shows that the foo_t domain read-accessed the file name bar, then an access rule that allows foo_t to read bar is described. (4) Run the application again and see whether it works correctly. If the application does not work correctly, run the application again and add configuration elements until the application works correctly.

The allow generator supports writing the configurations allowing access in Figure 3 step (3). We adopt the approach of audit2allow [12] to automate describing configurations, i.e. generate configurations that allow the accesses appearing in access logs. The template generator outputs the configurations in Figure 3 step (1) by using configurations typical to application categories. For example, most daemon programs require access rights to create temporary files under /var/run and to communicate with syslog. To produce more configurations, the template generator uses the knowledge of the tool user about the target application, such as what kind of files and network resources the application accesses.

Figure 4: The architecture of SEEdit
4 Design and implementation of SEEdit

We designed and implemented SEEdit following the approaches discussed in the previous section. SEEdit is composed of SPDL tools and the SPDL converter as shown in Figure 4. The security policy written in SPDL, called the simplified policy, is created by a text editor or by the SPDL tools, which are composed of the allow generator and the template generator. The SPDL converter generates the security policy written in the SELinux policy language from the simplified policy. The design of SPDL and the implementation of the SPDL converter and SPDL tools are described in the following subsections.
4.1 Design of SPDL

The main features of SPDL are integrated permissions to reduce the number of permissions, and configurations using resource names to remove type configurations. SPDL also has an include statement to reduce the number of lines. The detail is explained in this section.

4.1.1 Integrated permissions

While integrated permissions reduce the number of permissions by grouping permissions, permissions important for security should be kept. In order to include such important permissions, integrated permissions are designed from the viewpoint of protecting the confidentiality, integrity and availability of a target system. Compromising confidentiality happens when unexpected information goes out, and compromising integrity happens when unexpected information comes into the system. Thus, permissions related to input and output to files, network resources and IPCs have to be included in integrated permissions. The other permissions are privileges which can be abused to compromise availability and to facilitate attacks. For example, the setrlimit permission that controls the resource usage limit of processes can lead to compromised availability. The cap_insmod permission can result in the installation of malicious kernel modules. Therefore, privileges also have to be included in integrated permissions. The details of the integrated permissions are as follows.

(1) Integrated permissions for files
Integrated permissions for files are taken from previous research by Yamaguchi et al. [13] because they are designed to control input and output to files and directories. The integrated permissions are r (read), x (execute), s (list directory), o (overwrite), t (change attribute), a (append), c (create), e (erase) and w (= o + t + a + c + e).

(2) Integrated permissions for network
Two integrated permissions related to input and output are designed for port numbers, NIC, IP address and RAW socket. For example, the integrated permissions for port numbers are server (wait for a connection from outside) and client (begin a connection to outside).

(3) Integrated permissions for IPC
Integrated permissions for SysV IPCs are send and recv to control input and output to processes. Integrated permissions for signals are designed to control sending each signal, because SELinux can only control sending signals. For example, the integrated permission k allows sending sigkill.

(4) Integrated permissions for other privileges
46 integrated permissions for other privileges are designed. Almost all permissions about privileges are included to prevent attackers from compromising availability and facilitating attacks. However, overlapping permissions are merged as an exception. For example, the SELinux permissions capability net_admin and netlink_route_socket nlmsg_write overlap each other because they are both related to changing the kernel network configuration. Thus, they are merged into the integrated permission net_admin.
4.1.2 Configurations using resource names

To remove type configurations, SPDL enables configurations using resource names. The SPDL statements allow and allownet are designed as shown in Table 1 to enable name based configurations for files and network resources such as port number, NIC and IP address. To configure IPCs and other privileges, allowcom and allowpriv are also designed. Assigning types for IPCs and privileges is not required in SELinux, but they are shown for reference in Table 1.

domain httpd_t;
allow /var/www/** r;
Figure 5: Simplified policy to be converted by the SPDL converter

# Declare and assign type
1 type var_www_t;
2 /var/www(|/.*) system_u:object_r:var_www_t
# Allow permissions related to integrated permission r
3 allow httpd_t var_www_t:lnk_file { ioctl lock read };
4 allow httpd_t var_www_t:file { ioctl lock read };
5 allow httpd_t var_www_t:fifo_file { ioctl lock read };
6 allow httpd_t var_www_t:sock_file { ioctl lock read };
Figure 6: Output of the SPDL converter
4.1.3 Include statement

In order to reduce the number of configuration lines, the include statement imports configuration from a file.

#include <file name>;

For example, when the file daemon.te includes access rules commonly used for daemon applications, describing #include daemon.te; imports those access rules.
Table 1: Statements in SPDL to allow access to resources

Statement | Meaning | Example
allow <file name> <integrated permission>; | Allows access to <file name> using <integrated permission>. | allow /foo/bar/** r; permits reading files under the /foo/bar directory.
allownet <resource name> <integrated permission>; | Allows access to <resource name> using <integrated permission>. | allownet -protocol tcp -port 80 server; permits waiting for connections on tcp port 80.
allowcom <IPC name> <domain> <integrated permission>; | Allows access to <domain> using the IPC <IPC name> and communicating using <integrated permission>. | allowcom -unix foo_t r; permits reading data from a process running as the foo_t domain via a unix domain socket.
allowpriv <integrated permission>; | Allows usage of the privilege <integrated permission>. | allowpriv cap_sys_chroot; permits using the chroot system call.

4.2 Implementation of the SPDL converter

The SPDL converter translates SPDL to the SELinux policy language. The translation process is shown with the example of converting the simplified policy in Figure 5 to the configurations in Figure 6.

The httpd_t domain is allowed to read files and directories under /var/www in Figure 5. The SPDL converter generates types from resource names. For example, it generates the var_www_t type from the file name /var/www, then outputs the configuration to assign var_www_t under /var/www in the first two lines of Figure 6. Next, it generates the configuration to allow access to the generated type, as in lines 3-6 of Figure 6.

When different types are generated for files or directories under /var/www, accesses to such types are also allowed. For example, when some domain is configured allow /var/www/cgi/** r;, then a configuration that assigns var_www_cgi_t to /var/www/cgi is generated. The SPDL converter also generates a configuration for httpd_t that allows reading var_www_cgi_t.

However, configurations using resource names do not work well for files dynamically created by processes. Dynamically created files means files that are removed and created again. In SELinux, when a file is removed and created again, the type of the file becomes the same as that of the directory it belongs to. This behavior is sometimes a problem. For example, allow /tmp/foo r; is configured in the foo_t domain. At first, /tmp/foo is assigned the tmp_foo_t type, but when /tmp/foo is removed and created again, its type is tmp_t. Therefore, the foo_t domain can no longer access /tmp/foo. To handle such cases, SPDL has allowtmp to configure the assignment of types correctly. The syntax of allowtmp is as follows.

allowtmp -dir <directory name> -name <type> <integrated permission>;

This means files created under <directory name> are assigned <type>. When <type> is auto, the type is named automatically. For example, when the foo_t domain creates temporary files under /tmp, we have to describe allowtmp -dir /tmp -name auto r; in the foo_t domain; then the type foo_tmp_t is generated and assigned to the temporary files.
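To make the translation in this section concrete, here is an added example of a small SPDL-to-SELinux converter in Python. It is not SEEdit's own converter: the integrated permission table is a subset (the expansion of r reproduces Figure 6; s and w are constructed for the example), `**` is treated as "the directory and everything below it", the generated type name follows the var_www_t scheme of this section, and handling allowtmp with a type_transition rule is this example's assumption about how the relabelling of recreated files can be expressed.

```python
import re

# Integrated permission -> {object class: SELinux permissions}.
# The expansion of r follows Figure 6; s and w are constructed for this example.
INTEGRATED = {
    "r": {"file": "ioctl lock read", "lnk_file": "ioctl lock read",
          "fifo_file": "ioctl lock read", "sock_file": "ioctl lock read"},
    "s": {"dir": "getattr read search"},
    "w": {"file": "append create ioctl lock setattr unlink write"},
}


def type_from_path(path):
    """Derive a type name from a resource name, e.g. /var/www -> var_www_t
    (the naming described in section 4.2)."""
    return re.sub(r"[^a-z0-9]+", "_", path.strip("/").lower()) + "_t"


def expand(domain, target_type, perms):
    """Emit one allow rule per object class for each integrated permission."""
    rules = []
    for p in perms:
        if p not in INTEGRATED:
            raise ValueError(f"unknown integrated permission: {p}")
        for cls, avp in INTEGRATED[p].items():
            rules.append(f"allow {domain} {target_type}:{cls} {{ {avp} }};")
    return rules


def convert(spdl):
    """Translate one simplified-policy domain block into SELinux policy statements:
    type declarations, file context assignments and expanded allow rules."""
    domain = None
    types, contexts, rules = [], [], []
    for stmt in spdl.split(";"):
        tok = stmt.split()
        if not tok:
            continue
        if tok[0] == "domain":
            domain = tok[1]
        elif tok[0] == "allow":
            path, perms = tok[1], tok[2].split(",")
            recursive = path.endswith("/**")
            base = path[:-3] if recursive else path
            t = type_from_path(base)
            types.append(f"type {t};")
            # Same regex form as Figure 6 line 2: the directory itself and everything below.
            contexts.append(f"{base}(|/.*) system_u:object_r:{t}" if recursive
                            else f"{base} system_u:object_r:{t}")
            rules += expand(domain, t, perms)
        elif tok[0] == "allowtmp":
            opts = dict(zip(tok[1:-1:2], tok[2:-1:2]))   # "-dir X -name Y"
            perm = tok[-1]
            parent_t = type_from_path(opts["-dir"])
            t = (domain[:-2] + "_tmp_t") if opts["-name"] == "auto" else opts["-name"]
            types.append(f"type {t};")
            # Assumption: files the domain creates under the directory get their own type
            # through a type_transition rule, so a removed-and-recreated file is not
            # labelled with the directory's type.
            rules.append(f"type_transition {domain} {parent_t}:file {t};")
            rules += expand(domain, t, [perm])
        else:
            raise ValueError(f"unsupported statement: {stmt.strip()}")
    # Deduplicate while keeping order (a path may appear in several statements).
    return "\n".join(dict.fromkeys(types + contexts + rules))


if __name__ == "__main__":
    print(convert("domain httpd_t; allow /var/www/** s,r;"))
    print(convert("domain foo_t; allowtmp -dir /tmp -name auto r;"))
```

The first call reproduces the shape of Figure 6 (plus the dir rule for s); the second shows the allowtmp case from this section, where the generated foo_tmp_t type is attached to new files under /tmp instead of relying on the path name.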
4.3 Implementation of SPDL tools

4.3.1 Allow generator

The allow generator outputs configurations that permit the accesses recorded in the access log. The process is explained by an example below. First, the allow generator reads the SELinux access log, then extracts the domain, resource name and permission from an access log entry. When a log entry is recorded that says the httpd_t domain process accessed the file name /foo/bar, whose type is foo_bar_t, with permission file read, then httpd_t, /foo/bar/ and file read are extracted. The extracted information is not enough to create an SPDL based configuration, because the permission is not an integrated permission. In order to obtain an integrated permission, the allow generator converts SELinux permissions to integrated permissions by the permission mapping, which contains the mapping of integrated permissions to SELinux permissions as illustrated in Figure 7. In the example, the recorded SELinux permission is file read, so the permission mapping is looked up and the corresponding integrated permission allow file r, meaning integrated permission r for files, is found. As a result, the allow generator is able to output the SPDL based configuration allow /foo/bar/ r; from the obtained domain, resource name and integrated permission.

# Integrated permission    # Corresponding SELinux permissions
...
Figure 7: An example of a permission mapping file
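The allow generator's lookup direction is the reverse of the converter's: from an SELinux (object class, permission) pair in a log entry back to an integrated permission. The following Python script is an added example of that step, not SEEdit's allow generator. The audit lines are constructed in the kernel AVC format with the standard fields (denied { perm }, path=, scontext=, tclass=); the reverse mapping table is a constructed subset in the spirit of Figure 7. Beyond the single-entry walkthrough above, it merges several entries for the same path into one statement and reports any permission that has no mapping entry rather than silently dropping it, which is what a reviewer needs to see when checking generated rules.

```python
import re
from collections import defaultdict

# Constructed AVC audit lines (sample input, not a real capture).
SAMPLE_LOG = """\
type=AVC msg=audit(1238400000.123:45): avc: denied { read } for pid=1234 comm="httpd" path="/foo/bar" dev=sda1 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foo_bar_t:s0 tclass=file
type=AVC msg=audit(1238400000.456:46): avc: denied { getattr } for pid=1234 comm="httpd" path="/foo/bar" dev=sda1 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foo_bar_t:s0 tclass=file
type=AVC msg=audit(1238400001.789:47): avc: denied { write } for pid=2000 comm="foo" path="/tmp/foo" dev=sda1 ino=2002 scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
"""

# Reverse permission mapping: (object class, SELinux permission) -> integrated permission.
# Constructed for this example; a real mapping file covers every class and permission.
PERM_MAP = {
    ("file", "read"): "r", ("file", "getattr"): "r", ("file", "ioctl"): "r",
    ("file", "write"): "w", ("file", "append"): "a", ("file", "create"): "c",
    ("dir", "read"): "s", ("dir", "search"): "s",
}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?path="(?P<path>[^"]+)".*?'
    r'scontext=\w+:\w+:(?P<domain>\w+).*?tclass=(?P<tclass>\w+)'
)


def parse_avc(line):
    """Extract (domain, resource name, object class, [permissions]) from one AVC line,
    or None when the line is not an AVC entry with a path."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return m["domain"], m["path"], m["tclass"], m["perms"].split()


def generate_allow(log_text):
    """Return ({domain: [SPDL allow statements]}, [unmapped (domain, path, class, perm)]).
    Integrated permissions for the same domain and path are merged into one statement."""
    wanted = defaultdict(lambda: defaultdict(set))
    unmapped = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        domain, path, tclass, perms = rec
        for p in perms:
            ip = PERM_MAP.get((tclass, p))
            if ip is None:
                unmapped.append((domain, path, tclass, p))
            else:
                wanted[domain][path].add(ip)
    statements = {
        d: [f"allow {path} {','.join(sorted(ps))};" for path, ps in sorted(paths.items())]
        for d, paths in wanted.items()
    }
    return statements, unmapped


if __name__ == "__main__":
    stmts, missing = generate_allow(SAMPLE_LOG)
    for domain, lines in stmts.items():
        print(f"domain {domain};")
        for s in lines:
            print("  " + s)
    for item in missing:
        print("no mapping for", item)
```

For the sample log the output is allow /foo/bar r; for httpd_t (read and getattr both map to r) and allow /tmp/foo w; for foo_t, the same statement section 5.2.1 says has to be rewritten by hand as an allowtmp rule because /tmp/foo is created dynamically.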
4.3.2 Template generator

The template generator is implemented as a GUI. Figure 8 is a GUI to generate typical configurations. Users choose the profile of the application, and configurations are generated based on the profile. Figure 9 is a GUI to generate configurations from the user's knowledge. Users can input their knowledge to the template generator without typing SPDL manually.

Figure 8: Template generator GUI to generate typical configurations
Figure 9: Template generator GUI to generate configurations using the knowledge of users

5 Evaluation

5.1 Experimental setup

In order to make sure whether SEEdit works, we used two typical systems for the experiment. One is an embedded system configured as a small server, the other is a PC system configured as a PC server, as shown below.

(1) Embedded system
CPU: SH7751R (SH4) 240MHz
RAM: 64MB
Storage: Flash ROM 64MB
Linux distribution: not used
SELinux: Linux 2.6.22
Running services: httpd, vsftpd, syslogd, klogd, portmap

(2) PC system
A virtual machine (VMware 5.5) is used.
Linux distribution: CentOS 5, used for PC servers
Running services: auditd, avahi-daemon, crond, cupsd, dhclient, gdm, httpd, klogd, mcstransd, named, ntpd, portmap, samba, sendmail, sshd, syslogd

Five domains are configured for the services running on the embedded system, and 16 domains are configured for the services on the PC system. Access rules are written for these services to work properly. Memory usage of the security policy on the embedded system was also measured to evaluate whether SELinux is applicable to embedded systems. The memory consumption by SELinux was defined as the difference between the memory usage when SELinux is enabled and that when SELinux is disabled.
5.2 Results and consideration

In the experiment, we successfully created security policies for both the embedded and the PC system. The process of describing configurations, verifying configurations and resource consumption are reviewed and considered. Finally, trade-offs in SEEdit are also discussed.
5.2.1 Describing configurations

The first step in describing the configuration is using the template generator. To evaluate the template generator, an assumption about the knowledge of the tool user is necessary because the generated configurations depend on the user's knowledge. For the evaluation, it is assumed that users know how to manage the applications, i.e. they know the file paths of the configuration files for the applications, the names of log files, the names of the content files which the applications deliver, and the port numbers for the applications. Assuming this, the template generator produced 52% of the lines of configuration for the evaluation systems. For example, a total of 24 lines of configuration were described for the http service in the PC system, and 12 lines were generated by the template generator.

The next step is to produce configurations from access logs by the allow generator. Most of the configurations generated by the allow generator could be used without modification, except for the following two cases. The first is allow statements generated for dynamically created files. These allow statements have to be replaced with allowtmp statements. For example, the foo_t domain dynamically creates and removes /tmp/foo, so the log entry "foo_t domain write /tmp/foo" is recorded. The allow generator outputs allow /tmp/foo w; from the log entry. However, it should be replaced with allowtmp -dir /tmp -name auto w; as shown in section 4.2. The second is configurations generated from log entries which record access to normal files. The allow generator outputs allow /var/www/index.html r; for httpd_t from the log entry "httpd_t read /var/www/index.html". When the user knows that the httpd_t domain accesses the /var/www directory, it is better to permit access to the directory, like allow /var/www/** r;. For the above two cases, the generated integrated permissions can still be used without modification.

Table 2: Number of permissions in refpolicy and SPDL

            refpolicy   SPDL
File          130         9
Network       453        14
IPC            45         7
Privilege      80        46
Total         708        76

As shown above, the SPDL tools generate most parts of the configurations. In addition, modifying a generated SPDL configuration is easier than modifying refpolicy because the number of permissions is reduced as shown in Figure 2, complicated macros are not necessary, and type configurations are removed.
5.2.2 Verifying configurations

For verifying a created security policy, the difficulty depends on the number of configuration lines. The number of configuration lines in refpolicy is more than 100,000, with complicated permissions, macros and types, thus verification of a refpolicy based security policy is difficult. On the other hand, in the experiment, the total lines of configuration are 174 for the embedded system and 401 for the PC system, and they are described in SPDL. Therefore, it is easier to verify configurations in SPDL than configurations in refpolicy.

Note that verifying configurations written in SPDL is meaningful only as long as the output of the SPDL converter is correct. Another piece of work is necessary to ensure the result of the SPDL converter. One possible way is a test tool. The tool takes configurations in SPDL as input and is run for each domain defined in the configurations. Next, the tool tries all access patterns to see whether only the accesses configured in the policy are permitted.
5.2.3 Resource consumption

The file size of the security policy in the embedded system is 71KB and its RAM usage is 465KB. In the system used in the experiment, storage is 64MB and RAM is 64MB. The consumption of storage and RAM is less than 1%. Thus, the created security policy is usable for resource constrained embedded devices.
5.2.4 Trade-offs

There are two usability-security trade-offs in SEEdit.

The first trade-off is the integrated permissions used in SPDL, because integrated permissions reduce granularity. For example, the integrated permission r for files means read permission for file, symlink and socket file. Therefore, allowing read access to a symlink but not to a file and directory cannot be configured by the r permission. This can be a problem in the embedded systems used in the evaluation. In the embedded system, busybox [14] was used for system commands. In a system where busybox is installed, commands are executed via symbolic links to /bin/busybox (the busybox executable). When /bin/ls is a symbolic link to /bin/busybox and /bin/ls is executed, the ls functions in /bin/busybox are called. If a domain foo_t needs access to busybox commands and is configured allow /bin/** r;, the foo_t domain can access the symbolic links under /bin, and foo_t can use busybox commands. However, if a confidential command file /bin/secret exists, foo_t can also access /bin/secret. If access to symbolic links were configured separately, foo_t would not be able to access /bin/secret. To solve this problem, the security policy generated by the SPDL converter has to be edited. Another solution is to create a new statement in SPDL that enables configuring SELinux permissions directly.

The second trade-off is the audit2allow approach in the allow generator. If there is a bug or malicious code in a program, and the program accesses files unnecessary for the program to work correctly, the allow generator outputs configurations that permit access to such files. For example, if code that accesses confidential data is embedded in a CGI program by an evil programmer, then a configuration that permits access to the confidential data is output by the allow generator after running the CGI. To prevent such a dangerous configuration from being included in the security policy, generated configurations should be checked by the SEEdit user. To help the check process, a tool that evaluates generated configurations would be useful.
6 Related work

The Linux distribution Fedora includes security policy configuration tools called setroubleshoot [15], SLIDE [16] and system-config-selinux [17]. Setroubleshoot analyzes access logs and presents configurations when an application does not work due to an SELinux access denial. SLIDE is an Integrated Development Environment (IDE) to configure refpolicy. It has features to aid describing configurations, such as input completion. system-config-selinux is a tool to generate templates of configurations for new applications. It can generate templates using a wizard. The above tools are intended to aid configuration using refpolicy. Their purpose is different from SEEdit because SEEdit does not use refpolicy.

polgen [18] is a security policy generator with a higher level language. Users of polgen first describe template configurations for the target applications using the language, then run the application. Next, polgen generates a recommended security policy from access logs. The purpose of the higher level language of polgen is to describe template configurations, and users have to handle types and SELinux permissions after writing a template. The purpose is different from SEEdit because SPDL in SEEdit is intended to describe whole configurations.

SENG [19] is a higher level language for SELinux security policy. It is intended to replace m4 macros, not to reduce the number of configurations and remove type configurations.

Sellers et al. [20] also implemented a higher level language and IDE called CDS Framework [21]. It is also used in the FMAC [22] project in OpenSolaris. It enables configuration from the viewpoint of information flow control, but is not intended to simplify configurations.

There is also work related to the verification of security policy. Apol, included in setools [23], has features to query the security policy, such as querying what kind of types a domain can access. SLAT [24][25] is a system to analyze the security policy based on information flow goals. Analyzers describe an information flow goal, then SLAT finds violations of the goal. Gokyo [26] analyzes the security policy based on Access Control Spaces, then points out configurations which violate constraints. These tools are for the SELinux policy language, but they can be applied to configurations which are converted from SPDL.
7 Summary

Security policy for SELinux is usually created by customizing a sample policy called refpolicy. However, creating a security policy based on refpolicy has problems in describing and verifying configurations, and in resource consumption.

We have proposed a security policy configuration system, SEEdit, which makes creating security policy easier with a higher level language called SPDL and the SPDL tools. SPDL reduces the number of permissions by integrated permissions, and removes type configurations by name-based configurations. The SPDL tools help in writing configurations by generating them from access logs and from the tool users' knowledge about the applications. Experimental results on an embedded system and a PC system have shown that SEEdit resolves the problems of creating security policy, and that practical security policies can be created with SEEdit.
8 Future work

There are remaining issues in ensuring the results of the SPDL converter (section 5.2.2) and in the trade-offs of SEEdit (section 5.2.4). Another issue is co-existence with refpolicy. Currently SEEdit cannot be used together with refpolicy, because the type configurations generated by the SPDL converter conflict with the type configurations already present in refpolicy. The SPDL converter has to be improved to resolve such conflicts.
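Two of the points above, the apol-style query "which types can a domain access" and the type-declaration conflict between converter output and refpolicy, can both be illustrated on the plain TE policy text that the converter produces. The following is an added example written for this page, not code from SEEdit, setools or refpolicy; the two policy fragments and the `httpd_t`/`var_www_t` names in them are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed SELinux Type Enforcement (TE) fragments, standing in for a piece of
# refpolicy and a piece of SPDL-converter output. They are illustrative only.
REFPOLICY_FRAGMENT = """
type httpd_t;
type httpd_config_t;
type httpd_port_t;
allow httpd_t httpd_config_t:file { read getattr open };
allow httpd_t httpd_port_t:tcp_socket name_bind;
"""

SPDL_CONVERTED_FRAGMENT = """
type httpd_t;
type httpd_config_t;
type var_www_t;
allow httpd_t var_www_t:dir { read search getattr };
allow httpd_t var_www_t:file { read getattr open };
"""

# `type NAME;` or `type NAME, attr1, attr2;` (attributes ignored here).
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*(?:,[^;]*)?;")
# `allow SRC TGT:CLASS PERM;` or `allow SRC TGT:CLASS { P1 P2 ... };`
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def parse_te(text):
    """Return (declared type names, allow rules).

    Each rule is a tuple (source, target, object class, frozenset of permissions).
    Lines that are neither a type declaration nor an allow rule are ignored.
    """
    types = set()
    rules = []
    for line in text.splitlines():
        m = TYPE_RE.match(line)
        if m:
            types.add(m.group(1))
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            perm_set = frozenset(perms.strip("{} ").split())
            rules.append((src, tgt, cls, perm_set))
    return types, rules


def accessible_types(rules, domain):
    """apol-style query: which (type, class) pairs can `domain` reach, and how.

    Returns {(target_type, object_class): set(permissions)}, merging rules that
    grant different permissions on the same target/class.
    """
    out = defaultdict(set)
    for src, tgt, cls, perms in rules:
        if src == domain:
            out[(tgt, cls)] |= perms
    return dict(out)


def type_conflicts(policy_a, policy_b):
    """Types declared in both fragments.

    Loading two modules that each declare the same type is rejected as a
    duplicate declaration, which is the co-existence problem named above.
    """
    types_a, _ = parse_te(policy_a)
    types_b, _ = parse_te(policy_b)
    return sorted(types_a & types_b)


if __name__ == "__main__":
    _, ref_rules = parse_te(REFPOLICY_FRAGMENT)
    _, spdl_rules = parse_te(SPDL_CONVERTED_FRAGMENT)
    for (tgt, cls), perms in sorted(accessible_types(ref_rules + spdl_rules, "httpd_t").items()):
        print(f"httpd_t -> {tgt}:{cls} {sorted(perms)}")
    print("conflicting type declarations:", type_conflicts(REFPOLICY_FRAGMENT, SPDL_CONVERTED_FRAGMENT))
```

The query over the concatenated rule lists shows what a domain would be able to reach if both policies loaded; the conflict check shows why, as the text states, they currently cannot be loaded side by side: the converter re-declares `httpd_t` and `httpd_config_t` instead of reusing the refpolicy declarations.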
9 Availability

SEEdit is available from sourceforge [27]. It is licensed under the GPL.
References

[1] Security-Enhanced Linux, http://www.nsa.gov/research/selinux/
[2] Loscocco, P. and Smalley, S.: Integrating Flexible Support for Security Policies into the Linux Operating System: Proc. FREENIX Track of the 2001 USENIX Annual Technical Conference, pp. 29-42 (2001)
[3] CVE-2008-0600: Common Vulnerabilities and Exposures (2008), http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0600
[4] CVE-2007-5964: Common Vulnerabilities and Exposures (2007), http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5964
[5] Boebert, W. E. and Kain, R. Y.: A Practical Alternative to Hierarchical Integrity Policies: Proc. the Eighth National Computer Security Conference, pp. 225-237 (1985)
[6] Coker, F. and Coker, R.: Taking advantage of SELinux in Red Hat Enterprise Linux: Red Hat Magazine, Issue 6, April 2005 (2005), http://www.redhat.com/magazine/006apr05/features/selinux/
[7] Linuxdevices.com: MontaVista readies new Linux mobile phone OS (2007), http://www.linuxdevices.com/news/NS4364061392.html
[8] SELinux Reference Policy, http://oss.tresys.com/projects/refpolicy/
[9] PeBenito, C., Mayer, F. and MacMillan, K.: Reference Policy for Security Enhanced Linux: Proc. 2006 Security Enhanced Linux Symposium (2006), http://selinux-symposium.org/2006/papers/05-refpol.pdf
[10] Smalley, S.: Configuring the SELinux policy, NAI Labs Report #02-007, http://www.nsa.gov/research/selinux/docs.shtml
[11] GNU m4, http://www.gnu.org/software/m4/m4.html
[12] Linux man pages for audit2allow(1), http://linuxcommand.org/manpages/audit2allow1.html
[13] Yamaguchi, T., Nakamura, Y. and Tabata, T.: Integrated Access Permission: Secure and Simple Policy Description by Integration of File Access Vector Permission: Proc. The 2nd International Conference on Information Security and Assurance (ISA 2008), pp. 40-45 (2008)
[14] Wells, N.: BusyBox: A Swiss Army Knife for Linux: Linux Journal, vol. 2000, no. 78es (2000)
[15] Denis, J.: Setroubleshoot: A User Friendly Tool to Diagnose AVC Denials: Proc. 2007 Security Enhanced Linux Symposium (2007), http://selinux-symposium.org/2007/papers/09-setroubleshoot.pdf
[16] SLIDE, http://oss.tresys.com/projects/slide
[17] Walsh, D.: A step-by-step guide to building a new SELinux policy module: Red Hat Magazine (2007), http://magazine.redhat.com/2007/08/21/
[18] Sniffen, B., Ramsdell, J. and Harris, D.: Guided Policy Generation for Application Authors: Proc. 2006 Security Enhanced Linux Symposium (2006), http://selinux-symposium.org/2006/papers/14-guided-polgen.pdf
[19] Kuliniewicz, P.: SENG: An Enhanced Policy Language for SELinux: Proc. 2006 Security Enhanced Linux Symposium (2006), http://selinux-symposium.org/2006/papers/09-SENG.pdf
[20] Sellers, C., Athey, J., Shimko, S., Mayer, F. and MacMillan, K.: Experiences Implementing a Higher-Level Policy Language for SELinux: Proc. 2006 Security Enhanced Linux Symposium (2006), http://selinux-symposium.org/2006/papers/08-higher-level-experience.pdf
[21] CDS Framework IDE, http://oss.tresys.com/projects/cdsframework
[22] OpenSolaris Project: Flexible Mandatory Access Control, http://www.opensolaris.org/os/project/fmac/
[23] SETools, http://oss.tresys.com/projects/setools
[24] Guttman, J., Herzog, A., Ramsdell, J. and Skorupka, C.: Verifying information flow goals in Security-Enhanced Linux: Journal of Computer Security, 13(1), pp. 115-134 (2005)
[25] MITRE Security-Enhanced Linux, http://www.mitre.org/tech/selinux/
[26] Jaeger, T., Edwards, A. and Zhang, X.: Managing access control policies using access control spaces: Proc. the seventh ACM Symposium on Access Control Models and Technologies (SACMAT 02), pp. 3-12 (2002)
[27] SELinux Policy Editor Web site, http://seedit.sourceforge.net/