Guided Policy Generation for Application Authors
February 2006
Brian T. Sniffen, The MITRE Corporation
David R. Harris, The MITRE Corporation
John D. Ramsdell, The MITRE Corporation
ABSTRACT
Polgen is a tool for human-guided semi-automated SE Linux security policy generation. Polgen processes
traces of the dynamic behavior of a target program. In that behavior, it observes instances of information flow
patterns such as Pipeline, Interpreter, and Proxy. Based on the patterns it detects, Polgen creates new SE Linux
types and generates policy rules. Because the dynamic behavior is insufficient to determine security policy, Polgen
presents a wizard-style interface for human interaction. We call the interaction "guided automatic policy
generation." We designed Polgen primarily for security administrators who confront unfamiliar programs and are obliged
to integrate them into existing policy. This paper highlights changes made to Polgen to adapt it to the needs of
application authors, people who are less likely than security administrators to be well versed in SE Linux policy.
Key changes include an architecture specification language and a refinement of the wizard-style interface
for application authors. When complete, this tool will expand the community of policy authors, and further accelerate
the adoption of SE Linux.
