Consistency analysis and flow secure enforcement of SELinux policies
Introduction
In this digital era, protecting data from intentional and unintentional misuse has become a major concern. The security of the operating system (OS) plays a vital role in data protection and privacy. With the Linux kernel forming the core of a wide range of computing devices, from mobile phones to supercomputers, its security is of paramount importance.
Traditionally, Linux has used Discretionary Access Control (DAC), in which access decisions are based on the user identity, the ownership of the object, and the object's permission (read, write, and execute) bits. However, DAC is not powerful enough to protect the system effectively, because of drawbacks such as coarse-grained access control, an all-powerful root, and the inability to control the propagation of information. Over the years, several efforts have been made to enhance the security of Linux, SELinux (Peter Loscocco, 2001) being a prominent example.
SELinux introduces Mandatory Access Control (MAC) into the Linux kernel to overcome the drawbacks of DAC and enhance security. It does so by labeling every entity in the system, such as files, sockets, users, and processes, and by specifying an access control policy in terms of the labels of the subjects and objects involved in each action. In this system, every action, including those of root, must adhere to the specified set of policy rules.
In addition to providing better protection against indirect accesses, SELinux also helps to confine an attacker after a security breach. Over the years, SELinux has proven effective against several privilege escalation exploits.
From Android 4.3 onward, SELinux has also been used in Android (referred to as SEAndroid) (Smalley and Craig, 2013) to provide stronger application sandboxing and fine-grained access control.
In SELinux systems, a well-written policy is the key to protecting system resources against security threats. However, as policies grow larger and more complex, assuring the consistency of all the rules and of the information flows they cause becomes difficult. Currently, the tools available for writing and analyzing these policies (Clemente, Kaba, Rouzaud-Cornabas, Alexandre, Aujay, 2012, Gove, 2016, Reshetova, Bonazzi, Asokan, 2017, Sarna-Starosta, Stoller, 2004, Technology, T.) are not sufficient for ensuring that a policy meets its intended security goals. Some of them (Clemente, Kaba, Rouzaud-Cornabas, Alexandre, Aujay, 2012, Reshetova, Bonazzi, Asokan, 2017) do not support information flow analysis at all, which is essential for understanding the complete impact of a policy on system security. The tools that do support information flow analysis either do not consider indirect flows (Gove, 2016) or require users to query manually for flow-related details (Sarna-Starosta, Stoller, 2004, Technology, T.), which is cumbersome, especially for large policies.
In this paper, we describe an approach to analyze the consistency of an SELinux policy using the Readers-Writers Flow Model (RWFM) (Kumar and Shyamasundar, 2017). The approach can be applied both to static policy analysis and to run-time monitoring of information flows in an SELinux system.
Our work on static policy analysis has been motivated by the goal of assisting policy writers in understanding the information flows caused by a policy, and thereby helping them develop policies with secure information flows, in which no unintended indirect flow of information is possible (Denning, 1976). We call such policies flow-secure policies. Our run-time monitor, on the other hand, enforces a given SELinux policy in a flow-secure manner: even if the policy itself is not flow-secure, the monitor blocks the accesses that would complete an indirect flow while the policy is being enforced. The main contributions of the paper are:
1. Proposed an approach for analyzing the information flows of SELinux policies to verify their consistency.
2. Developed a tool for static analysis of a given SELinux policy. The tool performs the following tasks:
   (a) Identifies all the indirect information flows in the policy.
   (b) Among the indirect flows, identifies the flows which violate the neverallow rules specified in the policy.
   (c) For a given indirect flow, identifies the sequences of policy rules that cause the indirect flow.
   (d) Identifies security-critical rules and domains.
3. Implemented a run-time monitor prototype that keeps track of the information flows in an SELinux system and prevents the indirect flows.
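The static analysis of contributions 2(a) to 2(c) can be sketched on a toy policy. The following Python is an added example written for this page, not the paper's tool (whose implementation is not shown here). It parses a handful of allow/neverallow rules in the kernel policy language, turns read-type permissions into object-to-subject flows and write-type permissions into subject-to-object flows, and then reports every transitive flow that no single rule permits, the rule sequence that creates it, and whether a neverallow rule forbids it. The permission-to-direction sets, the sample policy and the intermediary ranking are assumptions of this example, not definitions taken from the paper.

```python
"""Static information-flow check of a tiny SELinux-style policy.

Added example for this page, not the paper's tool. Assumptions: only allow and
neverallow rules with one source type, one target type, one class and a
permission set are accepted; a write-type permission is modelled as a flow
subject -> object and a read-type permission as a flow object -> subject.
Attributes, type transitions, booleans, MLS and all other statements are ignored.
"""
import re
from collections import defaultdict, deque

READ_PERMS = {"read", "getattr", "execute"}             # assumption: object -> subject
WRITE_PERMS = {"write", "append", "create", "setattr"}  # assumption: subject -> object
RULE_RE = re.compile(r"^(allow|neverallow)\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;$")


def parse_policy(text):
    """Return (kind, src, tgt, cls, perms, rule_text) tuples, one per rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        kind, src, tgt, cls, perms = m.groups()
        rules.append((kind, src, tgt, cls, frozenset(perms.strip("{} ").split()), line))
    return rules


def flow_edges(rules, kind="allow"):
    """Direct flows: (from_type, to_type) -> the rule texts that create that flow."""
    edges = defaultdict(list)
    for k, src, tgt, _cls, perms, text in rules:
        if k != kind:
            continue
        if perms & WRITE_PERMS:
            edges[(src, tgt)].append(text)
        if perms & READ_PERMS:
            edges[(tgt, src)].append(text)
    return dict(edges)


def indirect_flows(edges):
    """(a, b) -> (type path, rule sequence) for every pair reachable only transitively."""
    adj = defaultdict(list)
    for u, v in edges:
        adj[u].append(v)
    found = {}
    for start in list(adj):
        parent, queue = {start: None}, deque([start])
        while queue:                      # BFS: the reported rule sequence is a shortest one
            u = queue.popleft()
            for v in adj[u]:
                if v not in parent:
                    parent[v] = u
                    queue.append(v)
        for end in parent:
            if end == start or (start, end) in edges:
                continue                  # skip self and pairs a single rule already allows
            path = [end]
            while path[-1] != start:
                path.append(parent[path[-1]])
            path.reverse()
            found[(start, end)] = (path, [edges[hop][0] for hop in zip(path, path[1:])])
    return found


def neverallow_violations(rules, indirect):
    """Indirect flows that realise what a neverallow forbids directly. checkpolicy
    rejects an allow rule that clashes with a neverallow head-on at build time, so
    this transitive case is the one that survives into a loadable policy."""
    forbidden = flow_edges(rules, kind="neverallow")
    return {f: (forbidden[f][0], indirect[f][1]) for f in forbidden if f in indirect}


def intermediary_ranking(indirect):
    """Heuristic of this example, not the paper's metric: types sitting strictly
    inside the most indirect flows are the ones whose rules most deserve review."""
    score = defaultdict(int)
    for path, _rules in indirect.values():
        for t in path[1:-1]:
            score[t] += 1
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample policy: nothing lets web_t touch secret_t directly, but
# backup_t copies secrets into tmp_t, which web_t reads and then republishes.
SAMPLE_POLICY = """
allow backup_t secret_t:file { read getattr };
allow backup_t tmp_t:file { write create };
allow web_t tmp_t:file { read getattr };
allow web_t public_t:file { write append };
neverallow web_t secret_t:file { read };
"""

if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    ind = indirect_flows(flow_edges(rules))
    for (a, b), (path, _seq) in sorted(ind.items()):
        print("indirect flow %s -> %s via %s" % (a, b, " -> ".join(path)))
    for (a, b), (never, seq) in neverallow_violations(rules, ind).items():
        print("violates %r through:\n  %s" % (never, "\n  ".join(seq)))
    print("intermediaries:", intermediary_ranking(ind))
```

On the sample policy the analysis reports six indirect flows, one of which (secret_t to web_t through backup_t and tmp_t) realises exactly what the neverallow rule forbids, and it names the three allow rules that compose it. A real analysis has to expand type attributes, cover sockets, pipes and process permissions, and weigh permissions by how much data they can carry; the toy regex and the two permission sets above deliberately do none of that.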
Background
In this section, we give a brief overview of the Reference Monitor concept, Linux Security Module (LSM) framework, SELinux, and its policy specification. We also give a brief introduction to RWFM, an information flow model which provides the basis for our analysis.
Motivation
In this section, we present the motivation behind the problem that we are trying to address in this paper.
The SELinux policies used in practice contain hundreds of types and tens of thousands of rules. Writing and updating such large policies entirely by hand is cumbersome and error-prone. To make this task easier, tools such as audit2allow and selinux-polgengui (SELinuxProject) can be used. However, the policy obtained in this way may not always be correct or secure. To ensure that the
Static analysis of SELinux policy
In this section, we describe the proposed method for analyzing the information flows in SELinux policies using RWFM. The analysis is done on a policy source file. For ease of understanding, we illustrate the steps used in the approach with the help of a simple policy. We also demonstrate the effectiveness of the method by applying it on two real-life policies.
Flow secure enforcement of SELinux policies
Using the information obtained from the static analysis, a policy writer can make the policy flow secure. However, in many cases, modifying the existing policy may not be possible. Moreover, SELinux policies are not flexible enough to capture information flow requirements, i.e., we cannot specify a policy to block a particular access (read/write) only if it leads to some indirect flow but to allow it otherwise. For example, suppose a policy writer has two requirements: (1) to allow a domain d
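The requirement sketched above, to permit a read and a write individually but refuse the combination that completes an indirect flow, is one that allow/neverallow rules cannot express, because each rule is judged on its own. The following Python is an added example, not the paper's prototype (which is not reproduced on the page). It implements a monitor that keeps an RWFM-style label (owner, readers, writers) for every subject and object and applies the read and write conditions stated in the docstring. The policy, the domain names and the derivation of initial object labels from allow rules are assumptions of this example.

```python
"""Run-time information-flow monitor in the style of RWFM.

Added example for this page, not the paper's prototype. Assumptions: every
subject and object carries a label (owner, readers, writers). A read of o by s
is allowed iff the policy permits it and s is in readers(o); afterwards
readers(s) becomes readers(s) & readers(o) and writers(s) becomes
writers(s) | writers(o). A write of o by s is allowed iff the policy permits
it, s is in writers(o), readers(o) <= readers(s) and writers(s) <= writers(o);
labels are left unchanged by a write. Object labels are derived from the
policy's read/write allow rules; a fresh subject starts with every domain as a
reader and only itself as a writer.
"""
from dataclasses import dataclass


@dataclass
class Label:
    owner: str
    readers: frozenset
    writers: frozenset


class Monitor:
    def __init__(self, domains, allows):
        """domains: all subject domains; allows: set of (src, tgt, perm) from the policy."""
        self.domains = frozenset(domains)
        self.allows = set(allows)
        types = {tgt for _src, tgt, _perm in allows}
        self.objects = {
            t: Label(t,
                     frozenset(s for s, o, p in allows if o == t and p == "read"),
                     frozenset(s for s, o, p in allows if o == t and p == "write"))
            for t in types
        }
        self.subjects = {d: Label(d, self.domains, frozenset([d])) for d in domains}
        self.log = []            # (op, subject, object, decision), for audit

    def read(self, subj, obj):
        s, o = self.subjects[subj], self.objects[obj]
        ok = (subj, obj, "read") in self.allows and subj in o.readers
        if ok:                   # subj now carries everything it could learn from obj
            s.readers = s.readers & o.readers
            s.writers = s.writers | o.writers
        self.log.append(("read", subj, obj, ok))
        return ok

    def write(self, subj, obj):
        s, o = self.subjects[subj], self.objects[obj]
        ok = ((subj, obj, "write") in self.allows and subj in o.writers
              and o.readers <= s.readers      # nobody learns what they may not read
              and s.writers <= o.writers)     # nobody influences what they may not write
        self.log.append(("write", subj, obj, ok))
        return ok


# Constructed policy: app_t may read the secret and write the public file.
# Each permission is legitimate on its own; only read-secret-then-write-public leaks.
DOMAINS = ["app_t", "admin_t"]
ALLOWS = {
    ("app_t", "secret_t", "read"), ("admin_t", "secret_t", "write"),
    ("app_t", "public_t", "write"), ("app_t", "public_t", "read"),
    ("admin_t", "public_t", "read"),
}


def leaky_order():
    """Read the secret first: the later write to public_t is refused."""
    m = Monitor(DOMAINS, ALLOWS)
    return [m.read("app_t", "secret_t"), m.write("app_t", "public_t")]


def safe_order():
    """Write first, then read: both go through, and only a further write is refused."""
    m = Monitor(DOMAINS, ALLOWS)
    return [m.write("app_t", "public_t"), m.read("app_t", "secret_t"),
            m.write("app_t", "public_t")]


if __name__ == "__main__":
    print("read secret, then write public:", leaky_order())
    print("write public, read secret, write public:", safe_order())
```

Both orders are permitted by the static policy; only the label state distinguishes them. After app_t reads secret_t its readers set shrinks to {app_t}, so the write to public_t (whose readers include admin_t) fails the readers(o) <= readers(s) check, while the same write issued before the read succeeds. A deployable monitor would hook the LSM access decision rather than wrap a Python dictionary, and it needs a policy for resetting a subject's label (for instance at exec) and for owner-controlled declassification, neither of which this example provides.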
Related work
In this section, we discuss some of the works on information flow analysis and works specific to SELinux/SEAndroid policy analysis from the literature and compare our work with them. The majority of the SELinux analysis tools and techniques discussed here perform static policy analysis. To the best of our knowledge, our run-time monitor is the first method to analyze an SELinux policy at run-time.
Information flow analysis has been a focus of research for a long time and it has been studied with
Conclusions
Security in an SELinux system is as strong as its policy. In this paper, we have presented an efficient method to analyze information flows in SELinux policies. Our method verifies the consistency of the policies in terms of indirect flows and helps in identifying potential vulnerabilities. Furthermore, we are able to classify the policy rules and rank domains based on their potential to misuse information. Our experimental results in detecting the inconsistency in both the SELinux policies
CRediT authorship contribution statement
B S Radhika: Conceptualization, Methodology, Software, Validation, Investigation, Resources, Data curation, Writing - original draft, Writing - review & editing. N V Narendra Kumar: Conceptualization, Methodology, Writing - original draft, Writing - review & editing. R K Shyamasundar: Conceptualization, Methodology, Writing - original draft, Writing - review & editing, Supervision, Project administration, Funding acquisition. Parjanya Vyas: Software, Investigation, Writing - original draft,
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgement
We thank Asokan N, Elena R and Filippo B for providing valuable insights on SEAndroid policy analysis and for providing the SEAndroid policies used in the early stages of this project. We also thank the anonymous reviewers for their valuable comments and suggestions. This work was supported by the Information Security Research and Development Centre (project number: 15DEITY004), Ministry of Electronics and Information Technology (MeitY), Government of India.
References
- WorSE: a Workbench for model-based security engineering. Comput. Security (2014)
- The entity labeling pattern for modeling operating systems access control. E-Business and Telecommunications - 12th International Joint Conference, ICETE (2015)
- AOSP. Android Platform Manifest (2020). Accessed: Feb 2019
- Secure Computer Systems: Mathematical Foundations. Technical Report (1973)
- Integrity Considerations for Secure Computer Systems. Technical Report (1977)
- The Chinese wall security policy. Proceedings of the IEEE Symposium on Security and Privacy (1989)
- Analysis of SEAndroid policies: combining MAC and DAC in Android. Proceedings of the 33rd Annual Computer Security Applications Conference (2017)
- Information flow query and verification for security policy of Security-Enhanced Linux. Advances in Information and Computer Security, First International Workshop on Security, IWSEC 2006, Proceedings (2006)
- SPTrack: visual analysis of information flows within SELinux policies and attack logs. Active Media Technol. (2012)
- Subdomain: parsimonious server security. LISA (2000)
- A lattice model of secure information flow. Commun. ACM
- Review of existing analysis tools for SELinux security policies: challenges and a proposed solution. E-Technologies: Embracing the Internet of Things - 7th International Conference, MCETECH 2017, Proceedings
- Verifying the reliability of operating system-level information flow control systems in Linux. FormaliSE@ICSE (2017)
- RBAC-PAT: a policy analysis tool for role based access control. Proceedings of Tools and Algorithms for the Construction and Analysis of Systems, 15th International Conference, TACAS 2009
- V3SPA: a visual analysis, exploration, and diffing tool for SELinux and SEAndroid security policies. IEEE Symposium on Visualization for Cyber Security (VizSec) (2016)
- Task oriented management obviates your onus on Linux. Linux Conference (2004)
- A logical specification and analysis for SELinux MLS policy. ACM Trans. Inf. Syst. Security (TISSEC)
- Policy DSL: high-level specifications of information flows for security policies. High Confidence Softw. Syst. (HCSS)
- Operating System Security
- Consistency analysis of authorization hook placement in the Linux security modules framework. ACM Trans. Inf. Syst. Security (TISSEC)
- Analyzing integrity protection in the SELinux example policy. Proceedings of the 12th USENIX Security Symposium (2003)
- Realizing purpose-based privacy policies succinctly via information-flow labels. IEEE Fourth International Conference on Big Data and Cloud Computing, BDCloud (2014)
- A complete generative label model for lattice-based access control models. Proceedings of SEFM (2017)
Cited by
- XFilter: An Extension of the Integrity Measurement Architecture Based on Fine-Grained Policies. Applied Sciences (Switzerland) (2023)
- SELinux-based Operating System Security Research. Proceedings of SPIE - The International Society for Optical Engineering (2023)
- IFCIL: An Information Flow Configuration Language for SELinux. Proceedings - IEEE Computer Security Foundations Symposium (2022)
- A Novel Trusted Software Base for Commercial Android Devices Using Secure TF Card. Security and Communication Networks (2022)
Radhika B S is a PhD candidate in the Information Security Research and Development Centre, Indian Institute of Technology Bombay. She received her bachelor’s degree in Computer Science and Engineering from Visveswaraya Technological University, Belgaum, and her master’s degree in Computer Science and Engineering (Information Security) from the National Institute of Technology Karnataka. She has worked as a software engineer at Hewlett-Packard GlobalSoft and Sandvine Technologies. Her research interests include Operating System Security, Access Control, Information Flow Control, and Web Security.
Dr. N V Narendra Kumar is an Assistant Professor at Institute for Development and Research in Banking Technology, Hyderabad, India. He received his bachelor’s degree in Computer Science and Information Technology from the Jawaharlal Nehru Technological University, Andhra Pradesh and PhD in Computer Science from the Tata Institute of Fundamental Research, Mumbai. He has worked as a Senior Project Research Scientist in Indian Institute of Technology Bombay, Mumbai and a Research Scientist in a project (Design and Implementation of DIFC Security Architecture for Securing Linux-like OS) supported by the Defence Research & Development Organisation. His research interests include Malware Detection, Access Control, Information Flow Control, Blockchain, Cryptology.
Prof. R K Shyamasundar is a distinguished visiting professor in the Department of Computer Science and Engineering, Indian Institute of Technology Bombay. He received his bachelor’s degree in Electrical Engineering from the University of Mysore, and his master’s degree in Electrical Engineering and PhD in Computer Science and Automation (1975) from the Indian Institute of Science, Bangalore. He was the founder Dean of the School of Technology and Computer Science at the Tata Institute of Fundamental Research (TIFR) and also worked at Eindhoven University of Technology (1978-79) as an International Research Fellow under Edsger Dijkstra. He has held various assignments at IBM TJ Watson Research Center, Eindhoven University of Technology, State University of Utrecht, Pennsylvania State University, University of Illinois, University of California, ENSMP Sophia Antipolis, IRISA Rennes, and others. He is a Fellow of IEEE, ACM, the Indian Academy of Sciences, the Indian National Science Academy, and the National Academy of Sciences, India.
Parjanya Vyas is an M. Tech. student at the Department of Computer Science, Indian Institute of Technology Bombay (IITB), Mumbai, India, which he joined after receiving his B. Tech. degree in Computer Engineering from Nirma University, Ahmedabad, India in 2015. His research interests include Operating System Security, Information Flow Control, and Information Theory. Currently, he is working as a research assistant in Information Security Research and Development Centre, IITB. Previously, he has also worked as a software engineer in Samsung Research Institute, Noida from 2015 to 2016.