Abstract
To meet tightening security requirements, modern operating systems enforce mandatory access control based on formal security policies. To ensure the critical property of policy correctness, formal methods and models for both their specification and verification are used. The variety of these approaches reflects the diversity and heterogeneity of policy semantics, which makes policy engineering an intricate and error-prone process. Therefore, a common formal framework is needed that unifies both diverse access control systems on the one hand and diverse formal criteria of correctness on the other hand.
This paper presents a step towards this goal. We propose to leverage core-based model engineering, a uniform approach to policy formalization, and refine it by adding typical semantic abstractions of contemporary policy-controlled operating systems. This results in a simple, yet highly flexible framework for formalization, specification and analysis of operating system security policies. We substantiate this claim by applying our method to the SELinux system and demonstrating the practical usage of the resulting model.
Notes
1. To distinguish them from the SELinux “constraints” mentioned in Sect. 3.2, we will keep calling them policy constraints, while the term model constraints exclusively refers to the abstract EL component discussed here.
2. For a minimal example, we did not include MLS and policy constraints in this model. To do so, additional label sets and label assignments for “classification” and “category”, an authorization rule for the MLS dominance relation, and another set of model constraints for expressing policy constraints are needed.
3. In practice, there is another choice to make here: either modeling library wrapper functions only, or also including the syscall interface of the Linux kernel. Again, the decision depends on whether the respective analysis scenario includes applications that use syscalls directly. We will not go into further detail on when to prefer which degree of detail, and assume in the following that both are modeled.
4. SELinux uses the term “parent entity” to generalize the concept of label inheritance: whenever a process is created, e is its parent process; whenever a file or directory is created, e is the respective parent directory.
5. Technically, there is another, isomorphic mapping of file types to object classes that yields \(cl_{q_0}(i)\) based on \(ft\).
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Amthor, P. (2016). The Entity Labeling Pattern for Modeling Operating Systems Access Control. In: Obaidat, M., Lorenz, P. (eds) E-Business and Telecommunications. ICETE 2015. Communications in Computer and Information Science, vol 585. Springer, Cham. https://doi.org/10.1007/978-3-319-30222-5_13
DOI: https://doi.org/10.1007/978-3-319-30222-5_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-30221-8
Online ISBN: 978-3-319-30222-5
eBook Packages: Computer Science, Computer Science (R0)