Title :
SEGrapher: Visualization-based SELinux policy analysis
Author :
Marouf, Said ; Shehab, Mohamed
Author_Institution :
Dept. of Software & Inf. Syst., Univ. of North Carolina at Charlotte, Charlotte, NC, USA
fDate :
Oct. 31 2011-Nov. 1 2011
Abstract :
Performing SELinux policy analyses can be difficult due to the complexity of the policy language and the sheer number of policy rules and attributes involved. For example, the default policy on most SELinux-enabled systems has over 1,500,000 flat rules, involving over 1,780 types. Simple analyses between types can result in a large amount of data, which is poorly presented to administrators in existing analysis tools. We propose and implement a policy analysis tool “SEGrapher” that addresses the above challenges. SEGrapher visually presents analysis results as a simplified directed graph, where nodes are types, and edges are corresponding policy rules between types. Graphs are generated via a proposed clustering algorithm that clusters types based on their accesses. Clusters provide an abstraction layer that removes undesired data, and focuses on analysis attributes specified by the administrator.
Keywords :
Linux; data visualisation; directed graphs; pattern clustering; security of data; SEGrapher; abstraction layer; clustering algorithm; directed graph; policy attributes; policy language; policy rules; security enhanced Linux; visualization-based SELinux policy analysis; Access control; Algorithm design and analysis; Clustering algorithms; Linux; Optimization; Servers
Conference_Titel :
Configuration Analytics and Automation (SAFECONFIG), 2011 4th Symposium on
Conference_Location :
Arlington, VA
Print_ISBN :
978-1-4673-0401-6
Electronic_ISBN :
978-1-4673-0400-9
DOI :
10.1109/SafeConfig.2011.6111675