Characterizing SEAndroid Policies in the Wild
Elena Reshetova, Filippo Bonazzi, Thomas Nyman, Ravishankar Borgaonkar, N. Asokan
2016
Abstract
Starting from the 5.0 Lollipop release all Android processes must be run inside confined SEAndroid access control domains. As a result, Android device manufacturers were compelled to develop SEAndroid expertise in order to create policies for their device-specific components. In this paper we analyse SEAndroid policies from a number of 5.0 Lollipop devices on the market, and identify patterns of common problems we found. We also suggest some practical tools that can improve policy design and analysis. We implemented the first of such tools, SEAL.
References
- Amthor, P., Kuhnhauser, W., and Polck, A. (2011). Modelbased safety analysis of selinux security policies. In NSS, pages 208-215. IEEE.
- Badger, L., Sterne, D., Sherman, D., Walker, K., Haghighat, S., et al. (1995). Practical domain and type enforcement for UNIX. In Security and Privacy, pages 66-77. IEEE.
- Bauer, M. (2006). Paranoid penguin: an introduction to Novell AppArmor. Linux Journal, (148):13.
- Clemente, P., Kaba, B., Rouzaud-Cornabas, J., Alexandre, M., and Aujay, G. (2012). Sptrack: Visual analysis of information flows within selinux policies and attack logs. In AMT, pages 596-605. Springer.
- Fowler, M. (2010). Domain-specific languages . Pearson Education.
- Guttman, J. D., Herzog, A. L., Ramsdell, J. D., and Skorupka, C. W. (2005). Verifying information flow goals in security-enhanced Linux. Journal of Computer Security, 13(1):115-134.
- Harrison, M. A., Ruzzo, W. L., and Ullman, J. D. (1976). Protection in operating systems. Commun. ACM, 19(8):461-471.
- Hurd, J., Carlsson, M., Finne, S., Letner, B., Stanley, J., and White, P. (2009). Policy DSL: High-level Specifications of Information Flows for Security Policies.
- Jaeger, T., Sailer, R., and Zhang, X. (2003). Analyzing integrity protection in the selinux example policy. In USENIX Security, page 5.
- Marouf, S. and Shehab, M. (2011). SEGrapher: Visualization-based SELinux policy analysis. In SAFECONFIG, pages 1-8. IEEE.
- Schaufler, C. (2008). Smack in embedded computing. In Ottawa Linux Symposium.
- SELinux Project (2014). Userspace tools. github.com/SELinuxProject/selinux/wiki. Accessed: 2015-09-29.
- Smalley, S. and Craig, R. (2013). Security Enhanced (SE) Android: Bringing flexible MAC to Android. In NDSS, volume 310, pages 20-38.
- Smalley, S., Vance, C., and Salamon, W. (2001). Implementing SELinux as a Linux security module. NAI Labs Report, 1(43):139.
- Sniffen, B. T., Harris, D. R., and Ramsdell, J. D. (2006). Guided policy generation for application authors. In SELinux Symposium.
- Spencer, R., Smalley, S., Loscocco, P., Hibler, M., and Lepreau, J. (1999). The Flask security architecture: System support for diverse policies. In USENIX Security.
- Tresys (2014). SETools project github.com/TresysTechnology/setools3/wiki. cessed: 2015-09-29.
- Wang, R., Enck, W., Reeves, D., Zhang, X., Ning, P., Xu, D., Zhou, W., and Azab, A. (2015). EASEAndroid: Automatic Policy Analysis and Refinement for Security Enhanced Android via Large-Scale SemiSupervised Learning. In USENIX Security.
- Zhou, Y. and Jiang, X. (2012). Dissecting android malware: Characterization and evolution. In Security and Privacy, pages 95-109. IEEE.
Paper Citation
in Harvard Style
Reshetova E., Bonazzi F., Nyman T., Borgaonkar R. and Asokan N. (2016). Characterizing SEAndroid Policies in the Wild . In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 482-489. DOI: 10.5220/0005759204820489
in Bibtex Style
@conference{icissp16,
author={Elena Reshetova and Filippo Bonazzi and Thomas Nyman and Ravishankar Borgaonkar and N. Asokan},
title={Characterizing SEAndroid Policies in the Wild},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2016},
pages={482-489},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005759204820489},
isbn={978-989-758-167-0},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Characterizing SEAndroid Policies in the Wild
SN - 978-989-758-167-0
AU - Reshetova E.
AU - Bonazzi F.
AU - Nyman T.
AU - Borgaonkar R.
AU - Asokan N.
PY - 2016
SP - 482
EP - 489
DO - 10.5220/0005759204820489