SELinux Symposium


A New Type Enforcement Policy Development Framework and IDE Tool


Presented by Art Wilson, Tresys Technology, USA

What is exciting about Security-Enhanced Linux (SELinux) is that it brings a flexible, powerful mandatory access control model, called Type Enforcement (TE) to Linux. However, all of the richness and complexity that makes Linux a compelling operating system can increase the size and complexity of SELinux policies. A typical policy can have tens of thousands of rules, all with subtle semantics. Writing effective TE policies today is often more an art than a science, requiring a policy author with in-depth knowledge of security, SELinux, and the particular system and applications targeted by the policy. These challenges make it difficult for many potential policy authors, like system integrators or application developers, to create policies that achieve their security goals in a consistent and demonstrable manner. As SELinux becomes more popular, the challenge of writing and developing TE policies will become a bottleneck for adoption.

To address these challenges, Tresys has developed a new conceptual Policy Development Framework. The Framework abstracts the TE policy language allowing a policy writer to focus on defining and encoding the security concerns for their application. The Framework encourages strong security engineering and keeps the writer from being distracted by subtle policy and kernel details that may or may not be relevant to the overall security goal of their application.

The Framework is built on three simple abstractions: processing domains, shared resources, and access arrows. These abstractions are more general than what the current TE language supports. For example, the Framework's notion of a processing domain, which includes the process type together with the object resources private to it, is more general than the domain type concept of the current TE language. These three abstractions, coupled with the ability to stepwise decompose a domain into a subset of the same three abstractions, provide a simple framework for writing secure TE policies while still providing enough power to represent sophisticated security properties.

To date we have developed the conceptual framework and are manually applying it to real-world problems. We are also starting a development effort to build an integrated development environment (IDE) to support policy development using this framework. The IDE will allow a writer to design a security policy, using decomposition where more sophistication is needed, and automatically generate the associated TE policy. The goal is not only to make writing TE policies more accessible to developers and integrators, but also to raise the likelihood that the resulting TE policies are "good" ones. The IDE will support not only the narrow notion of the TE policy itself, but also the associated label policy that associates resources with types.
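The following sketch illustrates the abstract's two ideas in code: how processing domains, shared resources and access arrows (the three abstractions above) can be lowered into raw TE rules, and how the same model yields the label policy (a file_contexts fragment) the IDE is said to generate alongside it. It is an added example written for this page, not Tresys's Framework or IDE; the type naming scheme (`app_t`, `app_exec_t`, `app_data_t`), the per-class permission sets, the `lint` rule that an arrow may never reach into another domain's private resource, and the sample model are all this example's own assumptions. Stepwise decomposition of a domain is not modelled.

```python
"""Lowering of processing domains, shared resources and access arrows into
raw SELinux TE policy plus a file_contexts fragment.

Added illustration, not Tresys's Framework or IDE: the type naming scheme,
the per-class permission sets and the rule shapes are assumptions.
"""
from dataclasses import dataclass, field

# Constructed permission sets per object class (assumption: enough for a demo).
PRIVATE_PERMS = {
    "dir": ("read", "write", "open", "getattr", "search", "add_name", "remove_name"),
    "file": ("read", "write", "open", "getattr", "create", "unlink"),
}
CONTEXT = "system_u:object_r:{type}:s0"   # security context used for every label


@dataclass(frozen=True)
class Resource:
    """Object resource: a path regex that will be labelled with its own type."""
    name: str
    path_regex: str                  # file_contexts regex, e.g. r"/var/lib/app(/.*)?"
    classes: tuple = ("dir", "file")


@dataclass
class Domain:
    """Processing domain: a process type, its entry-point executable and the
    object resources only this domain may touch."""
    name: str
    entrypoint: str                  # path regex of the executable
    private: list = field(default_factory=list)   # list[Resource]


@dataclass(frozen=True)
class Arrow:
    """Access arrow: domain `src` gets `perms` on class `cls` of `target`,
    where target is a shared resource name or another domain name."""
    src: str
    target: str
    cls: str
    perms: tuple


class PolicyError(ValueError):
    """Raised when the abstractions cannot be lowered consistently."""


def _dom_type(d):
    return f"{d}_t"


def _exec_type(d):
    return f"{d}_exec_t"


def _priv_type(owner, r):
    return f"{owner}_{r}_t"


def _shared_type(r):
    return f"{r}_t"


def _allow(s, t, cls, perms):
    return f"allow {s} {t}:{cls} {{ {' '.join(perms)} }};"


def lint(domains, shared, arrows):
    """Return a list of violations; empty means the model is consistent.
    Key check: an arrow may never reach into another domain's private
    resource, otherwise 'private' means nothing."""
    owner = {r.name: d.name for d in domains for r in d.private}
    dom_names = {d.name for d in domains}
    names = dom_names | {r.name for r in shared}
    problems = [f"resource {n!r} is both private and shared"
                for n in sorted(set(owner) & {r.name for r in shared})]
    for a in arrows:
        if a.src not in dom_names:
            problems.append(f"arrow source {a.src!r} is not a domain")
        elif a.target in owner and owner[a.target] != a.src:
            problems.append(f"arrow {a.src} -> {a.target} crosses into private resource of {owner[a.target]}")
        elif a.target not in names and a.target not in owner:
            problems.append(f"arrow target {a.target!r} is undefined")
    return problems


def generate(domains, shared, arrows):
    """Return (te_policy, file_contexts) text, or raise PolicyError."""
    problems = lint(domains, shared, arrows)
    if problems:
        raise PolicyError("; ".join(problems))
    owner = {r.name: d.name for d in domains for r in d.private}
    dom_names = {d.name for d in domains}
    te, fc = [], []
    for d in domains:
        dt, et = _dom_type(d.name), _exec_type(d.name)
        te += [f"type {dt};", f"type {et};",
               # the domain is entered by executing its labelled entry point
               _allow(dt, et, "file", ("read", "execute", "entrypoint"))]
        fc.append(f"{d.entrypoint} -- {CONTEXT.format(type=et)}")
        for r in d.private:
            pt = _priv_type(d.name, r.name)
            te.append(f"type {pt};")
            # private resource: full access for the owner, no other allow rule names pt
            te += [_allow(dt, pt, cls, PRIVATE_PERMS[cls]) for cls in r.classes]
            fc.append(f"{r.path_regex} {CONTEXT.format(type=pt)}")
    for r in shared:
        st = _shared_type(r.name)
        te.append(f"type {st};")     # shared resource: reachable only through explicit arrows
        fc.append(f"{r.path_regex} {CONTEXT.format(type=st)}")
    for a in arrows:
        if a.target in dom_names:
            tt = _dom_type(a.target)
        elif a.target in owner:          # the source's own private resource (lint allowed it)
            tt = _priv_type(owner[a.target], a.target)
        else:
            tt = _shared_type(a.target)
        te.append(_allow(_dom_type(a.src), tt, a.cls, a.perms))
    return "\n".join(te) + "\n", "\n".join(fc) + "\n"


def example_model():
    """Constructed sample: an app with private state appends to a shared log
    that a separate logger domain reads; the logger may also signal the app."""
    app = Domain("app", r"/usr/bin/app", [Resource("data", r"/var/lib/app(/.*)?")])
    logger = Domain("logger", r"/usr/sbin/app_logger")
    log = Resource("log", r"/var/log/app(/.*)?")
    arrows = [Arrow("app", "log", "file", ("append", "open", "getattr")),
              Arrow("logger", "log", "file", ("read", "open", "getattr")),
              Arrow("logger", "app", "process", ("signal",))]
    return [app, logger], [log], arrows


if __name__ == "__main__":
    te_text, fc_text = generate(*example_model())
    print(te_text)
    print(fc_text)
```

The generated `.te` text declares one type per domain, entry point and resource, grants the owner full access to its private resources, and emits exactly one `allow` rule per arrow; the `.fc` text labels every path so the label policy cannot drift from the TE policy. The lint step is the part worth keeping in mind: a policy author who writes the rules by hand can silently grant a second domain access to a "private" type, whereas a generator working from the abstractions can refuse the model outright.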

In this presentation, we will provide an overview of the Policy Development Framework, and demonstrate its utility in making secure TE policy development more practical. We will also present the status of the associated policy development IDE.
©Copyright 2005-2006 SELinux Symposium, LLC