3 research outputs found

    SEEdit: SELinux Security Policy Configuration System with Higher Level Language

    Security policy for SELinux is usually created by customizing a sample policy called refpolicy. However, describing and verifying security policy configurations is difficult because in refpolicy, there are more than 100,000 lines of configurations, thousands of elements such as permissions, macros and labels. The memory footprint of refpolicy, which is around 5MB, is also a problem for resource constrained devices. We propose a security policy configuration system SEEdit which facilitates creating security policy by a higher level language called SPDL and SPDL tools. SPDL reduces the number of permissions by integrated permissions and removes label configurations. SPDL tools generate security policy configurations from access logs and tool user’s knowledge about applications. Experimental results on an embedded system and a PC system show that practical security policies are created by SEEdit, i.e., describing configurations is semiautomated, created security policies are composed of less than 500 lines of configurations, 100 configuration elements, and the memory footprint in the embedded system is less than 500KB.

    Supporting access control policies across multiple operating systems

    The evaluation of computer systems has been an important issue for many years, as evidenced by the introduction of industry evaluation guides such as the Rainbow Books and the more recent Common Criteria for IT Security Evaluation. As organizations depend on the Internet for their daily operations, the need for evaluation is even more apparent due to new security risks. It is not uncommon for large organizations to evaluate different systems, such as operating systems, to identify which would best fit their security policy. Each system would undoubtedly use different methods to represent access control policies. The security policy would therefore need to be translated into specific access control policies that each system understands, which is challenging when large and complex systems are involved. In this paper, we focus on the evaluation of operating systems. We describe Chameleos, a policy specification language that is designed to specify the access control policies of multiple operating systems. The strength of Chameleos is its flexibility to cater to many operating systems, while remaining sufficiently extensible to support the specific features of each system. We describe the design and architecture of Chameleos, and demonstrate that Chameleos can flexibly and effectively represent the access control policies of grsecurity and SELinux – two very different systems.

    An access control model for mobile physical objects

    Access to distributed databases containing tuples collected about mobile physical objects requires information about the objects' trajectories. Existing access control models cannot encode this information efficiently. This poses a policy management problem to administrators in real-world supply chains where companies want to protect their goods tracking data. In this paper we propose a new access control model as an extension to attribute-based access control that allows trajectory-based visibility policies. We prove the security properties of our novel authentication protocol for distributed systems that can supply the decision algorithm with the necessary reliable information using only standard passive RFID tags. As a result companies will be able to improve confidentiality protection and governance of their object tracking data and more trustingly engage in data sharing agreements.