Enrico Bacis

SeSQLite: Security Enhanced SQLite: Mandatory Access Control for Android databases

SQLite is the most widely deployed in-process library that implements a SQL database engine. It offers high storage efficiency, fast query operation and small memory needs. Due to the fact that a complete SQLite database is stored in a single cross-platform disk file and SQLite does not support multiple users, anyone who has direct access to the file can read the whole database content. SELinux was originally developed as a Mandatory Access Control (MAC) mechanism for Linux to demonstrate how to overcome DAC limitations. However, SELinux provides per-file protection, thus the database file is treated as an atomic unit, impeding the definition of a fine-grained mandatory access control (MAC) policy for database objects. We introduce SeSQLite, an SQLite extension that integrates SELinux access controls into SQLite with minimal performance and storage overhead. SeSQLite implements labeling and access control at both schema level (for tables and columns) and row level. This permits the management of a fine-grained access policy for database objects. A prototype has been implemented and it has been used to improve the security of Android Content Providers.

AppPolicyModules: Mandatory Access Control for Third-Party Apps

Android has recently introduced the support for Mandatory Access Control, which extends previous security services relying on the Android Permission Framework and on the kernel-level Discretionary Access Control. This extension has been obtained with the use of SELinux and its adaptation to Android (SEAndroid). Currently, the use of the MAC model is limited to the protection of system resources. All the apps that are installed by users fall in a single undifferentiated domain, untrusted_app. We propose an extension of the architecture that permits to associate with each app a dedicated MAC policy, contained in a dedicated appPolicyModule, in order to protect app resources even from malware with root privileges. A crucial difference with respect to the support for policy modules already available in some SELinux implementations is the need to constrain the policies in order to guarantee that an app policy is not able to manipulate the system policy. We present the security requirements that have to be satisfied by the support for modules and show that our solution satisfies these requirements. The support for appPolicyModules can also be the basis for the automatic generation of policies, with a stricter enforcement of Android permissions. A prototype has been implemented and experimental results show a minimal performance overhead for app installation and runtime.

Mix&Slice: Efficient Access Revocation in the Cloud

We present an approach to enforce access revocation on resources stored at external cloud providers. The approach relies on a resource transformation that provides strong mutual inter-dependency in its encrypted representation. To revoke access on a resource, it is then sufficient to update a small portion of it, with the guarantee that the resource as a whole (and any portion of it) will become unintelligible to those from whom access is revoked. The extensive experimental evaluation on a variety of configurations confirmed the effectiveness and efficiency of our solution, which showed excellent performance and compatibility with several implementation strategies.

DockerPolicyModules: Mandatory Access Control for Docker containers

The wide adoption of Docker and the ability to retrieve images from different sources impose strict security constraints. Docker leverages Linux kernel security facilities, such as namespaces, cgroups and Mandatory Access Control, to guarantee an effective isolation of containers. In order to increase Docker security and flexibility, we propose an extension to the Dockerfile format to let image maintainers ship a specific SELinux policy for the processes that run in a Docker image, enhancing the security of containers.

An SELinux-based intent manager for Android

The support for Mandatory Access Control offered by SELinux has become a significant component of the security design of the Android operating system, offering robust protection and the ability to support system-level policies enforced by all the elements of the system. A well-known security-sensitive aspect of Android that currently SELinux does not cover is the abuse of intents, which represent the Android approach to inter-process communication. We propose SEIntentFirewall, an SELinux intent manager that provides fine-grained access control over Intent objects, permitting to cover within MAC policies the use of intents.

Policy Specialization to Support Domain Isolation

The exponential growth of modern information systems has introduced several new challenges in the management of security requirements. Nowadays, the technological scenario has evolved and the introduction of MAC models provides a better isolation among software components and reduces the damages that the malicious or defective ones can cause to the systems. On one hand it is important to confine applications and limit the privileges that they can request. On the other hand we want to let applications benefit from the flexibility given by MAC models, such as SELinux. In this paper we show how the constructs already available in SELinux and the specialization of security domains can be leveraged to define boundaries where the applications are confined but still able to introduce sophisticated security patterns, such as application isolation and the least privilege principle. After defining the proposed model, we describe how it can be integrated into real systems through the use of examples on Android and Apache Web Server.

Extending Mandatory Access Control Policies in Android

Solutions like SELinux have recently regenerated interest toward Mandatory Access Control MAC models. The role of MAC models can be expected to increase in modern systems, which are exposed to significant threats and manage high-value resources, due to the stronger protection they are able to offer. Android is a significant representative of these novel systems and the integration of MAC models is an important recent development in its security architecture. Opportunities indeed exist to further enrich the support offered by MAC models, increasing their flexibility and integrating them with other components of the system. We discuss a number of proposals that have recently been made in this domain. First, we illustrate the integration of SELinux and SQLite, named SeSQLite, which permits to apply MAC permissions at a fine granularity into relational databases, offering both a schema-level and row-level support. Then, AppPolicyModules are presented, which let app developers specify extensions to the system-level policy that protect the resources of each specific app. Finally, an integration between SELinux and the interprocess communication services is proposed, to further regulate the cooperation among separate apps and services. All these enhancements lead to a stronger and more detailed support of the complex security requirements that characterize modern environments.

Access Control Management for Secure Cloud Storage

With the widespread success and adoption of cloud-based solutions, we are witnessing an ever increasing reliance on external providers for storing and managing data. This evolution is greatly facilitated by the availability of solutions - typically based on encryption - ensuring the confidentiality of externally outsourced data against the storing provider itself. Selective application of encryption (i.e., with different keys depending on the authorizations holding on data) provides a convenient approach to access control policy enforcement. Effective realization of such policy-based encryption entails addressing several problems related to key management, access control enforcement, and authorization revocation, while ensuring efficiency of access and deployment with current technology. We present the design and implementation of an approach to realize policy-based encryption for enforcing access control in OpenStack Swift. We also report experimental results evaluating and comparing different implementation choices of our approach.

Managing Data Sharing in OpenStack Swift with Over-Encryption

The sharing of large amounts of data is greatly facilitated by the adoption of cloud storage solutions. In many scenarios, this adoption could be hampered by possible concerns about data confidentiality, as cloud providers are not trusted to know the content of the data they store. Especially when the data are organized in objects, the application of an encryption layer is an interesting solution to this problem, because it offers strong confidentiality guarantees with a limited performance overhead. In a data sharing scenario, the management of access privileges then requires an adequate support for key derivation and for managing policy evolution. We present a solution that provides transparent support for the encryption of objects stored on Swift. Our system offers an efficient management of the updates to the access control policy, including revocation of authorizations from some of the sharing users. We explore several alternatives for the architecture, associated with distinct levels of transparency for the applications, and integrate different options for the management of policy updates. Our implementation and experiments demonstrate the easy integration of the approach with existing cloud storage solutions.

Distributed Shuffle Index in the Cloud: Implementation and Evaluation

The distributed shuffle index strengthens the guarantees of access confidentiality provided by the shuffle index through the distribution of data among three cloud providers. In this paper, we analyze architectural and design issues and describe an implementation of the distributed shuffle index integrated with different cloud providers (i.e., Amazon S3, OpenStack Swift, Google Cloud Storage, and EMC Elastic Cloud Storage). The experimental results obtained with our implementation confirm the protection guarantees provided by the distributed shuffle index and its limited performance overhead, demonstrating its practical applicability in cloud scenarios.