Consistency analysis and flow secure enforcement of SELinux policies

https://doi.org/10.1016/j.cose.2020.101816

Abstract

SELinux policies used in practice contain tens of thousands of rules, making it hard to comprehend their impact on security and to verify whether they actually meet the intended security goals. In this paper, we describe an approach for reasoning about the consistency of a given SELinux policy by analyzing the information flows it causes. For this purpose, we model SELinux policy rules using the Readers-Writers Flow Model (RWFM). We have used this approach to implement a static policy analysis tool as well as a run-time monitor. The static policy analysis tool identifies all the possible indirect flows in a given policy and then isolates those indirect flows that pose a high threat. Given an indirect flow, the tool can also identify the sequences of accesses that cause it. The tool also ranks the rules and domains based on the number of policy violations they cause. Thus, the static analysis tool is useful for policy writers to develop flow-secure policies. The run-time monitor, on the other hand, keeps track of the information flows in an SELinux system and detects indirect flows dynamically. This helps in ensuring flow-secure enforcement of a given SELinux policy as per its specification. The efficiency and efficacy of our implementations are demonstrated through experimental analysis on large, real-life policies.

Introduction

In this digital era, protecting data from intentional and unintentional misuse has become a major concern. The security of the Operating System (OS) plays a vital role in data protection and privacy. With the Linux kernel forming the core of a wide range of computing devices, from mobile phones to supercomputers, its security is of paramount importance.

Traditionally, Linux has used Discretionary Access Control (DAC), where access decisions are based on the user identity, the ownership of the object, and the permission (read, write, and execute) bits of the object. However, DAC is not powerful enough to effectively protect the system because of drawbacks such as coarse-grained access control, an all-powerful root, and the inability to control the propagation of information. Over the years, several efforts have been made to enhance the security of Linux, SELinux (Peter Loscocco, 2001) being a prominent example.

SELinux introduces Mandatory Access Control (MAC) into the Linux kernel to overcome the drawbacks of DAC and enhance security. It does so by labeling every entity in the system, such as files, sockets, users, and processes, and specifying an access control policy based on the labels of the subjects and objects involved in each action. In this system, every user action, including those of root, must adhere to the specified set of policy rules.

In addition to providing better protection against indirect accesses, SELinux also helps in confining an attack in case of a security breach. Over the years, SELinux has proven to be effective against several privilege escalation exploits.

From Android 4.3 onward SELinux is also being used in Android (referred to as SEAndroid) (Smalley and Craig, 2013) to provide better application sandboxing and fine-grained access control.

In SELinux systems, a well-written policy is the key to protecting the system resources against security threats. However, as policies get larger and more complex, assuring the consistency of all the rules and of the information flows caused by them becomes difficult. Currently, the tools (Clemente, Kaba, Rouzaud-Cornabas, Alexandre, Aujay, 2012, Gove, 2016, Reshetova, Bonazzi, Asokan, 2017, Sarna-Starosta, Stoller, 2004, Technology, T.) available for writing and analyzing these policies are not sufficient for ensuring that a policy meets the intended security goals. Some of them (Clemente, Kaba, Rouzaud-Cornabas, Alexandre, Aujay, 2012, Reshetova, Bonazzi, Asokan, 2017) do not support information flow analysis of the policies, which is essential for understanding the complete impact of the policy on system security. The tools which do support information flow analysis either do not consider indirect flows (Gove, 2016) or require users to manually query for the flow-related details (Sarna-Starosta, Stoller, 2004, Technology, T.), which is cumbersome, especially in the case of large policies.

In this paper, we describe an approach to analyze the consistency of an SELinux policy using the Readers-Writers Flow Model (RWFM) (Kumar and Shyamasundar, 2017). This approach can be applied both for static policy analysis and for run-time monitoring of information flows in an SELinux system.

Our work on static policy analysis has been motivated by the goal of assisting policy writers in understanding the information flows caused by a policy, and thereby helping them develop policies with secure information flows, in which no unintended indirect flow of information is possible (Denning, 1976). We call such policies flow-secure policies. Our run-time monitor, on the other hand, ensures the flow-secure enforcement of a given SELinux policy, i.e., even if the policy is not flow-secure, the run-time monitor prevents the indirect accesses while enforcing the policy. The main contributions of the paper are:

  1. Proposed an approach for analyzing the information flows of SELinux policies to verify their consistency.

  2. Developed a tool for static analysis of a given SELinux policy. The tool performs the following tasks:

     (a) Identifies all the indirect information flows in the policy.

     (b) Among the indirect flows, identifies the flows which violate the neverallow rules specified in the policy.

     (c) For a given indirect flow, identifies the sequences of policy rules that cause the indirect flow.

     (d) Identifies security-critical rules and domains.

  3. Implemented a run-time monitor prototype that keeps track of the information flows in an SELinux system and prevents the indirect flows.
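As an added illustration of tasks (a) to (d) above (example code written for this page, not the authors' tool), the following reconstructs the flow graph of a constructed toy policy and works through it. It assumes a simplified rule syntax and a coarse split of permissions into read-like (data moves object to subject) and write-like (subject to object) in place of the paper's RWFM modelling; a neverallow rule is taken to forbid the flow its permissions would create, directly or through intermediaries.

```python
import re
from collections import Counter, defaultdict, deque

# Constructed toy policy in simplified SELinux syntax (not a real distribution policy).
POLICY = """
allow httpd_t httpd_log_t:file { write append };
allow logrotate_t httpd_log_t:file { read };
allow logrotate_t tmp_t:file { write };
allow backup_t tmp_t:file { read };
neverallow httpd_t backup_t:file { write };
neverallow backup_t httpd_t:file { write };
"""
RULE = re.compile(r"(allow|neverallow)\s+(\w+)\s+(\w+):(\w+)\s+\{?\s*([\w ]+?)\s*\}?;")
READ_LIKE = {"read", "getattr", "execute"}             # data moves object -> subject
WRITE_LIKE = {"write", "append", "setattr", "create"}  # data moves subject -> object

def parse(text):  # -> [(kind, src, tgt, cls, perms)] in policy order; list index = rule id
    return [(k, s, t, c, set(p.split())) for k, s, t, c, p in RULE.findall(text)]

def flow_pairs(kind, rules):
    """Yield (rule_id, a, b) for each flow a -> b that a rule of the given kind allows/forbids."""
    for i, (k, s, t, _, perms) in enumerate(rules):
        if k == kind and perms & READ_LIKE:
            yield i, t, s
        if k == kind and perms & WRITE_LIKE:
            yield i, s, t

def indirect_flows(rules):
    """BFS over direct flows: {(a, b): [rule ids]} for flows that need >= 2 hops (task a).
    BFS reaches 1-hop neighbours first, so every pair recorded here has no direct allow."""
    succ = defaultdict(list)
    for i, a, b in flow_pairs("allow", rules):
        succ[a].append((b, i))
    found = {}
    for start in list(succ):
        seen, queue = {start}, deque([(start, [])])
        while queue:
            node, path = queue.popleft()
            for nxt, rule in succ[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [rule]))
                    if path:  # at least one earlier hop: this is an indirect flow
                        found[(start, nxt)] = path + [rule]
    return found

def violations(rules):
    """Indirect flows contradicting a neverallow rule, with the rule chain causing each (tasks b, c)."""
    indirect = indirect_flows(rules)
    return {(a, b): indirect[a, b] for _, a, b in flow_pairs("neverallow", rules) if (a, b) in indirect}

def rank(rules):
    """Rank rule ids and subject domains by how many violating chains they take part in (task d)."""
    by_rule, by_domain = Counter(), Counter()
    for chain in violations(rules).values():
        by_rule.update(chain)
        by_domain.update(rules[i][1] for i in chain)
    return by_rule, by_domain
```

On the toy policy, `violations(parse(POLICY))` reports the chain httpd_t → httpd_log_t → logrotate_t → tmp_t → backup_t, which contradicts the first neverallow rule although no single allow rule does, and `rank` places logrotate_t first because both of its rules sit on that chain.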

The rest of the paper is organized as follows: Section 2 provides an overview of the Reference Monitor concept, the Linux Security Module (LSM) framework, SELinux, and RWFM. Section 3 explains the need for information flow analysis of an SELinux policy. Section 4 gives a detailed description of the static policy analysis method using RWFM, along with the experimental results. Section 5 discusses the details of the RWFM run-time monitor and demonstrates its effectiveness. Section 6 discusses the related work, and conclusions are presented in Section 7.

Background

In this section, we give a brief overview of the Reference Monitor concept, the Linux Security Module (LSM) framework, SELinux, and its policy specification. We also give a brief introduction to RWFM, the information flow model which provides the basis for our analysis.

Motivation

In this section, we present the motivation behind the problem that we are trying to address in this paper.

The SELinux policies used in practice contain hundreds of types and tens of thousands of rules. Writing and updating such large policies completely manually is cumbersome and prone to errors. To make this task easier, tools like audit2allow, selinux-polgengui, etc. (SELinuxProject) can be used. However, the policy obtained in this way may not always be correct or secure. To ensure that the

Static analysis of SELinux policy

In this section, we describe the proposed method for analyzing the information flows in SELinux policies using RWFM. The analysis is done on a policy source file. For ease of understanding, we illustrate the steps of the approach with the help of a simple policy. We also demonstrate the effectiveness of the method by applying it to two real-life policies.

Flow secure enforcement of SELinux policies

Using the information obtained from the static analysis, a policy writer can make the policy flow-secure. However, in many cases, modifying the existing policy may not be possible. Moreover, SELinux policies are not flexible enough to capture information flow requirements, i.e., we cannot specify a policy that blocks a particular access (read/write) only if it leads to some indirect flow but allows it otherwise. For example, suppose a policy writer has two requirements: (1) to allow a domain d
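The requirement sketched above, refusing an allowed access only when it would complete an indirect flow, is what a run-time monitor can add on top of the static policy. The following is an added example written for this page, not the authors' monitor: it assumes that every type carries the set of domains whose data has reached it (an assumption modelled on the writers component of an RWFM label), that neverallow rules translate into forbidden (source, sink) pairs, and that a constructed toy policy stands in for a real one.

```python
from collections import defaultdict

# Constructed toy policy (same shape as a real one, but not a real distribution policy).
ALLOW = {  # (subject type, object type) -> granted permissions
    ("httpd_t", "httpd_log_t"): {"write"},
    ("logrotate_t", "httpd_log_t"): {"read"},
    ("logrotate_t", "tmp_t"): {"write"},
    ("backup_t", "tmp_t"): {"read"},
}
FORBIDDEN = {("httpd_t", "backup_t")}  # flow ruled out by: neverallow httpd_t backup_t:file { write };

class FlowMonitor:
    """Assumed design of an RWFM-style run-time monitor (not the paper's code): each type
    carries the set of domains whose data has reached it, like the writers part of an RWFM
    label. An access the policy allows is refused only when it would carry data from a
    forbidden source to its forbidden sink, i.e. when it would complete an indirect flow."""

    def __init__(self, allow, forbidden):
        self.allow, self.forbidden = allow, forbidden
        self.sources = defaultdict(set)  # type -> domains/types that have influenced its contents
        self.trace = []                  # (subject, perm, object, decision, reason)

    def access(self, subj, perm, obj):
        """Return True if the access is permitted; labels are updated only on success."""
        if perm not in self.allow.get((subj, obj), set()):
            return self._record(subj, perm, obj, False, "no allow rule")
        if perm == "read":                                 # data moves object -> subject
            moving, sinks = self.sources[obj] | {obj}, {subj}
        else:                                              # write/append: subject -> object
            moving, sinks = self.sources[subj] | {subj}, {obj}
        leaks = {(a, b) for a in moving for b in sinks if (a, b) in self.forbidden}
        if leaks:
            return self._record(subj, perm, obj, False, f"indirect flow {sorted(leaks)}")
        for b in sinks:
            self.sources[b] |= moving
        return self._record(subj, perm, obj, True, "ok")

    def _record(self, subj, perm, obj, ok, why):
        self.trace.append((subj, perm, obj, ok, why))
        return ok

def scenario():
    """The same accesses in two orders; only the order that carries httpd_t data onward is stopped."""
    safe = FlowMonitor(ALLOW, FORBIDDEN)
    safe_results = [safe.access("logrotate_t", "write", "tmp_t"),
                    safe.access("backup_t", "read", "tmp_t")]
    unsafe = FlowMonitor(ALLOW, FORBIDDEN)
    unsafe_results = [unsafe.access("httpd_t", "write", "httpd_log_t"),
                      unsafe.access("logrotate_t", "read", "httpd_log_t"),
                      unsafe.access("logrotate_t", "write", "tmp_t"),
                      unsafe.access("backup_t", "read", "tmp_t")]
    return safe_results, unsafe_results
```

Every access in both sequences is permitted by the policy; the monitor refuses only the final read in the second sequence, because tmp_t by then carries httpd_t data and backup_t is the forbidden sink.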

Related work

In this section, we discuss some of the works on information flow analysis and works specific to SELinux/SEAndroid policy analysis from the literature and compare our work with them. The majority of the SELinux analysis tools and techniques discussed here perform static policy analysis. To the best of our knowledge, our run-time monitor is the first method to analyze SELinux policy at run-time.

Information flow analysis has been a focus of research for a long time and it has been studied with

Conclusions

Security in an SELinux system is only as strong as its policy. In this paper, we have presented an efficient method to analyze information flows in SELinux policies. Our method verifies the consistency of the policies in terms of indirect flows and helps in identifying potential vulnerabilities. Furthermore, we are able to classify the policy rules and rank domains based on their potential to misuse information. Our experimental results in detecting the inconsistency in both the SELinux policies

CRediT authorship contribution statement

B S Radhika: Conceptualization, Methodology, Software, Validation, Investigation, Resources, Data curation, Writing - original draft, Writing - review & editing. N V Narendra Kumar: Conceptualization, Methodology, Writing - original draft, Writing - review & editing. R K Shyamasundar: Conceptualization, Methodology, Writing - original draft, Writing - review & editing, Supervision, Project administration, Funding acquisition. Parjanya Vyas: Software, Investigation, Writing - original draft,

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgement

We thank Asokan N, Elena R and Filippo B for providing valuable insights on SEAndroid policy analysis and for providing the SEAndroid policies used in the early stages of this project. We also thank the anonymous reviewers for their valuable comments and suggestions. This work was supported by the Information Security Research and Development Centre (project number: 15DEITY004), Ministry of Electronics and Information Technology (Meity), Government of India.

References (46)

  • P. Amthor et al., WorSE: a Workbench for model-based security engineering, Comput. Security (2014)
  • P. Amthor, The entity labeling pattern for modeling operating systems access control, E-Business and Telecommunications - 12th International Joint Conference, ICETE (2015)
  • AOSP, Android Platform Manifest (2020), accessed: Feb 2019
  • D.E. Bell et al., Secure Computer Systems: Mathematical Foundations, Technical Report (1973)
  • K.J. Biba, Integrity Considerations for Secure Computer Systems, Technical Report (1977)
  • D.F.C. Brewer et al., The Chinese wall security policy, Proceedings of the IEEE Symposium on Security and Privacy (1989)
  • H. Chen et al., Analysis of SEAndroid policies: combining MAC and DAC in Android, Proceedings of the 33rd Annual Computer Security Applications Conference (2017)
  • Y. Chen et al., Information flow query and verification for security policy of Security-Enhanced Linux, Advances in Information and Computer Security, First International Workshop on Security, IWSEC 2006, Proceedings (2006)
  • P. Clemente et al., SPTrack: visual analysis of information flows within SELinux policies and attack logs, Active Media Technol. (2012)
  • C. Cowan et al., SubDomain: parsimonious server security, LISA (2000)
  • D.E. Denning, A lattice model of secure information flow, Commun. ACM (1976)
  • A. Eaman et al., Review of existing analysis tools for SELinux security policies: challenges and a proposed solution, E-Technologies: Embracing the Internet of Things - 7th International Conference, MCETECH 2017, Proceedings (2017)
  • L. Georget et al., Verifying the reliability of operating system-level information flow control systems in Linux, FormaliSE@ICSE (2017)
  • M.I. Gofman et al., RBAC-PAT: a policy analysis tool for role based access control, Proceedings of Tools and Algorithms for the Construction and Analysis of Systems, 15th International Conference, TACAS 2009 (2009)
  • R. Gove, V3SPA: a visual analysis, exploration, and diffing tool for SELinux and SEAndroid security policies, IEEE Symposium on Visualization for Cyber Security (VizSec) (2016)
  • T. Harada et al., Task oriented management obviates your onus on Linux, Linux Conference (2004)
  • B. Hicks et al., A logical specification and analysis for SELinux MLS policy, ACM Trans. Inf. Syst. Security (TISSEC) (2010)
  • J. Hurd et al., Policy DSL: high-level specifications of information flows for security policies, High Confidence Softw. Syst. (HCSS) (2009)
  • T. Jaeger, Operating System Security (2008)
  • T. Jaeger et al., Consistency analysis of authorization hook placement in the Linux Security Modules framework, ACM Trans. Inf. Syst. Security (TISSEC) (2004)
  • T. Jaeger et al., Analyzing integrity protection in the SELinux example policy, Proceedings of the 12th USENIX Security Symposium, Volume 12 (2003)
  • N.V.N. Kumar et al., Realizing purpose-based privacy policies succinctly via information-flow labels, IEEE Fourth International Conference on Big Data and Cloud Computing, BDCloud (2014)
  • N.V.N. Kumar et al., A complete generative label model for lattice-based access control models, Proceedings of SEFM (2017)
Radhika B S is a PhD candidate in the Information Security Research and Development Centre, Indian Institute of Technology Bombay. She received her bachelor's degree in Computer Science and Engineering from the Visveswaraya Technological University, Belgaum and her Master's degree in Computer Science and Engineering (Information Security) from the National Institute of Technology Karnataka. She has worked as a software engineer in Hewlett-Packard GlobalSoft and Sandvine Technologies. Her research interests include Operating System Security, Access Control, Information Flow Control, and Web Security.

Dr. N V Narendra Kumar is an Assistant Professor at the Institute for Development and Research in Banking Technology, Hyderabad, India. He received his bachelor's degree in Computer Science and Information Technology from the Jawaharlal Nehru Technological University, Andhra Pradesh and his PhD in Computer Science from the Tata Institute of Fundamental Research, Mumbai. He has worked as a Senior Project Research Scientist in the Indian Institute of Technology Bombay, Mumbai and as a Research Scientist in a project (Design and Implementation of DIFC Security Architecture for Securing Linux-like OS) supported by the Defence Research & Development Organisation. His research interests include Malware Detection, Access Control, Information Flow Control, Blockchain, and Cryptology.

Prof. R K Shyamasundar is a distinguished visiting professor in the Department of Computer Science and Engineering, Indian Institute of Technology Bombay. He received his bachelor's degree in Electrical Engineering from the University of Mysore, and his master's degree in Electrical Engineering and PhD in Computer Science and Automation (1975) from the Indian Institute of Science, Bangalore. He was the founder Dean of the School of Technology and Computer Science at the Tata Institute of Fundamental Research (TIFR) and also worked at Eindhoven Technological University (1978-79) as an International Research Fellow under Edsger Dijkstra. He has held various assignments at the IBM TJ Watson Research Center, Eindhoven University of Technology, State University of Utrecht, Pennsylvania State University, University of Illinois, University of California, ENSMP Sophia Antipolis, IRISA, Rennes and so on. He is a Fellow of IEEE, ACM, the Indian Academy of Sciences, the Indian National Science Academy, and the National Academy of Sciences, India.

Parjanya Vyas is an M. Tech. student at the Department of Computer Science, Indian Institute of Technology Bombay (IITB), Mumbai, India, which he joined after receiving his B. Tech. degree in Computer Engineering from Nirma University, Ahmedabad, India in 2015. His research interests include Operating System Security, Information Flow Control, and Information Theory. Currently, he is working as a research assistant in the Information Security Research and Development Centre, IITB. Previously, he worked as a software engineer in Samsung Research Institute, Noida from 2015 to 2016.