Abstract
Identifying and protecting the trusted computing base (TCB) of a system is an important task, typically performed by designing and enforcing a system security policy and by verifying whether an existing policy satisfies the security objectives. Because policy configurations in contemporary systems are highly complex, policy designers and security administrators need an intuitive and cognitive policy analysis mechanism to support these tasks efficiently. In this paper, we present a graph-based policy analysis methodology that identifies TCBs while taking different system applications and services into account. By identifying information flows that violate the integrity protection of TCBs, we also propose resolution principles, which we apply using our graph-based policy analysis tool.
© 2009 IFIP International Federation for Information Processing
Cite this paper
Xu, W., Zhang, X., Ahn, GJ. (2009). Towards System Integrity Protection with Graph-Based Policy Analysis. In: Gudes, E., Vaidya, J. (eds) Data and Applications Security XXIII. DBSec 2009. Lecture Notes in Computer Science, vol 5645. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03007-9_5
DOI: https://doi.org/10.1007/978-3-642-03007-9_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03006-2
Online ISBN: 978-3-642-03007-9
eBook Packages: Computer Science (R0)