129 research outputs found
An Historical Analysis of the SEAndroid Policy Evolution
Android adopted SELinux's mandatory access control (MAC) mechanisms in 2013.
Since then, billions of Android devices have benefited from mandatory access
control security policies. These policies are expressed in a variety of rules,
maintained by Google and extended by Android OEMs. Over the years, the rules
have grown to be quite complex, making it challenging to properly understand or
configure these policies.
In this paper, we perform a measurement study on the SEAndroid repository to
understand the evolution of these policies. We propose a new metric to measure
the complexity of the policy by expanding policy rules, with their abstraction
features such as macros and groups, into primitive "boxes", which we then use
to show that the complexity of the SEAndroid policies has been growing
exponentially over time. By analyzing the Git commits, snapshot by snapshot, we
are also able to analyze the "age" of policy rules, the trend of changes, and
the contributor composition. We also look at hallmark events in Android's
history, such as the "Stagefright" vulnerability in Android's media facilities,
pointing out how these events led to changes in the MAC policies. The growing
complexity of Android's mandatory policies suggests that we will eventually hit
the limits of our ability to understand these policies, requiring new tools and
techniques.Comment: 16 pages, 11 figures, published in ACSAC '1
Practical assessment of Biba integrity for TCG-enabled platforms
Checking the integrity of an application is necessary to determine if the latter will behave as expected.
The method defined by the Trusted Computing Group consists in evaluating the fingerprints of the platform hardware and software components required for the proper functioning of the application to be assessed.
However, this only ensures that a process was working correctly at load-time but not for its whole life-cycle.
Policy-Reduced Integrity Measurement Architecture (PRIMA) addresses this problem by enforcing a security policy that denies information flows from potentially malicious processes to an application target of the evaluation and its dependencies (requirement introduced by CW-Lite, an evolution of the Biba integrity model).
Given the difficulty of deploying PRIMA (as platform administrators have to tune their security policies to satisfy the CW-Lite requirements) we propose in this paper Enhanced IMA, an extended version of the Integrity Measurement Architecture (IMA) that, unlike PRIMA, works almost out of the box and just reports information flows instead of
enforcing them.
In addition, we introduce a model to evaluate the information reported by Enhanced IMA with existing technique
Improving the Policy Specification for Practical Access Control Systems
Access control systems play a crucial role in protecting the security of information systems by ensuring that only authorized users are granted access to sensitive resources, and the protection is only as good as the access control policies. For enabling a security administrator to express her desired policy conveniently, it is paramount that a policy specification is expressive, comprehensible, and free of inconsistencies. In this dissertation, we study the policy specifications for three practical access control systems (i.e., obligation systems, firewalls, and Security-Enhanced Linux in Android) and improve their expressiveness, comprehensibility, and consistency. First, we improve the expressiveness of obligation policies for handling different types of obligations. We propose a language for specifying obligations as well as an architecture for handling access control policies with these obligations, by extending XACML (i.e., the de facto standard for specifying access control policies). We also implement our design into a prototype system named ExtXACML to handle various obligations. Second, we improve the comprehensibility of firewall policies enabling administrators to better understand and manage the policies. We introduce the tri-modularized design of firewall policies for elevating them from monolithic to modular. To support legacy firewall policies, we also define a five-step process and present algorithms for converting them into their modularized form. Finally, we improve the consistency of Security-Enhanced Linux in Android (SEAndroid) policies for reducing the attack surface in Android systems. We propose a systematic approach as well as a semiautomatic tool for uncovering three classes of policy misconfigurations. We also analyze SEAndroid policies from four Android versions and seven Android phone vendors, and in all of them we observe examples of potential policy misconfigurations
Functionality-based application confinement: A parameterised and hierarchical approach to policy abstraction for rule-based application-oriented access controls
Access controls are traditionally designed to protect resources from users, and consequently make access decisions based on the identity of the user, treating all processes as if they are acting on behalf of the user that runs them. However, this user-oriented approach is insufficient at protecting against contemporary threats, where security compromises are often due to applications running malicious code, either due to software vulnerabilities or malware. Application-oriented access controls can mitigate this threat by managing the authority of individual applications. Rule-based application-oriented access controls can restrict applications to only allow access to the specific finely-grained resources required for them to carry out their tasks, and thus can significantly limit the damage that can be caused by malicious code. Unfortunately existing application-oriented access controls have policy complexity and usability problems that have limited their use.
This thesis proposes a new access control model, known as functionality-based application confinement (FBAC). The FBAC model has a number of unique features designed to overcome problems with previous approaches. Policy abstractions, known as functionalities, are used to assign authority to applications based on the features they provide. Functionalities authorise elaborate sets of finely grained privileges based on high-level security goals, and adapt to the needs of specific applications through parameterisation. FBAC is hierarchical, which enables it to provide layers of abstraction and encapsulation in policy. It also simultaneously enforces the security goals of both users and administrators by providing discretionary and mandatory controls.
An LSM-based (Linux security module) prototype implementation, known as FBAC-LSM, was developed as a proof-of-concept and was used to evaluate the new model and associated techniques. The policy requirements of over one hundred applications were analysed, and policy abstractions and application policies were developed. Analysis showed that the FBAC model is capable of representing the privilege needs of applications. The model is also well suited to automaiii tion techniques that can in many cases create complete application policies a priori, that is, without first running the applications. This is an improvement over previous approaches that typically rely on learning modes to generate policies. A usability study was conducted, which showed that compared to two widely-deployed alternatives (SELinux and AppArmor), FBAC-LSM had significantly higher perceived usability and resulted in significantly more protective policies. Qualitative analysis was performed and gave further insight into the issues surrounding the usability of application-oriented access controls, and confirmed the success of the FBAC model
Assured Android Execution Environments
Current cybersecurity best practices, techniques, tactics and procedures are insufficient to ensure the protection of Android systems. Software tools leveraging formal methods use mathematical means to assure both a design and implementation for a system and these methods can be used to provide security assurances. The goal of this research is to determine methods of assuring isolation when executing Android software in a contained environment. Specifically, this research demonstrates security properties relevant to Android software containers can be formally captured and validated, and that an implementation can be formally verified to satisfy a corresponding specification. A three-stage methodology called The Formal Verification Cycle is presented. This cycle focuses on the iteration over a set of security properties to validate each within a specification and their verification within a software implementation. A security property can be validated when its functional language prototype (e.g. a Haskell coded version of the property) is converted and processed by a formal method (e.g. a theorem proof assistant). This validation of the property enables the definition of the property in a software specification, which can be implemented separately in an imperative programming language (e.g. the Go programming language). Once the implementation is complete another formal method can be used (e.g. symbolic execution) to verify the imperative implementation satisfies the validated specification. Successful completion of this cycle shows a given implementation is equivalent to a functional language prototype, and this cycle assures a specification for the original desired security properties was properly implemented. This research shows an application of this cycle to develop Assured Android Execution Environments
Small TCBs of policy-controlled operating systems
IT Systeme mit qualitativ hohen Sicherheitsanforderungen verwenden zur
Beschreibung, Analyse und Implementierung ihrer Sicherheitseigenschaften
zunehmend problemspezifische Sicherheitspolitiken, welche ein
wesentlicher Bestandteil der Trusted Computing Base (TCB) eines IT
Systems sind. Aus diesem Grund sind die Korrektheit und Unumgehbarkeit
der Implementierung einer TCB entscheidend, um die geforderten
Sicherheitseigenschaften eines Systems herzustellen, zu wahren und zu
garantieren.
Viele der heutigen Betriebssysteme zeigen, welche Herausforderung die
Realisierung von Sicherheitspolitiken darstellt; seit mehr als 40 Jahren
unterstützen sie wahlfreie identitätsbasierte Zugriffssteuerungspolitiken
nur rudimentär. Dies führt dazu, dass große Teile der
Sicherheitspolitiken von Anwendersoftware durch die Anwendungen selbst
implementiert werden. Infolge dessen sind die TCBs heutiger
Betriebssysteme groĂź, heterogen und verteilt, so dass die exakte
Bestimmung ihres Funktionsumfangs sehr aufwendig ist. Im Ergebnis sind
die wesentlichen Eigenschaften von TCBs - Korrektheit, Robustheit und
Unumgehbarkeit - nur schwer erreichbar.
Dies hat zur Entwicklung von Politik gesteuerten Betriebssystemen
gefĂĽhrt, die alle Sicherheitspolitiken eines Betriebssystems und seiner
Anwendungen zentral zusammenfassen, indem sie Kernabstraktionen fĂĽr
Sicherheitspolitiken und Politiklaufzeitumgebungen anbieten. Aktuelle
Politik gesteuerte Betriebssysteme basieren auf monolithischen
Architekturen, was dazu fĂĽhrt, dass ihre Komponenten zur Durchsetzung
ihrer Politiken im Betriebssystemkern verteilt sind. Weiterhin verfolgen
sie das Ziel, ein möglichst breites Spektrum an Sicherheitspolitiken zu
unterstĂĽtzen. Dies hat zur Folge, dass ihre Laufzeitkomponenten fĂĽr
Politikentscheidung und -durchsetzung universal sind. Im Ergebnis sind
ihre TCB-Implementierungen groĂź und komplex, so dass der TCB-
Funktionsumfang nur schwer identifiziert werden kann und wesentliche
Eigenschaften von TCBs nur mit erhöhtem Aufwand erreichbar sind.
Diese Dissertation verfolgt einen Ansatz, der die TCBs Politik
gesteuerter Betriebssysteme systematisch entwickelt. Die Idee ist, das
Laufzeitsystem fĂĽr Sicherheitspolitiken so maĂźzuschneidern, dass nur die
Politiken unterstützt werden, die tatsächlich in einer TCB vorhanden
sind. Dabei wird der Funktionsumfang einer TCB durch kausale
Abhängigkeiten zwischen Sicherheitspolitiken und TCB-Funktionen bestimmt.
Das Ergebnis sind kausale TCBs, die nur diejenigen Funktionen enthalten,
die zum Durchsetzen und zum Schutz der vorhandenen Sicherheitspolitiken
notwendig sind. Die präzise Identifikation von TCB-Funktionen erlaubt,
die Implementierung der TCB-Funktionen von nicht-vertrauenswĂĽrdigen
Systemkomponenten zu isolieren. Dadurch legen kausale TCBs die Grundlage
für TCB-Implementierungen, deren Größe und Komplexität eine Analyse und
Verifikation bezüglich ihrer Korrektheit und Unumgehbarkeit ermöglichen.
Kausale TCBs haben ein breites Anwendungsspektrum - von eingebetteten
Systemen ĂĽber Politik gesteuerte Betriebssysteme bis hin zu
Datenbankmanagementsystemen in groĂźen Informationssystemen.Policy-controlled operating systems provide a policy decision and enforcement environment to protect and enforce their security policies. The trusted computing base (TCB) of these systems are large and complex, and their functional perimeter can hardly be precisely identified. As a result, a TCB's correctness and tamper-proofness are hard to ensure in its implementation.
This dissertation develops a TCB engineering method for policy-controlled operating systems that tailors the policy decision and enforcement environment to support only those policies that are actually present in a TCB. A TCB's functional perimeter is identified by exploiting causal dependencies between policies and TCB functions, which results in causal TCBs that contain exactly those functions that are necessary to establish, enforce, and protect their policies. The precise identification of a TCB's functional perimeter allows for implementing a TCB in a safe environment that indeed can be isolated from untrusted system components. Thereby, causal TCB engineering sets the course for implementations whose size and complexity pave the way for analyzing and verifying a TCB's correctness and tamper-proofness.Auch im Buchhandel erhältlich:
Small TCBs of policy-controlled operating systems / Anja Pölck
Ilmenau : Univ.-Verl. Ilmenau, 2014. - xiii, 249 S.
ISBN 978-3-86360-090-7
Preis: 24,40
Recommended from our members
Information flow audit for PaaS clouds
© 2016 IEEE. With the rapid increase in uptake of cloud services, issues of data management are becoming increasingly prominent. There is a clear, outstanding need for the ability for specified policy to control and track data as it flows throughout cloud infrastructure, to ensure that those responsible for data are meeting their obligations. This paper introduces Information Flow Audit, an approach for tracking information flows within cloud infrastructure. This builds upon CamFlow (Cambridge Flow Control Architecture), a prototype implementation of our model for data-centric security in PaaS clouds. CamFlow enforces Information Flow Control policy both intra-machine at the kernel-level, and inter-machine, on message exchange. Here we demonstrate how CamFlow can be extended to provide data-centric audit logs akin to provenance metadata in a format in which analyses can easily be automated through the use of standard graph processing tools. This allows detailed understanding of the overall system. Combining a continuously enforced data-centric security mechanism with meaningful audit empowers tenants and providers to both meet and demonstrate compliance with their data management obligations.This work was supported by UK Engineering and Physical Sciences Research Council grant EP/K011510 CloudSafetyNet: End-to-End Application Security in the Cloud. We acknowledge the support of Microsoft through the Microsoft Cloud Computing Research Centre
- …