Characterizing SEAndroid Policies in the Wild

Elena Reshetova

1,2

, Filippo Bonazzi

, Thomas Nyman

, Ravishankar Borgaonkar

and N. Asokan

2,3

Intel OTC, Helsinki, Finland

Aalto University, Helsinki, Finland

University of Helsinki, Helsinki, Finland

Keywords:

Security, Access Control, SELinux, SEAndroid.

Abstract:

Starting from the 5.0 Lollipop release all Android processes must be run inside conﬁned SEAndroid access

control domains. As a result, Android device manufacturers were compelled to develop SEAndroid expertise

in order to create policies for their device-speciﬁc components. In this paper we analyse SEAndroid policies

from a number of 5.0 Lollipop devices on the market, and identify patterns of common problems we found.

We also suggest some practical tools that can improve policy design and analysis. We implemented the ﬁrst

of such tools, SEAL.

1 INTRODUCTION

During the past decade Android has gained a consid-

erable share of the mobile device market. However,

at the same time the number of malware and vari-

ous exploits available for Android has also been in-

creasing (Zhou and Jiang, 2012; Smalley and Craig,

2013). Many classical Android exploits, such as Gin-

gerBreak and Exploid (Smalley and Craig, 2013), at-

tempt to target system daemons that run with ele-

vated, often unlimited, privileges. Once such a dae-

mon is compromised, the whole Android OS usually

becomes compromised and the attacker is able to get

permanent root privileges on the device. Since the

Android permission system, which relies on Linux

Discretionary Access Control (DAC), cannot protect

from such attacks, a new Mandatory Access Con-

trol (MAC) mechanism has been introduced. SE-

Android (Smalley and Craig, 2013) is an Android

port of the well-established SELinux MAC mech-

anism (Smalley et al., 2001) with some Android-

speciﬁc additions and modiﬁcations. In SELinux,

security decisions are taken according to a policy:

the reference policy for SEAndroid was created from

scratch and is maintained as part of the Android Open

Source Project (AOSP)

Starting from the Android 5.0 Lollipop release,

the Android compliance requirements have mandated

that every process must be run inside a conﬁned SE-

source.android.com

Android domain with a proper set of access control

rules deﬁned. This has put many Android Original

Equipment Manufacturers (OEMs) in the difﬁcult po-

sition of enabling SEAndroid in enforcing mode on

their devices with a set of fully conﬁgured access con-

trol domains. While the reference SEAndroid pol-

icy is provided by AOSP, any OEM customization to

the reference AOSP device design results in a need

for SEAndroid policy modiﬁcations. Writing well-

designed SELinux policies requires expertise; this

difﬁculty, together with high time-to-market pressure,

can possibly lead to the introduction of mistakes and

outright vulnerabilities in modiﬁed SEAndroid poli-

cies deployed in OEM Android devices.

In this paper, we conduct a systematic manual

analysis of several available SEAndroid 5.0 Lollipop

OEM policies and identify common patterns and mis-

takes. We ﬁnd that OEM modiﬁcations can render

policies less strict, resulting in a wider attack surface

for potential vulnerabilities. Based on these ﬁndings,

we identify a number of practical tools that can as-

sist SEAndroid policy designers and researchers to

analyze and improve SEAndroid policies. We also

provide an initial implementation of one such tool,

SEAL. To the best of our knowledge, this is the ﬁrst

comparative study of SEAndroid policies from real-

world devices.

482

Reshetova, E., Bonazzi, F., Nyman, T., Borgaonkar, R. and Asokan, N.

Characterizing SEAndroid Policies in the Wild.

DOI: 10.5220/0005759204820489

In Proceedings of the 2nd International Conference on Information Systems Security and Privacy (ICISSP 2016), pages 482-489

ISBN: 978-989-758-167-0

 2016 by SCITEPRESS – Science and Technology Publications, Lda. All r ights reserved

2 BACKGROUND

2.1 SELinux

SELinux (Smalley et al., 2001) is a well-established

MAC mechanism available for Linux-based distribu-

tions. It was the ﬁrst MAC for mainstream Linux

with its initial release in 1998. SELinux has been

implemented in the Linux kernel following the Flask

architecture (Spencer et al., 1999), where the policy

enforcement code, known as Linux Security Module

(LSM) Framework, and the policy decision-making

code are separated: this allows other MAC modules,

such as AppArmor (Bauer, 2006) or Smack (Schau-

ﬂer, 2008), to utilize the same policy enforcement

code.

The main MAC mechanism in SELinux is Do-

main/Type Enforcement (Badger et al., 1995), which

assigns a type to each subject or object in the system;

a subject’s type is also known as domain. A subject

running in domain can only access an object belong-

ing to type if there is an allow rule in the policy of

the following form:

allow domain type : class permissions

where class represents the nature of an object

such as ﬁle, socket or property, and permissions

represent the types of operation on this object that

are being controlled, like open, write, set etc. Sub-

jects can change their domain if a corresponding type

transition rule is deﬁned. For example, if a process

executes a new binary, it is possible for the resulting

process to run in a different domain. Such a transition

rule will be represented as:

type transition olddomain type:process

newdomain

where type denotes the type of a binary that

should be executed in order for the transition to hap-

pen. We will use the term process transition in the

future to refer to such a rule. In practice there are a

number of additional rules that are needed in order

to make the transition happen, but we leave them out

here for the sake of simplicity. Another type of tran-

sition can occur if an object is created and its type

should differ from the type of the object’s parent. For

ﬁle creation inside an existing directory such a rule

can be represented as:

type transition domain oldtype:dir newtype

where domain denotes the domain of the subject

creating the ﬁle, oldtype represent the type of the

directory where the ﬁle is being created and newtype

denotes the type that the new ﬁle should be assigned.

In addition, the SELinux policy language has the

following notions:

• An attribute is a way to refer to sets of types

and domains. It is used to express type hierarchies

and rule inheritance. For example, SELinux poli-

cies on Android deﬁne an app attribute consist-

ing of common rules for all platform applications

such as the ability access the device display.

• Initial Security Identifier (SID) are types

that should be assigned by default to subjects and

objects during system initialization, such as for

example kernel and init.

• genfs contexts deﬁne types that should be as-

signed to objects residing in special ﬁlesystems,

such as proc, debugfs and ecryptfs.

2.2 SEAndroid

The SELinux port to Android, SEAndroid (Smalley

and Craig, 2013), was mostly based on SELinux code

with some additional LSM hooks to support Android-

speciﬁc mechanisms, such as Binder Inter Process

Communication (IPC). However, the SEAndroid ref-

erence policy was written from scratch due to 1) a de-

sire for a simpler and a smaller policy and 2) the big

difference between the userspace layers of Android

and a standard Linux distribution.

SEAndroid classes and permissions are mostly the

same as on SELinux, with some Android-speciﬁc ad-

ditions like the property class for the Android init-

based property service and the keystore key class

for the Android keystore key object.

Native services and daemons are assigned SEAn-

droid domains based on ﬁlesystem labeling or di-

rect domain declaration in the service deﬁnition in

the init.rc ﬁle. In turn, applications are assigned

domains based on the signature of the Android ap-

plication package ﬁle (.apk). There are a number

of predeﬁned application domains, like system app,

platform app and untrusted app. OEMs are able

to create additional domains if needed.

One new notion that SEAndroid has is the pres-

ence of neverallow rules in the source policy.

A neverallow rule speciﬁes that certain accesses

should never be allowed by the policy. For example,

the following neverallow rule asserts that only pro-

cesses running in the init domain should be able to

modify security-sensitive ﬁles in the proc ﬁlesystem:

neverallow {domain -init}

proc security:file {append write}

If one tries to add a rule that conﬂicts with a

neverallow rule, the policy compilation fails.

SEAndroid was initially added to the AOSP code-

base for Android 4.3 back in 2012; at that point, it

was conﬁgured in permissive mode. In Android 4.4,

Characterizing SEAndroid Policies in the Wild

483

SEAndroid was switched to enforcing mode: how-

ever, most domains were left in permissive mode,

apart from a number of core AOSP domains such as

init and vold. Android 5.0 Lollipop eventually re-

quired every single process to be put in an enforcing

domain, effectively extending the enforcement to the

whole system.

2.3 OEM Modiﬁcations to the AOSP

SEAndroid Reference Policy

Default AOSP services, processes and applications

are already covered by the AOSP SEAndroid refer-

ence policy. Typically, OEM Android devices are

highly customized with their own speciﬁc drivers,

new services, processes and ﬁlesystem mounts. In or-

der for these custom components to work, appropriate

additions must be made to the SEAndroid reference

policy. OEMs were allowed to make additions to the

SEAndroid reference policy right from the start, but

very few of them actually did in Android 4.3 and 4.4:

and in fact, the resulting policy was stricter than the

AOSP reference policy. The stringent requirements

of Android 5.0 Lollipop, however, forced all OEMs

to deploy comprehensive policies deﬁning complete

rules for their own custom services: this turned out

to be a challenging task for most. The inherent difﬁ-

culty of incorporating SEAndroid in the development

process, combined with high time-to-market pressure,

has resulted in the introduction of anti-patterns, mis-

takes and potential vulnerabilities in OEM policies.

3 SEANDROID POLICIES IN

DEPLOYED OEM DEVICES

3.1 Statistical Analysis

We collected 8 policy ﬁles from non-rooted, off-the-

shelf commercial Android 5.0 Lollipop devices by

different manufacturers. Table 1 shows the compar-

ison of all basic policy attributes and characteristics

with regards to the Android 5.0 Lollipop AOSP SE-

Android reference policy in the following categories:

• Policy Size. All OEMs increased the policy size,

by factors ranging from 1.1 up to 3.2.

• Types, Domains, Type Transitions and Domain

Transitions. The overall ratio of newly added do-

mains to newly added types ranges between 4.7

and 6.5, which is very close to the ratio in AOSP

itself (6.3). We conjecture that OEMs tend to

add slightly simpler domains, with fewer types

per each domain deﬁned. The ratio of newly

added process transitions to newly added domains

is close to 1; this indicates that OEMs add sim-

ple domains, with only one process transition to

these domains either from the init domain (upon

system startup) or from the parent process do-

main (usually upon execution of processes such

as shell or toolbox). This ratio is 1.4 for LG

G3, due to a number of newly deﬁned domains

and having two or more transitions to the shell,

toolbox, dumpstate and logcat domains. New

type transitions are mostly used by OEMs for

tmpfs types, as in the following example:

type transition aal tmpfs : file

aal tmpfs

• Allow Rules. The ratio of total number of allow

rules to total number of types varies between 10.9

and 13.1, with the exception of 14.8 for Motorola

G and 18.7 for LG G3; the ratio for AOSP is 12.0.

The numbers for Motorola and LG are compara-

tively excessive, and may indicate overly permis-

sive policies; this may be due to the use of tools to

automatically generate policies from system logs.

• Attributes. Only Samsung and Sony deﬁne new

attributes. Sony adds only one, probably related

to the system update process. In contrast, Sam-

sung adds many new attributes, which seem to be

auto-generated and most probably used for policy

optimization. The rest of the OEMs add separate

domains for their services and applications, and

do not introduce any new domain hierarchies: this

may imply unfamiliarity with the use of policy hi-

erarchies.

• Classes, Permissions and Initial SIDs. OEMs

do not modify the default set of SEAndroid

classes (86), permissions (267) or initial SIDs

(27): this is to be expected, since they repre-

sent interfaces and objects recognized and sup-

ported by SEAndroid. The only change we ob-

served was for Samsung S6, that had 4 more per-

missions deﬁned: delete as user, get by uid,

insert as user and set max retry count, all

granted on the keystore key class. The most

probable reason for such additions is Samsung’s

implementation of the keystore and its API, which

requires speciﬁc permissions.

• Genfs Contexts. The primary reason for the ad-

dition of genfs contexts is that most OEMs have

additional mount points and ﬁlesystems on their

devices, which by default would be labeled as

unlabeled unless a proper genfs context for it

is speciﬁed. An AOSP neverallow rule prohibits

ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy

484

any OEM domain from creating ﬁles with this

type: this restriction has forced OEMs to deﬁne

proper types for their new mount points.

3.2 Systematic Manual Analysis

We manually searched each policy for OEM miscon-

ﬁgurations: we used existing tools for SELinux policy

analysis, which we found to be cumbersome. Our pri-

mary tool was apol (Tresys, 2014), a GUI tool that

allows the user to load a binary policy and examine

it by specifying various ﬁlters. However, apol was

not suitable for comparing two policies: it was nec-

essary to run two instances of apol simultaneously,

manually insert the same queries into both and exam-

ine the differences between the outputs. Another tool

was sediff (Tresys, 2014), which can do basic pol-

icy comparison but does not allow ﬁltering based on

speciﬁc types or domains.

To make our manual analysis tractable, we iden-

tiﬁed three sets of types that we consider impor-

tant to check. The ﬁrst set comprises core Android

and security-sensitive domains, such as init, vold,

keystore, tee, as well as types that protect access

to security-sensitive areas of the ﬁlesystem, such as

proc security, kmem device and security file.

The second is the set of default types that would be as-

signed to an object upon its creation unless a concrete

type is speciﬁed in one of the policy ﬁles. The third

is the set of types that would be assigned to untrusted

code and its data, primarily the untrusted app do-

main.

Analyzing these sets of types and the associated

rules, we discovered the following patterns across

many devices from different OEMs.

3.2.1 Overuse of Default Types

As mentioned above, a default type is one that is

assigned to an object upon creation unless a dedi-

cated type for it is speciﬁed in the policy ﬁles: exam-

ples include unlabeled, device, socket device,

default prop and system data file. Table 2

shows that in many cases OEMs overuse the default

SEAndroid object types. For example, compared

to AOSP, HTC M7 has 10 new rules allowing vari-

ous system daemons, such as healthd, netd, vold,

mediaserver, wpa, system server, to set system

properties with the default type default prop. In

practice, this means that some of the system prop-

erties belonging to these components end up la-

beled as default

prop. Similarly, HTC M7 has

13 more rules granting various system daemons

(rild, mediaserver, thermal-engine, sensors,

thermald, system-server, . . . ) write access to

the default socket device object type. The only ex-

ceptions when OEM actually reduced the number of

rules with regards to default types are LG Nexus 5 and

Motorola G policies, where a rule for logd to access

/setypedevice was removed, and Samsung S6 policy

where a set of rules for unused unconfined domain

was removed. Below are concrete example rules from

different OEMs to show the usage of default types:

allow thermald socket device : sock file

{write create setattr unlink}

allow mediaserver default prop :

property service set

allow untrusted app unlabeled : dir

{ioctl read getattr search open}

allow untrusted app unlabeled :

filesystem getattr

Plausible reasons for OEMs to use default types

include the fact that objects are automatically as-

signed default types, and the common practice of us-

ing tools like audit2allow (SELinux Project, 2014)

which parse audit logs and automatically create new

allow rules to permit denied accesses.

There are two main consequences of such mis-

takes. Foregoing distinct, dedicated types in favor of

default types means that different, unrelated resources

are collected under a common label: domains with

access to said label thus get wider access rights than

actually needed. This is undesirable, as it violates the

principle of least privilege. The second, more severe,

consequence is that some untrusted domains might be

given access to default labeled sensitive objects.

Fortunately, we did not ﬁnd examples of such

cases in the policies we examined, apart from the ex-

ample above where untrusted app is given some ac-

cess to unlabeled ﬁlesystem objects; however, the

possibility of such mistakes remains.

Google is actively trying to address this problem

by ﬁne-tuning the set of neverallow rules in the

AOSP reference policy. Starting from Android 5.1,

OEMs are not allowed to modify this set. For exam-

ple, it is not possible anymore for an OEM domain to

set default properties or access block devices.

3.2.2 Overuse of Predeﬁned Domains

Another observed trend is that typically OEMs do not

deﬁne separate domains for speciﬁc system applica-

tions, but tend to place them either in system

app or

in platform app domains. Consequently, these do-

mains accumulate a lot of allow rules that are shared

by all system or platform applications. Moreover,

if many applications are pre-installed in the same

Characterizing SEAndroid Policies in the Wild

485

Table 1: Policy comparison and complexity.

size (KB) types domains type trans process trans allow rules attributes genfs contexts untrusted app rules

AOSP 117 341 54 95 41 4096 21 30 33

LG Nexus 5 134 416, +75 65, +11 158, +63 51, +10 4972, +876 21 32, +2 33

Intel 127 393, +52 65, +11 115, +20 51, +10 4748, +652 21 32, +2 38, +5

HTC M7 181 621, +280 106, +52 213, +118 95, +54 7587, +3491 21 34, +4 46, +13

Motorola G 193 590, +249 92, +38 199, +104 83, +42 8753, +4657 21 33, +3 33

LG G3 302 851, +510 149, +95 340, +245 180, +139 15921, +11825 21 45, +15 168, +135

Intex Aqua 230 900, +559 142, +88 266, +171 128, +87 9824, +5728 21 37, +7 44, +11

Samsung S6 370 1102, +761 215, +161 430, +335 180, +139 14412, +10316 158, +137 43, +13 81, +48

Sony Xperia 218 793, +452 139, +85 265, +170 113, +72 9308, +5212 22, +1 37, +7 42, +9

+ denotes the number of additions compared to AOSP.

Table 2: Usage of default types by OEMs.

unlabeled socket device device default prop system data ﬁle

AOSP 25 4 18 0 42

LG Nexus 5 25 7, +3 17, –1 0 45, +3

Intel 27, +2 5, +1 24, +6 3, +3 54, +12

HTC M7 31, +6 17, +13 26, +8 10, +10 68, +26

Motorola G 31, +6 7, +3 17, –1 2, +2 62, +20

LG G3 42, +17 21, +17 28, +10 3, +3 120, +78

Intex Aqua 33, +8 8, +14 23, +5 0 108, +66

Samsung S6 24, –1 22, +18 46, +28 1, +1 204, +162

Sony Xperia 25 15, +11 21, +3 1, +1 57, +15

± denotes the number of additions/removals compared to AOSP.

domain, SEAndroid cannot prevent privilege esca-

lation attacks or unauthorized data sharing by such

apps (Smalley and Craig, 2013). As an example, let

us consider the pre-installed McAfee anti-virus ap-

plication on LG devices. It runs in the system app

domain, which contains more than 900 associated al-

low rules in the LG G3 policy compared to 46 in

the AOSP one. It is quite difﬁcult to identify spe-

ciﬁc rules that were added to the system app domain

because of the McAfee application, given that many

other applications run in this domain. However, by

analyzing the permissions of the same McAfee ap-

plication in Google Play Store, we observed corre-

sponding SEAndroid policy rules in the system app

domain, such as access to the telephony functionality,

camera and several types related to the ﬁlesystem, in-

cluding tmpfs types and sockets. This might indicate

that these rules were added for the McAfee applica-

tion.

A solution to this problem would be to place cer-

tain powerful system applications in their own SEAn-

droid domains; this can be done by signing these ap-

plications with different keys and creating a mapping

between these keys and target application domains.

3.2.3 Forgotten or Seemingly Useless Rules

Another common trend is the presence of rules that

seem to have no effect. One example is rules of the

following type present in one device:

allow untrusted app <xyz> exec : file

For example

allow untrusted app tee exec : file {read

getattr execute open}

Since no corresponding process transition rule

from the untrusted app domain to the tee

domain via tee exec ﬁle is deﬁned, and no

execute no trans access type is granted, a process

running in the untrusted app domain cannot ex-

ecute a ﬁle labeled as tee exec. There are two

plausible explanations. One is the use of tools like

audit2allow (SELinux Project, 2014) to automati-

cally generate rules, as discussed above. The other is

the failure to clean up rules that were tested at some

point but are no longer required. Below is an exam-

ple of a vestigial rule that allows access to the debug

interface of the Qualcomm KGSL GPU driver, which

is itself disabled in production builds:

allow untrusted app sysfs kernel debug kgsl

: file {read getattr}

3.2.4 Potentially Dangerous Rules

When working under tight time-to-market require-

ments, OEMs might decide to ship less strict secu-

rity policies rather than make invasive changes to their

codebase. This leads to a number of potentially dan-

gerous rules appearing in OEM policies, like access to

ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy

486

the procfs security-related ﬁlesystem objects. The

rules below give read/write permissions on such

objects to a trusted hal domain, a release app do-

main and an untrusted app domain.

allow hal proc security : file {write

getattr open}

allow release app proc security : file

{ioctl read getattr lock open}

allow untrusted app proc security : file

{read getattr open}

While processes running in the hal system do-

main can be considered trusted, the ﬁrst rule is unde-

sirable because it increases the attack surface of cer-

tain interfaces (like sensitive procfs settings) if the

trusted process is compromised. The same applies to

applications put in the release

app domain, as in the

second rule. The third rule is even more dangerous,

because it allows malicious applications running in

the untrusted app domain to get sensitive informa-

tion, such as mmap min addr, memory randomization

parameters and kernel pointer exposure settings, that

can be used for further exploits.

Another example of a potentially dangerous rule

is allowing processes running in the untrusted app

domain to read/write application data belonging to

the system app domain:

allow untrusted app system app data file :

file {read write getattr}

However, since processes from untrusted app

and system app domains will be run with different

UIDS, the Linux DAC layer would guard against such

arbitrary accesses unless a system application erro-

neously made its own ﬁles world-accessible.

In general, OEMs should have no additions to

the set of rules for the untrusted app domain, be-

cause any new allow rule increases the possible at-

tack surface for malicious untrusted app applica-

tions. However, Table 1 shows that almost all OEMs

do add new rules for the untrusted app domain.

On a positive note, OEMs are aware of such mis-

takes; some of them have been already ﬁxed in the

subsequent Android 5.1 update. The major reason be-

hind these ﬁxes was the release of the Android Com-

patibility Test Suite (CTS)

version 5.1, that added

tests to ensure that AOSP neverallow rules are not

violated by any process running on a device.

3.2.5 Discussion

We found several problematic patterns in the Android

5.0 OEM SEAndroid policies we examined. We con-

source.android.com/compatibility/cts/index.html

jecture that the reason for their presence is the rel-

ative unfamiliarity with SEAndroid. Google utilizes

the set of neverallow rules in order to try to pre-

vent OEMs from making security mistakes. How-

ever, while this approach might prevent some mis-

takes, it can also create difﬁculties for OEMs. For ex-

ample any Global Platform-enabled TEE design

will

likely end up with untrusted app applications need-

ing to access a kernel driver for their memory refer-

encing. In Android 5.1 this conﬂicts with the existing

neverallow rules, and as a result OEMs are forced

to come up with a workaround. In the next section we

propose a set of tools that can further help OEMs to

avoid security mistakes and at the same time do not

imply any restrictions on OEMs.

4 NEW TOOLS FOR SEANDROID

Although our systematic manual analysis unearthed

some problem areas in the policies we analyzed, the

process was cumbersome and time-consuming using

the currently available tools. Based on our experi-

ence, we argue that new tools or new functionality

in existing tools are necessary to aid both OEMs and

security researchers to create and analyze SEAndroid

policies effectively. We identify several such desir-

able tools below. We have implemented the ﬁrst on

the list (live policy analyzer) and are working on the

rest.

4.1 Live Policy Analyzer

Existing SELinux policy analysis tools focus solely

on the policy itself, and do not address the question

of how the policy rules apply to a speciﬁc target de-

vice. A tool that can answer questions like “what ﬁles

can a speciﬁed process on a device access?” or “what

processes on a device can access a speciﬁed ﬁle?”

would be very useful for the analyst. We developed

SEAndroid live device analysis tool SEAL

for this

purpose. SEAL allows different queries that take into

account not only the SEAndroid policy loaded on the

device, but also the actual device state, i.e. running

processes and ﬁlesystem objects. SEAL offers com-

mand line and GUI interfaces, and queries the device

over the adb interface. In order to obtain results about

the entire device ﬁlesystem, the target device has to

be either rooted or running an engineering build. Fig-

ure 1 shows the architecture of SEAL.

globalplatform.org

github.com/seandroid-analytics/seal

Characterizing SEAndroid Policies in the Wild

487

Figure 1: SEAL tool architecture.

4.2 Policy Decompilation Tool

One of the main problems during our manual analysis

was the lack of a tool to easily identify and analyze

changes that an OEM made to the default AOSP pol-

icy. Current tools like apol and sediff are not di-

rectly suited for this task, as described in Section 3.2.

It would be very beneﬁcial to have a tool able to trans-

form a binary policy into a set of source ﬁles orga-

nized similarly to the AOSP SEAndroid source policy.

In this case, it would not only be possible to perform

manual analysis in a more organized and convenient

manner, but also to employ standard text manipula-

tion tools to compare or ﬁlter needed information.

4.3 Policy Visualization Tool

SELinux has the notion of attributes, that allow

organizing policy types and domains in a hierarchi-

cal manner. This is a very powerful mechanism that

can easily be misconﬁgured by mistake. The data

collected in section 3.1 showed that most OEMs do

not create new policy attributes, perhaps due to the

perceived complexity of the attribute mechanism. A

tool to visualize hierarchies induced by attributes may

help an analyst better understand and make use of at-

tributes effectively.

4.4 Policy Analyzer

The hardest part of our manual analysis was iden-

tifying rules that are either potentially dangerous or

possibly unnecessary. The analysis can be automated

with a set of heuristic checks. The tool can also utilize

SEAL in order to make policy queries with regards to

the device state.

Let us consider the following rule from sec-

tion 3.2.4 and explain how it can be automatically de-

tected as suspicious:

allow untrusted app tee exec : file {read

getattr execute open}

The tool ﬁrst uses SEAL to fetch from a device all

ﬁles with the tee exec label. Then it queries SEAL

for all labels and DAC permissions of all higher-level

directories on the path to each tee exec ﬁle, and tries

to determine if the untrusted app domain can even

reach the target ﬁle to perform the requested opera-

tions. If the ﬁrst check passes, the analyzer can further

check that each requested access control type makes

sense. For example, in order for execute to succeed

given that execute no trans access is not granted,

there has to be a type transition rule deﬁned; fur-

thermore, in order to be able to write or read a ﬁle,

one would also normally need to have open permis-

sion. The policy analyzer can mark the rule as not

functional if the checks fail.

In order to identify potentially dangerous rules,

the policy analyzer can scan rules for possible ad-

ditional usages of default types, mentioned in Sec-

tion 3.2.1, and analyze new rules associated with sen-

sitive types, such as tee or proc security, or un-

trusted domains, such as the untrusted app domain.

One use of the policy analyzer is its integration

into OEMs’ automatic build systems, in order to con-

sistently verify that the policy does not contain un-

reachable or potentially dangerous rules, and that it

is optimized with regards to the usage of attributes

and types. This would provide value for OEMs, since

policy additions might be made by different develop-

ment teams, possibly without detailed knowledge of

SEAndroid. The output of the tool can be further an-

alyzed manually by a person with detailed knowledge

of SEAndroid, in order to reject or accept suggested

modiﬁcations.

5 RELATED WORK

Several tools and methods originally designed for

SELinux are relevant to the new mobile environment.

The de facto standard for handling SELinux poli-

cies in text and binary format is the SETools li-

brary (Tresys, 2014): this contains the aforemen-

tioned apol and sediff tools, which can be used in-

terchangeably on SELinux and SEAndroid.

Formal methods have been used for SELinux pol-

icy analysis. Gokyo (Jaeger et al., 2003) is a policy

analysis tool designed to identify and resolve conﬂict-

ing policy speciﬁcations. Usage of the HRU security

model (Harrison et al., 1976) has been proposed as an

approach to SELinux policy analysis (Amthor et al.,

2011). Information ﬂow analysis has been applied

to SELinux policies (Guttman et al., 2005). These

analysis methods are not SELinux-speciﬁc, and can

be easily adapted to SEAndroid.

Some researchers have applied information vi-

sualization techniques to SELinux policy analy-

ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy

488

sis (Clemente et al., 2012), also in combination with

clustering (Marouf and Shehab, 2011). These tech-

niques are also system-agnostic, and we may use them

in future SEAndroid tools.

SELinux policy generation and reﬁning tools are

rare. Polgen, a tool for semi-automated SELinux pol-

icy generation based on system call tracing (Sniffen

et al., 2006), appears to be no longer in active de-

velopment. The SELinux userspace tools (SELinux

Project, 2014) can generate SELinux policies. One

of these tools, audit2allow, is widely used to au-

tomatically generate and reﬁne SELinux policies by

converting SELinux audit messages into rules; these

policies, however, are not necessarily correct, com-

plete or secure, since the rules depend on code paths

taken during execution, and there is no way to dis-

tinguish intended and possibly malicious application

behavior. These tools are used both in SELinux and

SEAndroid.

There has been some research in applying Do-

main Speciﬁc Languages (DSL) (Fowler, 2010) to

SELinux policy development and veriﬁcation (Hurd

et al., 2009). The authors proposed a tool (shrimp) to

analyze and ﬁnd errors in the SELinux Reference Pol-

icy, similar to the Lint tool for C. This is similar to a

tool we propose, but different in scope as it is limited

to analysis of the SELinux reference policy.

The only SEAndroid-speciﬁc analysis method is

based on audit log analysis with machine learn-

ing (Wang et al., 2015). This approach is completely

different from what we propose, since it relies on sig-

niﬁcant volumes of data to classify rules.

6 CONCLUSIONS

In this paper we presented a number of common mis-

takes made by OEMs in their SEAndroid policies,

suggesting potential reasons behind them. As a re-

sult of this study, we identiﬁed a number of practical

tools that should help OEMs and security researchers

to improve SEAndroid policies. We provided the im-

plementation of a ﬁrst tool , SEAL, and we are cur-

rently working on the rest.

REFERENCES

Amthor, P., Kuhnhauser, W., and Polck, A. (2011). Model-

based safety analysis of selinux security policies. In

NSS, pages 208–215. IEEE.

Badger, L., Sterne, D., Sherman, D., Walker, K., Haghighat,

S., et al. (1995). Practical domain and type enforce-

ment for UNIX. In Security and Privacy, pages 66–77.

IEEE.

Bauer, M. (2006). Paranoid penguin: an introduction to

Novell AppArmor. Linux Journal, (148):13.

Clemente, P., Kaba, B., Rouzaud-Cornabas, J., Alexandre,

M., and Aujay, G. (2012). Sptrack: Visual analysis of

information ﬂows within selinux policies and attack

logs. In AMT, pages 596–605. Springer.

Fowler, M. (2010). Domain-speciﬁc languages. Pearson

Education.

Guttman, J. D., Herzog, A. L., Ramsdell, J. D., and Sko-

rupka, C. W. (2005). Verifying information ﬂow goals

in security-enhanced Linux. Journal of Computer Se-

curity, 13(1):115–134.

Harrison, M. A., Ruzzo, W. L., and Ullman, J. D. (1976).

Protection in operating systems. Commun. ACM,

19(8):461–471.

Hurd, J., Carlsson, M., Finne, S., Letner, B., Stanley, J., and

White, P. (2009). Policy DSL: High-level Speciﬁca-

tions of Information Flows for Security Policies.

Jaeger, T., Sailer, R., and Zhang, X. (2003). Analyzing in-

tegrity protection in the selinux example policy. In

USENIX Security, page 5.

Marouf, S. and Shehab, M. (2011). SEGrapher:

Visualization-based SELinux policy analysis. In

SAFECONFIG, pages 1–8. IEEE.

Schauﬂer, C. (2008). Smack in embedded computing. In

Ottawa Linux Symposium.

SELinux Project (2014). Userspace tools.

github.com/SELinuxProject/selinux/wiki. Accessed:

2015-09-29.

Smalley, S. and Craig, R. (2013). Security Enhanced (SE)

Android: Bringing ﬂexible MAC to Android. In

NDSS, volume 310, pages 20–38.

Smalley, S., Vance, C., and Salamon, W. (2001). Imple-

menting SELinux as a Linux security module. NAI

Labs Report, 1(43):139.

Sniffen, B. T., Harris, D. R., and Ramsdell, J. D. (2006).

Guided policy generation for application authors. In

SELinux Symposium.

Spencer, R., Smalley, S., Loscocco, P., Hibler, M., and Lep-

reau, J. (1999). The Flask security architecture: Sys-

tem support for diverse policies. In USENIX Security.

Tresys (2014). SETools project page.

github.com/TresysTechnology/setools3/wiki. Ac-

cessed: 2015-09-29.

Wang, R., Enck, W., Reeves, D., Zhang, X., Ning, P.,

Xu, D., Zhou, W., and Azab, A. (2015). EASE-

Android: Automatic Policy Analysis and Reﬁnement

for Security Enhanced Android via Large-Scale Semi-

Supervised Learning. In USENIX Security.

Zhou, Y. and Jiang, X. (2012). Dissecting android mal-

ware: Characterization and evolution. In Security and

Privacy, pages 95–109. IEEE.

Characterizing SEAndroid Policies in the Wild

489