Abstract
The need for access control in computer systems is inherent. However, the complexity to configure such systems is constantly increasing which affects the overall security of a system negatively. We think that it is important to define security requirements on a non-technical level while taking the application domain into respect in order to have a clear and separated view on security configuration (i.e. unblurred by technical details). On the other hand, security functionality has to be tightly integrated with the system and its development process in order to provide comprehensive means of enforcement. In this paper, we propose a systematic approach based on model-driven security configuration to leverage existing operating system security mechanisms (SELinux) for realising access control. We use UML models and develop a UML profile to satisfy these needs. Our goal is to exploit a comprehensive protection mechanism while rendering its security policy manageable by a domain specialist.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Rsbac - rule set based access control, http://www.rsbac.org (last visited April 2009)
Security-enhanced linux (selinux), http://www.nsa.gov/selinux/
Agreiter, B., Alam, M., Hafner, M., Seifert, J.-P., Zhang, X.: Model Driven Configuration of Secure Operating Systems for Mobile Applications in Healthcare. In: MOTHIS 2007 (2007)
Badger, L., Sterne, D.F., Sherman, D.L., Walker, K.M., Haghighat, S.A.: Practical Domain and Type Enforcement for UNIX. In: IEEE Symposium On Security And Privacy, p. 66 (1995)
Basin, D., Doser, J., Lodderstedt, T.: Model driven security: From UML models to access control infrastructures. ACM Transactions on Software Engineering and Methodology (TOSEM) 15(1), 39–91 (2006)
Breu, R., Hafner, M., Weber, B., Novak, A.: Model Driven Security for Inter-organizational Workflows in e-Government. In: Government: Towards Electronic Democracy: International Conference, TCGOV 2005, proceedings, Bolzano, Italy, March 2-4 (2005)
Day, J.D., Zimmermann, H.: The OSI reference model. Proceedings of the IEEE 71(12), 1334–1340 (1983)
De Win, B.: Engineering application-level security through aspect-oriented software development. PhD thesis, Katholieke Universiteit Leuven (2004)
Guttman, J.D.: Verifying information flow goals in security-enhanced Linux. Journal of Computer Security 13(1), 115–134 (2005)
Hafner, M., Breu, R., Agreiter, B., Nowak, A.: Sectet: an extensible framework for the realization of secure inter-organizational workflows. Internet Research 16(5), 491–506 (2006)
Hafner, M., Memon, M., Alam, M.: Modeling and Enforcing Advanced Access Control Policies in Healthcare Systems with SECTET. In: Giese, H. (ed.) MODELS 2008. LNCS, vol. 5002, pp. 132–144. Springer, Heidelberg (2008)
ISO/IEC (ed.): ISO/IEC 10181-3:1996 Information technology Open Systems Interconnection Security frameworks for open systems: Access control framework. ISO/IEC, Geneva, int. standard edn. (1996)
Jaeger, T., Sailer, R., Zhang, X.: Analyzing integrity protection in the SELinux example policy. In: Proceedings of the 12th conference on USENIX Security Symposium, vol. 12, p. 5. USENIX Association Berkeley, CA (2003)
Jawurek, M.: RSBAC-a framework for enhanced Linux system security
Latham, D.C.: Department of Defense Trusted Computer System Evaluation Criteria. Department of Defense (1986)
Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-based Modeling Language for Model-Driven Security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)
Loscocco, P., Smalley, S.: Meeting Critical Security Objectives with Security-Enhanced Linux. In: Proceedings of the 2001 Ottawa Linux Symposium, pp. 115–134 (2001)
MacMillan, K.: Madison: A new approach to automated policy generation (March 2007)
Mayer, F., MacMillan, K., Caplan, D.: SELinux by Example: Using Security Enhanced Linux. Prentice Hall, Englewood Cliffs (2006)
Saltzer, J.H., Schroeder, M.D.: The protection of information in computer systems. IEEE, Proceedings 63, 1278–1308 (1975)
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-Based Access Control Models. Computer, 38–47 (1996)
Selic, B.: A systematic approach to domain-specific language design using UML. In: 10th IEEE International Symposium on Object and Component-Oriented Real-Time Distributed Computing, ISORC 2007, pp. 2–9 (2007)
Sniffen, B.T., Harris, D.R., Ramsdell, J.D.: Guided policy generation for application authors (February 2006)
Spencer, R., Smalley, S., Loscocco, P., Hibler, M., Andersen, D., Lepreau, J.: The flask security architecture: system support for diverse security policies. In: Proceedings of the 8th conference on USENIX Security Symposium, table of contents, vol. 8, p. 11 (1999)
Stahl, T., Völter, M.: Modellgetriebene Softwareentwicklung Techniken, Engineering, Management. dpunkt-Verl (2007)
Tresys Technology. Cds framework (last visited, April 2009), http://oss.tresys.com/projects/cdsframework
Walsh, E.: Application of the Flask Architecture to the X Window System Server. In: SELinux Symposium (2007)
Wright, C., Cowan, C., Morris, J., Smalley, S., Kroah-Hartman, G.: Linux security modules: general security support for the linux kernel. Foundations of Intrusion Tolerant Systems, 2003 (Organically Assured and Survivable Information Systems), pp. 213–226 (2003)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Agreiter, B., Breu, R. (2009). Model-Driven Configuration of SELinux Policies. In: Meersman, R., Dillon, T., Herrero, P. (eds) On the Move to Meaningful Internet Systems: OTM 2009. OTM 2009. Lecture Notes in Computer Science, vol 5871. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-05151-7_10
Download citation
DOI: https://doi.org/10.1007/978-3-642-05151-7_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-05150-0
Online ISBN: 978-3-642-05151-7
eBook Packages: Computer ScienceComputer Science (R0)