Policy Specialization to Support Domain Isolation

Simone Mutti, Enrico Bacis, Stefano Paraboschi

In Proc. of the 2015 Workshop on Automated Decision Making for Active Cyber Defense (SafeConfig)
Denver, Colorado, USA, October 12, 2015

Get the paper Cite

The exponential growth of modern information systems has introduced several new challenges in the management of security requirements. Nowadays, the technological scenario has evolved and the introduction of MAC models provides a better isolation among software components and reduces the damages that the malicious or defective ones can cause to the systems. On one hand it is important to confine applications and limit the privileges that they can request. On the other hand we want to let applications benefit from the flexibility given by MAC models, such as SELinux.

In this paper we show how the constructs already available in SELinux and the specialization of security domains can confined but still able to introduce sophisticated security patterns, such as application isolation and the least privilege principle. After defining the proposed model, we describe how it can be integrated into real systems through the use of examples on Android and Apache Web Server.

@inproceedings{10.1145/2809826.2809832,
	author = {Mutti, Simone and Bacis, Enrico and Paraboschi, Stefano},
	title = {Policy Specialization to Support Domain Isolation},
	doi = {10.1145/2809826.2809832},
	booktitle = {Proceedings of the 2015 Workshop on Automated Decision Making
	             for Active Cyber Defense (SafeConfig)},
	location = {Denver, Colorado, USA},
	day = {12},
	month = {October},
	year = {2015},
}