SELinux Symposium Notes: Session 7

[Editor's note: It's almost over! Since I had to bail on Session 8 to catch my flight back to Indiana, this is the last set of notes I was able to take. My handwriting gets worse and the content gets more terse with each set. Insert disclaimer here. Enjoy.]

Lessons Learned Developing Cross-Domain Solutions on SELinux (Karl MacMillan et al., Tresys Technology)

for high-security or untrusted compartmentalized environments
primary goals: confidentiality (H -/-> L) & integrity (L -/-> H); use information flow pipeline
CDS breaks BLP, Biba models — want to control flows, not prohibit outright
let SELinux do the heavy lifting; minimize what app has to do; but apps do need to do transfer policy (e.g. “documents have no executable content” done by app, but SELinux can force filter to be used)
control access to domains to prevent uncontrolled information flows
use multiple localhost aliases (separately labeled) for network-based IPC among local compartments
one-way IPC w/o covert back channels (e.g. timing)? most IPC mechanisms are designed for bidirectional use
existing policies often more permissive than strictly necessary — they don't consider narrow flows
TE works very well for CDS & assured pipelines

Lopol: A Deductive Database Approach to Policy Analysis and Rewriting (Aleks Kissinger et al., University of Tulsa)

lightweight, interactive, iterative, based on logic programming (Datalog)
operates on policy.conf, translate rules into relations
Datalog evaluation on binary decision diagrams
analysis by forming rules & running queries (primitive rules: reads, writes, [transitive] flows)
generic rules: privileged types, trusted intermediaries, …

Attack-based Domain Transition Analysis (Susan Hinrichs et al., University of Illinois at Urbana-Champaign)

what happens if a domain is coopted? information flows, domain transitions (transitively)
look at what a domain can read and write, considering transitions
global domain transition graphs large — domain not bounded as much as we’d like
graph shallow and very wide
consider subgraphs starting at suspect domains & end at sensitive domains
edges: cut edges along paths, or log more carefully, or disable when under threat (via boolean)
nodes: study domain & verify it can’t be misused, insert high-assurance proxy, split domain
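The three talks above share one mechanism: turn allow rules into relations and ask reachability questions over them. The following is an added example written for these notes, not code from Lopol, Tresys or the UIUC tool. It parses a small constructed policy.conf-style fragment into Datalog-style relations (reads, writes, transition) by naive fixpoint iteration in Python rather than on BDDs, then runs the three checks the talks describe: the CDS assured-pipeline check (high reaches low only through the filter domain), transitive information flow, and the attack-based question of what a coopted domain can reach through domain transitions, with the cut edges of the suspect-to-sensitive subgraph. The type names, the permission-to-read/write mapping and the sample rules are all assumptions chosen for illustration.

```python
"""Toy SELinux policy analyser: added example, not Lopol or the UIUC tool."""
import re
from collections import defaultdict

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")
# Assumed coarse mapping of permissions to information-flow direction.
READ_PERMS = {"read", "getattr", "execute"}
WRITE_PERMS = {"write", "append", "create", "setattr"}

# Constructed sample policy (not from any shipped policy): high -> filter -> low pipeline,
# plus a chain of domain transitions an attacker in low_app_t could ride.
SAMPLE_POLICY = """
allow high_app_t high_data_t:file { read write };
allow high_app_t high_out_t:file { write };
allow filter_t high_out_t:file { read };
allow filter_t low_in_t:file { write };
allow low_app_t low_in_t:file { read };
allow low_app_t low_data_t:file { read write };
allow low_app_t net_daemon_t:process transition;
allow low_app_t cron_t:process transition;
allow net_daemon_t admin_t:process transition;
allow cron_t admin_t:process transition;
allow admin_t high_app_t:process transition;
allow admin_t high_data_t:file { getattr };
"""

def parse_policy(text):
    """Return (source, target, class, perms) tuples for each allow rule."""
    rules = []
    for src, tgt, cls, multi, single in ALLOW_RE.findall(text):
        rules.append((src, tgt, cls, frozenset((multi or single).split())))
    return rules

def relations(rules):
    """Base relations: reads(d,o), writes(d,o), transition(d1,d2)."""
    rel = {"reads": set(), "writes": set(), "transition": set()}
    for src, tgt, cls, perms in rules:
        if cls == "process" and "transition" in perms:
            rel["transition"].add((src, tgt))
            continue
        if perms & READ_PERMS:
            rel["reads"].add((src, tgt))
        if perms & WRITE_PERMS:
            rel["writes"].add((src, tgt))
    return rel

def closure(edges):
    """Naive fixpoint for flow(x,z) :- flow(x,y), flow(y,z)."""
    result = set(edges)
    while True:
        new = {(a, d) for a, b in result for c, d in result if b == c} - result
        if not new:
            return result
        result |= new

def direct_flows(rel, exclude=()):
    """flow(s,d) :- writes(s,o), reads(d,o), s != d; domains in `exclude` are removed."""
    readers = defaultdict(set)
    for d, o in rel["reads"]:
        if d not in exclude:
            readers[o].add(d)
    return {(s, d) for s, o in rel["writes"] if s not in exclude
            for d in readers[o] if d != s}

def flows_to(rel, src, dst, exclude=()):
    """Transitive information flow from src to dst, optionally with guard domains removed."""
    return (src, dst) in closure(direct_flows(rel, exclude))

def pipeline_check(rel, high, low, filt):
    """CDS requirement: (controlled flow via the filter exists, flow bypassing the filter exists)."""
    return flows_to(rel, high, low), flows_to(rel, high, low, exclude={filt})

def reachable(edges, start):
    """Domains a coopted `start` can become by transitive domain transition (itself included)."""
    seen, stack = {start}, [start]
    while stack:
        d = stack.pop()
        for a, b in edges:
            if a == d and b not in seen:
                seen.add(b)
                stack.append(b)
    return seen

def attack_subgraph(rel, suspect, sensitive):
    """Transition edges lying on some path from suspect to sensitive."""
    edges = rel["transition"]
    fwd = reachable(edges, suspect)
    back = reachable({(b, a) for a, b in edges}, sensitive)
    return {(a, b) for a, b in edges if a in fwd and b in back}

def cut_edges(rel, suspect, sensitive):
    """Edges whose removal alone disconnects suspect from sensitive: candidates to cut or boolean-gate."""
    sub = attack_subgraph(rel, suspect, sensitive)
    return {e for e in sub if sensitive not in reachable(sub - {e}, suspect)}

def effective_access(rel, suspect):
    """(readable objects, writable objects) for a coopted domain after any chain of transitions."""
    doms = reachable(rel["transition"], suspect)
    return ({o for d, o in rel["reads"] if d in doms},
            {o for d, o in rel["writes"] if d in doms})

if __name__ == "__main__":
    rel = relations(parse_policy(SAMPLE_POLICY))
    print("H->L via filter, H->L bypassing filter:", pipeline_check(rel, "high_app_t", "low_app_t", "filter_t"))
    print("L->H flow:", flows_to(rel, "low_app_t", "high_app_t"))
    print("attack subgraph:", sorted(attack_subgraph(rel, "low_app_t", "high_app_t")))
    print("cut edges:", cut_edges(rel, "low_app_t", "high_app_t"))
    print("coopted low_app_t can read/write:", effective_access(rel, "low_app_t"))
```

In the sample, the only high-to-low flow goes through filter_t, so the pipeline check reports a controlled flow and no bypass; adding a single rule such as a read of high_data_t by low_app_t flips the bypass result. The transition analysis shows why the talk warns that global domain graphs are wide: two parallel paths reach admin_t, so only the final admin_t to high_app_t edge is a cut edge, and a coopted low_app_t ends up with read and write reach into high_data_t.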
