Skip to main content

Advertisement

SpringerLink
Log in

Visualization-based policy analysis for SELinux: framework and user study

  • Regular Contribution
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

In this paper, we propose a visualization-based policy analysis framework that enables system administrators to query and visualize security policies and to easily identify the policy violations, especially focused on SELinux. Furthermore, we propose a visual query language for expressing policy queries in a visual form. Our framework provides an intuitive cognitive sense about the policy, policy queries and policy violations. We also describe our implementation of a visualization-based policy analysis tool that supports the functionalities discussed in our framework. In addition, we discuss our study on usability of our tool with evaluation criteria and experimental results.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

Notes

  1. M and SD denote mean and standard deviation, respectively.

References

  1. Anderson, A.P.: Computer Security Technology Planning Study. Technical Report ESD-TR-73-51, II (1972)

  2. Aris, A.: Network visualization by semantic substrates. IEEE Trans. Vis. Comput. Graph. 12(5), 733–740 (2006). Senior Member-Ben Shneiderman

    Article  Google Scholar 

  3. Biba, K.J.: Integrity Consideration for Secure Compuer System. Technical report, Mitre Corp. Report TR-3153, Bedford, Mass (1977)

  4. Denning, D.E.: A lattice model of secure information flow. Commun. ACM 19(5), 236–243 (1976)

    Article  MathSciNet  MATH  Google Scholar 

  5. Erbacher, R.: Intrusion behavior detection through visualization. In: IEEE International Conference on Systems, Man and Cybernetics, pp. 2507–2513 (Oct 2003)

  6. Green, M.: Toward a perceptual science of multidimensional data visualization: Bertin and beyond. Available from http://www.ergogero.com/dataviz/dviz2.html, 1998

  7. Guttman, J., Herzog, A., Ramsdell, J.: Information flow in operating systems: Eager formal methods. In: Workshop on Issues in the Theory of Security (WITS) (2003)

  8. Herman, I., Melancon, G., Marshall, M.: Graph visualization and navigation in information visualization: A survey. IEEE Trans. Vis. Comput. Graph. 6(1), 24–43 (2000)

    Article  Google Scholar 

  9. H.C. I. L. at University of Maryland. Piccolo. Available from http://www.cs.umd.edu/hcil/jazz/download/index.shtml

  10. Itoh, T., Takakura, H., Sawada, A., Koyamada, K.: Hierarchical visualization of network intrusion detection data. IEEE Comput. Graph. Appl. 26(2), 40–47 (2006)

    Article  Google Scholar 

  11. Jaeger, R.S.T., Zhang, X.: Resolving Constraint Conflicts. In: Sacmat ’04: Proceedings of the Ninth Acm Symposium on Access Control Models And Technologies, pp. 105–114 (2004)

  12. Jaeger, X.Z.T., Edwards, A.: Policy management using access control spaces. ACM Trans. Inf. Syst. Secur. (TISSEC) 6, 327–364 (2003)

    Article  Google Scholar 

  13. Jaeger, T., Sailer, R., Shankar, U.: Prima: policy-reduced integrity measurement architecture. In: SACMAT ’06: Proceedings of the Eleventh ACM Symposium on Access Control Models and Technologies, pp. 19–28. ACM, New York, NY, USA (2006)

  14. Jaeger, T., Sailer, R., Zhang, X.: Analyzing integrity protection in the selinux example policy. In: SSYM’03: Proceedings of the 12th Conference on USENIX Security Symposium, pp. 59–74. USENIX Association, Berkeley, CA, USA (2003)

  15. Keller, R., Eckert, C.M., Clarkson, P.J.: Matrices or node-link diagrams: which visual representation is better for visualising connectivity models? Inf. Vis. 5(1), 62–76 (2006)

    Article  Google Scholar 

  16. Lee, C., Trost, J., Raheem, N.G.B., Copeland, J.: Visual firewall: Real-time network security monitor. In: IEEE Workshops Visualization for Computer, Security, pp. 129–136 (2005)

  17. Lime Survey Tool http://www.limesurvey.org/

  18. Loscocco, P., Smalley, S.: Integrating flexible support for security policies into the linux operating system. In: USENIX Annual Technical Conference, FREENIX Track, pp. 29–42 (2001)

  19. Loscocco, P.A., Smalley, S.D.: Meeting critical security objectives with security-enhanced linux. In: Proceedings of the Ottawa Linux Symposium (2001)

  20. Mathew, S., Giomundo, R., Upadhyaya, S., Sudit, M., Stotz, A.: Understanding multistage attacks by attack-track based visualization of heterogeneous event streams. In: VizSEC ’06: Proceedings of the 3rd International Workshop on Visualization for Computer Security, pp. 1–6. ACM, New York, NY, USA (2006)

  21. Nidhi, S.: Fireviz: A personal firewall visualizing tool. In: Thesis (M. Eng.), Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science (2005)

  22. Noel, S., Jajodia, S.: Managing attack graph complexity through visual hierarchical aggregation. In: VizSEC/DMSEC ’04: Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, pp. 109–118. ACM, New York, NY, USA (2004)

  23. Paired Samples T-tests. http://www.statisticssolutions.com/methods-chapter/statistical-tests/paired-sample-t-test/

  24. Reiterer, H., Muler, G.: A visual information seeking system for web search. In: Proceedings of the Oberquelle, H., Oppermann, R., Krause, J. (eds) Mensch& Computer Conference, pp. 297–306, (March 2001)

  25. Reiterer, H., Tullius, G., Mann, T.: Insyder: A content-based visual-informationseeking system for the web. Springer-Verlag GmbH, International Journal on Digital Libraries (2005)

  26. Saltzer, J., Schroeder, M., (1975) The protection of information in computer systems. In: Proceedings of the IEEE, pp. 1278–1308.

  27. Sarna-Starosta, B., Stoller, S.D.: Policy analysis for security-enhanced linux. In: Proceedings of the 2004 Workshop on Issues in the Theory of Security (WITS), pp. 1–12 (April 2004)

  28. Shankar, U., Jaeger, T., Sailer, R.: Toward automated information-flow integrity verification for security-critical applications. In: NDSS, The Internet Society (2006)

  29. Shen, Z., Ma, K.: Path visualization for adjacency matrices. In: Proceedings of Eurographics/IEEE Symposium on Visualization (EuroVis), May 2007

  30. Smalley, S.: Configuring the SELinux policy. http://www.nsa.gov/SELinux/docs.html, 2003

  31. Sutcliffe, A.G., Ennis, M., Watkinson, S.J.: Empirical studies of end-user information searching. J. Am. Soc. Inf. Sci. 51(13), 1211–1231 (2000)

    Article  Google Scholar 

  32. Secure computer systems: Unified exposition and multics interpretation. MITRE Corporation, 1976

  33. System management concepts: Operating system and devices, 1 ed., (1999)

  34. Thompson, R.S., Rantanen, E.M., Yurcik, W., Bailey, B.P.: Command line or pretty lines?: comparing textual and visual interfaces for intrusion detection. In: CHI ’07: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 1205. ACM, New York, NY, USA (2007)

  35. Tran, T., Al-Shaer, E.S., Boutaba, R.: Policyvis: Firewall security policy visualization and inspection. In: Lisa, pp. 1–16 (2007)

  36. Tresys Technology Apol. http://www.tresys.com/selinux/

  37. Yao, D., Shin, M., Tamassia, R., Winsborough, W.H.: Visualization of automated trust negotiation. In: VizSEC 05: IEEE Workshop on Visualization for Computer, Security, Oct 2005

  38. Yin, X., Yurcik, W., Treaster, M., Li, Y., Lakkaraju, K.: Visflowconnect: netflow visualizations of link relationships for security situational awareness. In: VizSEC/DMSEC ’04: Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 26–34. ACM, New York, NY, USA (2004)

  39. Yurcik, W.: Visualizing netflows for security at line speed: the sift tool suite. In: LISA’05: Proceedings of the 19th Conference on Large Installation System Administration Conference, pp. 169–176. USENIX Association, Berkeley, CA, USA (2005)

  40. Yurcik, W.: Tool update: visflowconnect-ip with advanced filtering from usability testing. In: VizSEC ’06: Proceedings of the 3rd International Workshop on Visualization for Computer Security, pp. 63–64. ACM, New York, NY, USA (2006)

Download references

Acknowledgments

The work of Gail-Joon Ahn and Wenjuan Xu was partially supported by the grants from National Science Foundation and Department of Energy.

Author information

Authors and Affiliations

  1. Frostburg State University, 101 Braddock Rd., Frostburg, MD, 21532, USA

    Wenjuan Xu

  2. UNC Charlotte, 9201 University City Boulevard, Charlotte, NC, 22087, USA

    Mohamed Shehab

  3. Arizona State University, 660 South Mill Avenue, Tempe, AZ, 85287, USA

    Gail-Joon Ahn

Authors
  1. Wenjuan Xu
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Mohamed Shehab
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Gail-Joon Ahn
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Gail-Joon Ahn.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Xu, W., Shehab, M. & Ahn, GJ. Visualization-based policy analysis for SELinux: framework and user study. Int. J. Inf. Secur. 12, 155–171 (2013). https://doi.org/10.1007/s10207-012-0180-7

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-012-0180-7

Keywords

Search

Navigation