ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Visualization based policy analysis: case study in SELinux
Full text PdfPdf (955 KB)
Source
Symposium on Access Control Models and Technologies archive
Proceedings of the 13th ACM symposium on Access control models and technologies table of contents
Estes Park, CO, USA
SESSION: Access control in systems table of contents
Pages 165-174  
Year of Publication: 2008
ISBN:978-1-60558-129-3
Authors
Wenjuan Xu  University of North Carolina at Charlotte, Charlotte, NC
Mohamed Shehab  University of North Carolina at Charlotte, Charlotte, NC
Gail-Joon Ahn  University of North Carolina at Charlotte, Charlotte, NC
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 14,   Downloads (12 Months): 156,   Citation Count: 0
Additional Information:

abstract   references   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1377836.1377863
What is a DOI?

ABSTRACT

Determining whether a given policy meets a site's high-level security goals can be difficult, due to the low-level nature and complexity of the policy language, and the multiple policy violation patterns. In this paper, we propose a visualization-based policy analysis framework that enables system administrators to visually query and visualize SELinux security policies and to easily identify the policy violations. We propose and formalize both a semantic substrate and adjacency matrix visualization techniques for policy visualization. Furthermore, we propose a visual query language for expressing policy queries in a visual form. Our framework is targeted towards enabling the average administrator by providing an intuitive cognitive sense about the policy, policy queries and policy violations. We also describe our implementation of a visualization-based policy analysis tool that provides the functionalities discussed in our framework.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
System Management Concepts: Operating System and Devices. IBM Corporation, 1 Ed., 1999.
 
2
P. Loscocco and S. Smalley. Meeting critical security objectives with security-enhanced linux. In Proceedings of the Ottawa Linux Symposium, 2001.
 
3
Ben Shneiderman , Aleks Aris, Network Visualization by Semantic Substrates, IEEE Transactions on Visualization and Computer Graphics, v.12 n.5, p.733-740, September 2006  [doi>10.1109/TVCG.2006.166]
 
4
Human Computer Interaction Lab at University of Maryland. Piccolo. Available from http://www.cs.umd.edu/hcil/jazz/download/index.shtml.
 
5
D. E. Bell and L. J. LaPadula. Secure computer systems: Unified exposition and multics interpretation. MITRE Corporation, 1976.
 
6
K. J. Biba. Integrity considerations for secure computer systems. MTR-3153, MITRE Corporation, April 1977.
 
7
D. D. Clark and D. R. Wilson. A comparison of commercial and military computer security policies. In Proceedings of the IEEE Symposium on Security and Privacy, 1987.
 
8
M. Abrams and M. Joyce. Trusted computing update. Computers & Security, 14(1):57--68, 1995.
9
Dorothy E. Denning, A lattice model of secure information flow, Communications of the ACM, v.19 n.5, p.236-243, May 1976  [doi>10.1145/360051.360056]
 
10
J. Guttman, A. Herzog, and J. Ramsdell. Information flow in operating systems: Eager formal methods. In In Workshop on Issues in the Theory of Security (WITS), 2003.
 
11
R.F. Erbacher. Intrusion behavior detection through visualization. In IEEE International Conference on Systems, Man and Cybernetics, pages 2507--2513, Oct 2003.
 
12
M. Green. Toward a perceptual science of multidimensional data visualization: Bertin and beyond. Available from http://www.ergogero.com/dataviz/dviz2.html, 1998.
 
13
J. Guttman, A. Herzog, and J. Ramsdell. Information flow in operating systems: Eager formal methods. In Workshop on Issues in the Theory of Security (WITS), 2003.
 
14
Ivan Herman , Guy Melançon , M. Scott Marshall, Graph Visualization and Navigation in Information Visualization: A Survey, IEEE Transactions on Visualization and Computer Graphics, v.6 n.1, p.24-43, January 2000  [doi>10.1109/2945.841119]
 
15
Takayuki Itoh , Hiroki Takakura , Atsushi Sawada , Koji Koyamada, Hierarchical Visualization of Network Intrusion Detection Data, IEEE Computer Graphics and Applications, v.26 n.2, p.40-47, March 2006  [doi>10.1109/MCG.2006.34]
16
Trent Jaeger , Reiner Sailer , Umesh Shankar, PRIMA: policy-reduced integrity measurement architecture, Proceedings of the eleventh ACM symposium on Access control models and technologies, June 07-09, 2006, Lake Tahoe, California, USA  [doi>10.1145/1133058.1133063]
 
17
Trent Jaeger , Reiner Sailer , Xiaolan Zhang, Analyzing integrity protection in the SELinux example policy, Proceedings of the 12th conference on USENIX Security Symposium, p.5-5, August 04-08, 2003, Washington, DC
18
Trent Jaeger , Reiner Sailer , Xiaolan Zhang, Resolving constraint conflicts, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA  [doi>10.1145/990036.990053]
19
Trent Jaeger , Xiaolan Zhang , Antony Edwards, Policy management using access control spaces, ACM Transactions on Information and System Security (TISSEC), v.6 n.3, p.327-364, August 2003  [doi>10.1145/937527.937528]
20
René Keller , Claudia M. Eckert , P. John Clarkson, Matrices or node-link diagrams: which visual representation is better for visualising connectivity models?, Information Visualization, v.5 n.1, p.62-76, March 2006  [doi>10.1057/palgrave.ivs.9500116]
 
21
Chris P. Lee , Jason Trost , Nicholas Gibbs , Raheem Beyah , John A. Copeland, Visual Firewall: Real-time Network Security Monito, Proceedings of the IEEE Workshops on Visualization for Computer Security, p.16, October 26-26, 2005  [doi>10.1109/VIZSEC.2005.20]
 
22
Peter Loscocco , Stephen Smalley, Integrating Flexible Support for Security Policies into the Linux Operating System, Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, p.29-42, June 25-30, 2001
23
S. Mathew , R. Giomundo , S. Upadhyaya , M. Sudit , A. Stotz, Understanding multistage attacks by attack-track based visualization of heterogeneous event streams, Proceedings of the 3rd international workshop on Visualization for computer security, November 03-03, 2006, Alexandria, Virginia, USA  [doi>10.1145/1179576.1179578]
 
24
S. Nidhi. Fireviz: A personal firewall visualizing tool. In Thesis (M. Eng.), Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2005.
25
Steven Noel , Sushil Jajodia, Managing attack graph complexity through visual hierarchical aggregation, Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, October 29-29, 2004, Washington DC, USA  [doi>10.1145/1029208.1029225]
 
26
H. Reiterer and G. Muler. A visual information seeking system for web search. In Proceedings of the Oberquelle H, Oppermann R, Krause J (eds) Mensch & Computer conference, pages 297--306, March 2001.
 
27
H. Reiterer, G. Tullius, and T. Mann. Insyder: a content-based visual-informationseeking system for the web. Springer-Verlag GmbH , International Journal on Digital Libraries, 2005.
28
Reiner Sailer , Trent Jaeger , Xiaolan Zhang , Leendert van Doorn, Attestation-based policy enforcement for remote access, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA  [doi>10.1145/1030083.1030125]
 
29
J. Saltzer and M. Schroeder. The Protection of Information in Computer Systems. Proceedings of the IEEE, 63(9):1278--1308, Sept 1975.
 
30
B. S.-Starosta and S. D. Stoller. Policy analysis for security-enhanced linux. In Proceedings of the 2004 Workshop on Issues in the Theory of Security (WITS), pages 1--12, April 2004.
 
31
B. S.-Starosta and S. D. Stoller. Policy analysis for security-enhanced linux. In Proceedings of the Workshop on Issues in the Theory of Security (WITS), pages 1--12, April 2004.
 
32
Z. Shen and K. Ma. Path visualization for adjacency matrices. In Proceedings of Eurographics/IEEE Symposium on Visualization (EuroVis), May 2007.
 
33
S. Smalley. Configuring the selinux policy. http://www.nsa.gov/SELinux/docs.html, 2003.
 
34
A. G. Sutcliffe , M. Ennis , S. J. Watkinson, Empirical studies of end-user information searching, Journal of the American Society for Information Science, v.51 n.13, p.1211-1231, Nov. 2000  [doi>10.1002/1097-4571(2000)9999:9999<::AID-ASI1033>3.0.CO;2-5]
 
35
Tresys Technology. Apol. Available from http://www.tresys.com/selinux/.
36
Ramona Su Thompson , Esa M. Rantanen , William Yurcik , Brian P. Bailey, Command line or pretty lines?: comparing textual and visual interfaces for intrusion detection, Proceedings of the SIGCHI conference on Human factors in computing systems, April 28-May 03, 2007, San Jose, California, USA  [doi>10.1145/1240624.1240807]
 
37
Tung Tran , Ehab Al-Shaer , Raouf Boutaba, PolicyVis: firewall security policy visualization and inspection, Proceedings of the 21st conference on Large Installation System Administration Conference, p.1-16, November 11-16, 2007, Dallas
 
38
Danfeng Yao , Michael Shin , Roberto Tamassia , William H. Winsborough, Visualization of Automated Trust Negotiation, Proceedings of the IEEE Workshops on Visualization for Computer Security, p.8, October 26-26, 2005  [doi>10.1109/VIZSEC.2005.21]
39
Xiaoxin Yin , William Yurcik , Michael Treaster , Yifan Li , Kiran Lakkaraju, VisFlowConnect: netflow visualizations of link relationships for security situational awareness, Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, October 29-29, 2004, Washington DC, USA  [doi>10.1145/1029208.1029214]
 
40
William Yurcik, Visualizing NetFlows for security at line speed: the SIFT tool suite, Proceedings of the 19th conference on Large Installation System Administration Conference, p.16-16, December 04-09, 2005, San Diego, CA
41
William Yurcik, Tool update: visflowconnect-IP with advanced filtering from usability testing, Proceedings of the 3rd international workshop on Visualization for computer security, November 03-03, 2006, Alexandria, Virginia, USA  [doi>10.1145/1179576.1179588]

INDEX TERMS

Primary Classification:
  D. Software
  D.1 PROGRAMMING TECHNIQUES
      D.1.7 Visual Programming

Additional Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection
          Subjects: Information flow controls


General Terms:
Security, Verification

Collaborative Colleagues:
Wenjuan Xu: colleagues
Mohamed Shehab: colleagues
Gail-Joon Ahn: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player