Analyzing and Comparing the Protection Quality of Security Enhanced Operating Systems
Source: Purdue University (Krannert)
Host compromise is a serious computer security problem today. To better protect hosts, several Mandatory Access Control systems, such as Security Enhanced Linux (SELinux) and AppArmor, have been introduced. This paper proposes an approach to analyze and compare the quality of protection offered by these different MAC systems. The paper introduces the notion of vulnerability surfaces under attack scenarios as the measurement of protection quality, and implements a tool called VulSAN for computing such vulnerability surfaces. In VulSAN, the author encodes security policies, system states, and system rules using logic programs. Given an attack scenario, VulSAN computes a host attack graph and the vulnerability surface.