Some new selinux ideas
July 24th, 2007 By shazkhan

I have come across some talks about enabling selinux to achieve resource utilization using rbac. This sounds like a good research area. Do we have anyone to handle this?

7 Responses to "Some new selinux ideas"
 
alam78
July 24th, 2007

I am doing work in this direction, not from the RBAC perspective but from the UCON one. I can explain it to you people, if someone is interested.

I have sent the paper to your email. You are working on MAC labels, which implicitly or explicitly come under the umbrella of Information Flow Analysis.

The recent paper by Trent Jaeger on Combining Java with SELinux MAC labels is interesting, but this latest one, which combines Java Servlets with MAC labels, is also very interesting.

This is the application context that I was referring to in the past meetings, i.e., high-level applications shall have a tighter link with MAC labels by any specific operating system mechanism such as SELinux, AppArmor, etc.

See you tomorrow inshAllah

 
alam78
July 24th, 2007

By the way, everybody is welcome in this area.

But in my opinion, the need for verification is very high in the area of security typed languages like JIF (Java Information Flow). Through this language, security labels can be associated with types, variables.

Theoretically, this kind of framework ensures that at run time, there are no integrity violations — the key concepts of BIBA integrity. Plus, the compiler is equipped to monitor the labels of the types, such that there shall be no violation of the security labels policy.

Trent Jaeger, in this paper, highlighted how this kind of framework can be specialized for SELinux MAC labels, in the sense that one can specify labels in Java, and they are in fact enforced at the SELinux levels. Besides that, please note that the compiler is actually responsible for run time measurements. The situation can be easily clarified with the help of the following example:

Application A wants to communicate with Application B, both written in Java. So what SELinux can do is ensure that Application A can only access Application B and vice versa. But in the event of communication between A and B, there shall be no other malicious path between A and B. However, one can easily watch a security hole in between — i.e., once SELinux permits, SELinux does not have any control on communication, or at least on the data between A and B. This is where the compiler of applications A and B will come into play. It will ensure that even after SELinux is gone from the scene, there shall be no integrity violation.

I thought to work on the topic of how, when a client sends a request to a server, the client can be sure that the integrity of the data enclosed within its request is securely treated within the server. However, I noticed that this topic is already explored by the SIF paper I am referring to :) Bad luck.

Anyways, from the verification perspective, this field has great potential in it. As several people have vested interests nowadays in Verification — maybe I am wrong!
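Added example, not part of the comments on this page and not code from Jif or SIF: a toy Python checker for the compile-time label check the comment above describes, where SELinux permits the A-to-B channel and a Biba-style rule (data may not flow from a lower integrity label to a higher one) is checked on the data itself. The label names, variable names, the `Assign` statement format and the `endorse` flag are assumptions made up for this illustration.

```python
from dataclasses import dataclass

# Integrity levels, lowest to highest. Constructed for this example.
LEVELS = {"untrusted": 0, "app": 1, "trusted": 2}

@dataclass(frozen=True)
class Assign:
    target: str             # variable being written
    sources: tuple          # variables read on the right-hand side
    endorse: bool = False   # explicit, reviewable integrity upgrade

def check(decls, program):
    """Return (statement index, flow) for every write that raises integrity."""
    errors = []
    for i, st in enumerate(program):
        for name in (st.target, *st.sources):
            if name not in decls:
                raise KeyError(f"statement {i}: no label declared for {name!r}")
        target_level = LEVELS[decls[st.target]]
        # An expression is only as trustworthy as its least trusted operand.
        source_level = min((LEVELS[decls[s]] for s in st.sources),
                           default=max(LEVELS.values()))
        if source_level < target_level and not st.endorse:
            weakest = min(st.sources, key=lambda s: LEVELS[decls[s]])
            errors.append(
                (i, f"{weakest}:{decls[weakest]} -> {st.target}:{decls[st.target]}"))
    return errors

# Constructed scenario: application A sends a_request to application B.
# The OS policy allows the channel; the labels below govern the data on it.
DECLS = {
    "net_input": "untrusted", "a_request": "app",
    "b_config": "trusted", "b_reply": "app", "b_log": "untrusted",
}
PROGRAM = [
    Assign("a_request", ("net_input",)),                # 0: raw input into the request
    Assign("b_reply", ("a_request", "b_config")),       # 1: reply is only app-level
    Assign("b_config", ("a_request",)),                 # 2: request overwrites config
    Assign("b_log", ("a_request",)),                    # 3: flowing down is allowed
    Assign("a_request", ("net_input",), endorse=True),  # 4: explicit endorsement
]

if __name__ == "__main__":
    for index, flow in check(DECLS, PROGRAM):
        print(f"statement {index}: illegal integrity flow {flow}")
```

Statements 0 and 2 are rejected before the program ever runs, which is the gap a channel-level allow rule cannot cover on its own.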

 
shazkhan
July 24th, 2007

Maybe Nauman can also pool in because we have programming language, i.e. software engineering, involved. It will open up a new MAC perspective to me as well. I haven't been looking at MAC in such a manner. If recly joins in it will be nice to have someone to talk to, because the internet is not a feasible channel, so it makes a gap in understanding; that's why we are not aligning to each other properly. Thus we will have two directions rather than three. Thus we will be working more closely than before. I'll study the JIF paper tonight and talk to u tomorrow inshAllah.

 
alam78
July 24th, 2007

Especially, read it from the brainstorming perspective. Prepare questions, for yourself and for myself.

 
shazkhan
July 24th, 2007

That's going to be tough to deviate my mind from my current work but I'll try my best. I am also working with my bro on his assignment! That is one answer to being slow after visiting another bro at Karachi and doing shopping with my mom and not getting any time in Karachi for my paper!

 
recluze
July 27th, 2007

Shaz: As for my part in this, I’m not sure right now. I want to verify at least one proper security protocol before even thinking about frameworks and architectures.

 
shazkhan
July 27th, 2007

I have done quite some work on frameworks and it will take u not more than a day's work to get the appropriate concepts if I explain it to u, as you know I make it very simple for the learner. But again mr mma has been quiet about it for some time now. Maybe because I informed him about the shortcomings of this research. It's in its very infancy and needs highly critical study to address the shortcomings and then to make it usable for mainline production.

So let's see if it is able to attract future attention. But believe me it needs a lot of attention to maneuver it. At the same time it's a very nice line of action.
