A Comparative Analysis of Linux Mandatory Access Control Policy Enforcement Mechanisms

被引：1

作者：

Brimhall, Brennon ^{[1
]}

Garrard, Justin ^{[1
]}

De La Garza, Christopher ^{[1
]}

Coffman, Joel ^{[1
,2
]}

机构：

[1] Johns Hopkins Univ, Baltimore, MD 21218 USA

[2] US Air Force, Dept Comp & Cyber Sci, Washington, DC 20330 USA

来源：

PROCEEDINGS OF THE 2023 EUROPEAN WORKSHOP ON SYSTEM SECURITY, EUROSEC 2023 | 2023年

关键词：

mandatory access control (MAC); Linux Security Modules (LSM); Security-Enhanced Linux (SELinux); extended Berkeley Packet Filter (eBPF); kernel runtime security implementation (KRSI);

D O I：

10.1145/3578357.3589454

中图分类号：

TP [自动化技术、计算机技术];

学科分类号：

0812 ;

摘要：

Unix-and by extension, Linux-traditionally uses a discretionary access control (DAC) paradigm. DAC mechanisms are decentralized by design, which makes it difficult to audit the security of a computer system. Furthermore, Unix systems have the concept of a root user who can bypass any DAC policies in place. These issues led to the development of mandatory access control (MAC) mechanisms, such as AppArmor, Security-Enhanced Linux (SELinux), and eBPF. We compare and contrast the performance differences between two popular MAC mechanisms for the Linux kernel: SELinux and Berkeley Packet Filter (BPF)/kernel runtime security implementation (KRSI). We demonstrate that BPF policies offer superior performance, have greater expressive power, and are easier to implement than comparable SELinux policies. Our results suggest that BPF/KRSI is the leading MAC mechanism for Linux systems.

引用

页码：1 / 7

页数：7

共 50 条

[1] Design and Implementation of Linux File Mandatory Access Control
Tian, Liye
Rong, Xing
Lu, Tingting
[J]. NETWORK COMPUTING AND INFORMATION SECURITY, 2012, 345 : 15 - +
[2] Enforce mandatory access control policy on XML documents
Li, L
Jiang, XH
Li, JH
[J]. INFORMATION AND COMMUNICATIONS SECURITY, PROCEEDINGS, 2005, 3783 : 336 - 349
[3] Checking Policy Enforcement in an Access Control Aspect Model
Song, Eunjee
France, Robert
Ray, Indrakshi
Kim, Hanil
[J]. INFORMATION-AN INTERNATIONAL INTERDISCIPLINARY JOURNAL, 2008, 11 (05): : 541 - 552
[4] Access Control for Database Applications: Beyond Policy Enforcement
Zhang, Wen
Panda, Aurojit
Shenker, Scott
[J]. PROCEEDINGS OF THE 19TH WORKSHOP ON HOT TOPICS IN OPERATING SYSTEMS, HOTOS 2023, 2023, : 223 - 230
[5] Analysis of access control enforcement in android
Enck, William
[J]. Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT, 2020, : 117 - 118
[6] Analysis of Access Control Enforcement in Android
Enck, William
[J]. SACMAT'20: PROCEEDINGS OF THE 25TH ACM SYMPOSIUM ON ACCESS CONTROL MODELS AND TECHNOLOGIES, 2020, : 117 - 118
[7] A mandatory access control policy model for information security requirements
Leiwo, J
Gamage, C
Zheng, YL
[J]. PROCEEDINGS OF THE 21ST AUSTRALASIAN COMPUTER SCIENCE CONFERENCE, ACSC'98, 1998, 20 (01): : 527 - 538
[8] Security analysis of Mandatory Access Control Model
Jiang, YX
Lin, CC
Yin, H
Tan, ZX
[J]. 2004 IEEE INTERNATIONAL CONFERENCE ON SYSTEMS, MAN & CYBERNETICS, VOLS 1-7, 2004, : 5013 - 5018
[9] Access Control Policy Enforcement for Zero-Trust-Networking
Vanickis, Romans
Jacob, Paul
Dehghanzadeh, Sohelia
Lee, Brian
[J]. 2018 29TH IRISH SIGNALS AND SYSTEMS CONFERENCE (ISSC), 2018,
[10] Separating access control policy, enforcement, and functionality in extensible systems
Grimm, R
Bershad, BN
[J]. ACM TRANSACTIONS ON COMPUTER SYSTEMS, 2001, 19 (01): : 36 - 70

← 1 2 3 4 5 →