PolicyViewer: Ferramenta para Visualização e Análise de Políticas de Seguranças em Grafos
Resumo
Neste artigo é apresentada a ferramenta PolicyViewer, cujo objetivo é auxiliar na configuração e gerenciamento de políticas de segurança, auxiliando o administrador na compreensão, análise e verificação das políticas. Para atingir esse objetivo, o modelo de política de segurança do SELinux foi mapeado para uma estrutura de grafo, a partir do qual foram desenvolvidas representações visuais com intuito de permitir uma melhor compreensão e análise das regras da política.Referências
Bell, D. E. and La Padula, L. J. (1973). Secure computer systems: Mathematical foundations and model. Technical Report MTR-2547 Vol I, MITRE Corporation, Bedford, MA, EUA.
Biba, K. (1977). Integrity considerations for secure computer systems. Technical Report MTR-3153, MITRE Corporation, Bedford, MA, EUA.
Bishop, M. (2003). Computer Security: Art and Science. Addison-Wesley, 4th edition.
Card, S. K., Mackinlay, J. D., and Shneierman, B. (1999). Readings in Information Visualization: Using Vision to Think. Morgan Kaufmann Publishers, San Francisco, CA, USA.
Cowan, C., Pu, C., Maier, D., Hinton, H., andPeat Bakke, J. W., Beattie, S., Grier, A., Wagle, P., and Zhang, Q. (1998). Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th USENIX Security Conference.
Damianou, N., Dulay, N., Lupu, E., Sloman, M., and Tonouchi, T. (2002). Tools for domain-based policy management of distributed systems. In In proceedings of Network Operations and Management Symposium, 2002., pages 203 - 217.
Ferraiolo, D. and Kuhn, R. (1992). Role-based access control. In Proceedings of The 15th National Computer Security Conference.
Ferraiolo, D. F., Cugini, J. A., and Kuhn, D. R. (1995). Role-based access control (rbac): Features and motivations. Proceedings of the 7th Annual Computer Security Applications Conference.
Garfinkel, S. and Spafford, G. (1996). Pratical Unix & Internet Security. O'Reilly & Associates, Inc., USA, 2nd edition. 971 p.
Koch, M., Mancini, L. V., and Parisi-Presicce, F. (2002). A graph-based formalism for rbac. ACM Trans. Inf. Syst. Secur., 5(3):332-365.
Kropiwiec, D. D. (2005). Policyviewer: Ferramenta para visualização de políticas de segurança em grafos. Master's thesis, Universidade Estadual de Campinas (UNICAMP).
Kropiwiec, D. D. and de Geus, P. L. (2004). Paradigmas de segurança em sistemas operacionais. In Anais do IV Workshop de Segurança em Sistemas Computacionais, Gramado/RS.
Lipner, S. (1982). Non-discretionary controls for commercial applications. In Proceedings of th 1982 Symposium on Privacy and Security, pages 2-10.
Loscocco, P. and Smalley, S. (2001). Integrating flexible support for security policies into the linux operating system. In Proccedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, Boston Mass.
Loscocco, P. A., Smalley, S. D., Muckelbauer, P. A., Taylor, R. C., Turner, S. J., and Farrel, J. F. (1998). The inevitability of failure: The flawed assumption of security in modern computing environment. In Proceedings of the 21st National Information Systems Security Conference, pages 303-314.
Nakamura, E. and de Geus, P. L. (2002). Segurança de Redes em ambientes cooperativos. Editora Berkeley, São Paulo, first edition.
Nyanchama, M. and Osborn, S. (1999). The role graph model and conflict of interest. ACM Trans. Inf. Syst. Secur., 2(1):3-33.
Smalley, S. D. (2003). Configuring the selinux policy. Technical report, National Security Agency of United States of America.
Spencer, R., Smalley, S., Loscocco, P., Hibler, M., Andersen, D., and Lepreau., J. (1999). The flask security architecture: System support for diverse security policies. Proceedings of the Eighth USENIX Security Symposium, pages 123-139.
Viega, J. and McGraw, G. (2003). Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley, 3rd edition.
Walker, K. W., Bagder, D. F., Petkac, M. J., Sherman, L., and Oostendorp, K. A. (1996). Confining root programs with domain and type enforcement. In Proceedings of The 6th USENIX Security Symposium, San Jose, California.
Biba, K. (1977). Integrity considerations for secure computer systems. Technical Report MTR-3153, MITRE Corporation, Bedford, MA, EUA.
Bishop, M. (2003). Computer Security: Art and Science. Addison-Wesley, 4th edition.
Card, S. K., Mackinlay, J. D., and Shneierman, B. (1999). Readings in Information Visualization: Using Vision to Think. Morgan Kaufmann Publishers, San Francisco, CA, USA.
Cowan, C., Pu, C., Maier, D., Hinton, H., andPeat Bakke, J. W., Beattie, S., Grier, A., Wagle, P., and Zhang, Q. (1998). Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th USENIX Security Conference.
Damianou, N., Dulay, N., Lupu, E., Sloman, M., and Tonouchi, T. (2002). Tools for domain-based policy management of distributed systems. In In proceedings of Network Operations and Management Symposium, 2002., pages 203 - 217.
Ferraiolo, D. and Kuhn, R. (1992). Role-based access control. In Proceedings of The 15th National Computer Security Conference.
Ferraiolo, D. F., Cugini, J. A., and Kuhn, D. R. (1995). Role-based access control (rbac): Features and motivations. Proceedings of the 7th Annual Computer Security Applications Conference.
Garfinkel, S. and Spafford, G. (1996). Pratical Unix & Internet Security. O'Reilly & Associates, Inc., USA, 2nd edition. 971 p.
Koch, M., Mancini, L. V., and Parisi-Presicce, F. (2002). A graph-based formalism for rbac. ACM Trans. Inf. Syst. Secur., 5(3):332-365.
Kropiwiec, D. D. (2005). Policyviewer: Ferramenta para visualização de políticas de segurança em grafos. Master's thesis, Universidade Estadual de Campinas (UNICAMP).
Kropiwiec, D. D. and de Geus, P. L. (2004). Paradigmas de segurança em sistemas operacionais. In Anais do IV Workshop de Segurança em Sistemas Computacionais, Gramado/RS.
Lipner, S. (1982). Non-discretionary controls for commercial applications. In Proceedings of th 1982 Symposium on Privacy and Security, pages 2-10.
Loscocco, P. and Smalley, S. (2001). Integrating flexible support for security policies into the linux operating system. In Proccedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, Boston Mass.
Loscocco, P. A., Smalley, S. D., Muckelbauer, P. A., Taylor, R. C., Turner, S. J., and Farrel, J. F. (1998). The inevitability of failure: The flawed assumption of security in modern computing environment. In Proceedings of the 21st National Information Systems Security Conference, pages 303-314.
Nakamura, E. and de Geus, P. L. (2002). Segurança de Redes em ambientes cooperativos. Editora Berkeley, São Paulo, first edition.
Nyanchama, M. and Osborn, S. (1999). The role graph model and conflict of interest. ACM Trans. Inf. Syst. Secur., 2(1):3-33.
Smalley, S. D. (2003). Configuring the selinux policy. Technical report, National Security Agency of United States of America.
Spencer, R., Smalley, S., Loscocco, P., Hibler, M., Andersen, D., and Lepreau., J. (1999). The flask security architecture: System support for diverse security policies. Proceedings of the Eighth USENIX Security Symposium, pages 123-139.
Viega, J. and McGraw, G. (2003). Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley, 3rd edition.
Walker, K. W., Bagder, D. F., Petkac, M. J., Sherman, L., and Oostendorp, K. A. (1996). Confining root programs with domain and type enforcement. In Proceedings of The 6th USENIX Security Symposium, San Jose, California.
Publicado
26/09/2005
Como Citar
KROPIWIEC, Diogo Ditzel; GEUS, Paulo Lício de.
PolicyViewer: Ferramenta para Visualização e Análise de Políticas de Seguranças em Grafos. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 5. , 2005, Florianópolis.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2005
.
p. 231-244.
DOI: https://doi.org/10.5753/sbseg.2005.21535.