New security system FBAC-LSM announcement and call for collaborators

From: Cliffe
Date: Fri Dec 11 2009 - 03:31:11 EST

Next message: Ingo Molnar: "Re: Bisected regression (Was Re: current -git fails to boot onnehalem-ex)"
Previous message: Cypher Wu: "Re: Questions about Watch Dog Timer under Linux."
Next in thread: Lincoln Yeoh: "Re: [Apparmor-dev] New security system FBAC-LSM announcement and call for collaborators"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In preparation for my LCA talk “A New Paradigm for Restricting Applications and Protecting Yourself from Your Processes”, today I have released the code for FBAC-LSM. This initial development version of FBAC-LSM is functional, but is unstable and slow. It is developed against an older version of the LSM interface (using the AppArmor path-based hooks), and will be updated to work with the new interface in the future. There is quite a bit of work to be done before it is ready for production systems or formal code review.

I developed FBAC-LSM for my PhD research. FBAC-LSM restricts programs based on the features each application provides. Reusable policy abstractions, known as functionalities, can be used to grant the authority to perform high level features (for example using the Web_Browser functionality) or lower level features (such as using the HTTP_Client functionality) or to grant privileges to access any specified resources. Functionalities are parameterised, which allows them to be adapted to the needs of specific applications. Functionalities are also hierarchical; that is, functionalities can contain other functionalities.

Over one hundred applications were analysed, and functionalities and policies were developed. A number of techniques for automating aspects of policy specification were also developed. A usability study comparing FBAC-LSM with SELinux and AppArmor found that the new approach provided significant benefits including higher levels of user satisfaction and of successful policy creation. In the near future I will share the results of the usability study, including suggestions for improving the usability of SELinux and AppArmor.

Currently I am planning on expanding the FBAC-LSM tools to export to and manage AppArmor and SEEdit policies.

I am looking for anyone interested in collaborating on the project. Please contact me. There are a number of problems with the synchronisation in the LSM code, which I hope someone on one of these mailinglists can help with.

Programmed in C and C++, using the LSM and Qt frameworks. Policy abstractions in FBAC-LSM-PL policy language. Licensed GPL.

Check out the FBAC-LSM homepage which has lots more information and videos:
http://schreuders.org/FBAC-LSM

Pull the sourceforge Git repo (which includes the Linux Security Module (LSM), graphical policy manager, and policies) to your computer with the command:
git clone git://fbac-lsm.git.sourceforge.net/gitroot/fbac-lsm/fbac-lsm

If you are attending the 2010 linux.conf.au conference, I hope to see you at my talk in room Renouf 2 at 16:45 on Wednesday 20/01/10:
http://www.lca2010.org.nz/programme/schedule/view_talk/50029?day=wednesday

Thanks,

Z. Cliffe Schreuders
http://schreuders.org
PhD Candidate
Murdoch University

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ingo Molnar: "Re: Bisected regression (Was Re: current -git fails to boot onnehalem-ex)"
Previous message: Cypher Wu: "Re: Questions about Watch Dog Timer under Linux."
Next in thread: Lincoln Yeoh: "Re: [Apparmor-dev] New security system FBAC-LSM announcement and call for collaborators"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]