From: ramsdell@mitre.org (John D. Ramsdell)
To: "SE Linux" <selinux@tycho.nsa.gov>
Cc: ramsdell@mitre.org
Subject: Information flow models
Date: 05 Dec 2003 15:32:35 -0500 [thread overview]
Message-ID: <ogtfzfzqa3g.fsf@divan.mitre.org> (raw)
In-Reply-To: <BAY1-DAV25idcOHuICu0000353b@hotmail.com>
Karl MacMillan of Tresys and I were having a discussion about
information flow models used for policy analysis, and thought the
people on this list might like to participate.
The Tresys Setools package and MITRE's SLAT analyze SELinux policy
configurations. They both extract an abstraction of a policy that
models information flow within the system. Both models can be
described in terms of graphs. The nodes of the graph say something
about a security context. Each edge in the graph is labeled with a
control requirement, i.e. a class-permission pair. An edge is in the
graph if the policy allows information to flow from one node to
another. If the edge corresponds to a write-like flow, the source of
the edge is the subject, and if the edge corresponds to a read-like
flow, the target of the edge is the subject.
The two tools differ in what constitutes a node in the model. In
SLAT, a node is a security context--a triple consisting of a type, a
role, and a user. In Setools, a node is a type.
Using a security context as a node gives a model that more accurately
reflects the policy being analyzed, however, the graphs are large. As
a result, the SLAT implementors have had to resort to model checkers
to perform their analysis.
If one ignores role-allow, role-type, user-role, and constraint
statements in a policy configuration file, one is left with a model in
which nodes can simply be types. The graphs in this model are
obviously much smaller and easier to analyze, however, it may allow
some flows that are not permitted by a more fine grained analysis.
The question is: from an engineering perspective, is a more detailed
analysis worth the overhead of using techniques that handle the large
graphs? Most likely, there will be times when an analysis based only
on types is appropriate, and others when an analysis based on security
contexts is appropriate, but how does one decide which to use, and when?
John
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2003-12-05 20:33 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-12-05 14:57 Problems loading policy Stephen
2003-12-05 18:36 ` Dale Amon
2003-12-05 20:32 ` John D. Ramsdell [this message]
2003-12-08 17:57 ` Information flow models Karl MacMillan
2003-12-10 13:18 ` John D. Ramsdell
2003-12-10 15:11 ` Karl MacMillan
2003-12-10 15:29 ` John D. Ramsdell
2003-12-10 15:37 ` Karl MacMillan
2003-12-10 19:06 ` Joshua D. Guttman
2003-12-10 20:18 ` Karl MacMillan
2003-12-11 13:10 ` John D. Ramsdell
2003-12-11 16:04 ` Karl MacMillan
2003-12-11 17:43 ` Joshua D. Guttman
2003-12-11 20:23 ` Stephen Smalley
2003-12-11 20:45 ` Stephen Smalley
2003-12-11 20:46 ` Karl MacMillan
2003-12-11 21:00 ` Stephen Smalley
2003-12-23 19:12 ` Trent Jaeger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ogtfzfzqa3g.fsf@divan.mitre.org \
--to=ramsdell@mitre.org \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.