Professional Documents
Culture Documents
Advanced Systems Security - Security-Enhanced Linux (Cse544-Selinux) PDF
Advanced Systems Security - Security-Enhanced Linux (Cse544-Selinux) PDF
Infrastructure Security
Network and Security Research Center
Department of Computer Science and Engineering
Pennsylvania State University, University Park PA
• Verifiability
‣ Code correctness
‣ Policy satisfy a security goal
‣ Not explicitly the focus: Can support MLS for user
data
Systems and Internet Infrastructure Security (SIIS) Laboratory
Page
5
Design Tamperproofing Policy
• Do not believe that classical integrity is
achievable in practice
‣ Too many exceptions
‣ Commercial systems will not accept constraints of
classical integrity
• Instead, focus on providing comprehensive control
of access aiming for integrity via least privilege
‣ Integrity of system components
‣ All user processes run with the same label
kernel_t
mount_t inetd_t
Figure 2: SELinux Example Policy’s type transition hierarchy for our proposed TCB subject types.
clude initrc_t and inetd_t because these services the same file, then it must be a low integrity file. Obvi-
initiate many of the services in a UNIX system. ously, the high integrity process can no longer read from
Systems and Internet Infrastructure Security (SIIS) Laboratory
this file and maintain Biba integrity. Page
Biba Integrity Analysis
High Subject
Object Read
Subject
Perm
Low Subject
Can Modify
Input To High
Perm
Subject
Object Write
Low Subject
logfile
logrotate read lastlog lastlog
xdm
read write
‣ Permission classifications:
• Sanitize perm use (allow) – “filtering permissions”
• Deny access to conflicting perms (deny) – “troublemaker perms”
• Modify policy – “major surgery”