Sandra Julieta Rueda
Pennsylvania State University
Publication
Featured research published by Sandra Julieta Rueda.
ACM Transactions on Information and System Security | 2010
Boniface Hicks; Sandra Julieta Rueda; Luke St. Clair; Trent Jaeger; Patrick D. McDaniel
The SELinux mandatory access control (MAC) policy has recently added a multilevel security (MLS) model which is able to express a fine granularity of control over a subject's access rights. The problem is that the richness of the SELinux MLS model makes it impractical to manually evaluate that a given policy meets certain specific properties. To address this issue, we have modeled the SELinux MLS model, using a logical specification and implemented that specification in the Prolog language. Furthermore, we have developed some analyses for testing information flow properties of a given policy as well as an algorithm to determine whether one policy is compliant with another. We have implemented these analyses in Prolog and compiled our implementation into a tool for SELinux MLS policy analysis, called PALMS. Using PALMS, we verified some important properties of the SELinux MLS reference policy, namely that it satisfies the simple security condition and *-property defined by Bell and LaPadula. We also evaluated whether the policy associated to a given application is compliant with the policy of the SELinux system in which it would be deployed.
symposium on access control models and technologies | 2010
Boniface Hicks; Sandra Julieta Rueda; Dave King; Thomas Moyer; Joshua Schiffman; Yogesh Sreenivasan; Patrick D. McDaniel; Trent Jaeger
The web is now being used as a general platform for hosting distributed applications like wikis, bulletin board messaging systems and collaborative editing environments. Data from multiple applications originating at multiple sources all intermix in a single web browser, making sensitive data stored in the browser subject to a broad milieu of attacks (cross-site scripting, cross-site request forgery and others). The fundamental problem is that existing web infrastructure provides no means for enforcing end-to-end security on data. To solve this we design an architecture using mandatory access control (MAC) enforcement. We overcome the limitations of traditional MAC systems, implemented solely at the operating system layer, by unifying MAC enforcement across virtual machine, operating system, networking and application layers. We implement our architecture using Xen virtual machine management, SELinux at the operating system layer, labeled IPsec for networking and our own label-enforcing web browser, called FlowwolF. We tested our implementation and find that it performs well, supporting data intermixing while still providing end-to-end security guarantees.
symposium on access control models and technologies | 2009
Sandra Julieta Rueda; Hayawardh Vijayakumar; Trent Jaeger
The recent emergence of mandatory access control (MAC) enforcement for virtual machine monitors (VMMs) presents an opportunity to enforce a security goal over all its virtual machines (VMs). However, these VMs also have MAC enforcement, so to determine whether the overall system (VM-system) is secure requires an evaluation of whether this combination of MAC policies, as a whole, complies with a given security goal. Previous MAC policy analyses either consider a single policy at a time or do not represent the interaction between different policy layers (VMM and VM). We observe that we can analyze the VMM policy and the labels used for communications between VMs to create an inter-VM flow graph that we use to identify safe, unsafe, and ambiguous VM interactions. A VM with only safe interactions is compliant with the goal, a VM with any unsafe interaction violates the goal. For a VM with ambiguous interactions we analyze its local MAC policy to determine whether it is compliant or not with the goal. We used this observation to develop an analytical model of a VM-system, and evaluate if it is compliant with a security goal. We implemented the model and an evaluation tool in Prolog. We evaluate our implementation by checking whether a VM-system running XSM/Flask policy at the VMM layer and SELinux policies at the VM layer satisfies a given integrity goal. This work is the first step toward developing layered, multi-policy analyses.
computer and communications security | 2008
Sandra Julieta Rueda; Yogesh Sreenivasan; Trent Jaeger
Virtual machines are widely accepted as a promising basis for building secure systems. However, while virtual machines offer effective mechanisms to create isolated environments, mechanisms that offer controlled interaction among VMs are immature. Some VM systems include flexible policy models and some enable MLS enforcement, but the flexible use of policy to control VM interactions has not been developed. In this paper, we propose an architecture that enables administrators to configure virtual machines to satisfy prescribed security goals. We describe the design and implementation of such an architecture using SELinux, Xen and IPsec as the tools to express and enforce policies at the OS, VM and Network layers, respectively. We develop a web application using our architecture and show that we can configure application VMs in such a way that we can verify the enforcement of the security goals of those applications.
network computing and applications | 2015
Laura Victoria Morales; Andrés F. Murillo; Sandra Julieta Rueda
Software Defined Networking (SDN) emerges as an option to implement security features difficult to develop and deploy in traditional network infrastructures. SDN has a programmable component that can build a global view of the actual state of a network and change network configuration to react to actual events: a controller. Additionally, a controller's functionality may be extended to meet specific requirements. This work studies the features that Floodlight, a Java based SDN controller, offers to extend its behavior. Previous works have studied Floodlight architecture and performance, but not these features. To meet the goal, we selected a known security context for traditional networks: DDoS detection and mitigation. This paper presents design and implementation of the CDM (Collection, Detection, and Mitigation) module, a statistical-based DDoS detection module that extends Floodlight. Statistical algorithms are a good fit for SDN, they have low memory and CPU demands, and can react to changes in network configuration. The module also uses Java features to establish an interface for statistical-based detection algorithms, enabling administrators to use libraries of algorithms and select some of them according to their systems. The results show that Floodlight is easy to extend and flexible. It is also efficient regarding CPU, but requires more memory than other controllers. The collection, detection, and mitigation algorithms run fast, although the time window required to detect statistical change bounds reaction times.
annual computer security applications conference | 2012
Divya Muthukumaran; Sandra Julieta Rueda; Nirupama Talele; Hayawardh Vijayakumar; Jason Teutsch; Trent Jaeger
Modern distributed systems are composed from several off-the-shelf components, including operating systems, virtualization infrastructure, and application packages, upon which some custom application software (e.g., web application) is often deployed. While several commodity systems now include mandatory access control (MAC) enforcement to protect the individual components, the complexity of such MAC policies and the myriad of possible interactions among individual hosts in distributed systems makes it difficult to identify the attack paths available to adversaries. As a result, security practitioners react to vulnerabilities as adversaries uncover them, rather than proactively protecting the system's data integrity. In this paper, we develop a mostly-automated method to transform a set of commodity MAC policies into a system-wide policy that proactively protects system integrity, approximating the Clark-Wilson integrity model. The method uses the insights from the Clark-Wilson model, which requires integrity verification of security-critical data and mediation at program entrypoints, to extend existing MAC policies with the proactive mediation necessary to protect system integrity. We demonstrate the practicality of producing Clark-Wilson policies for distributed systems on a web application running on virtualized Ubuntu SELinux hosts, where our method finds: (1) that only 27 additional entrypoint mediators are sufficient to mediate the threats of remote adversaries over the entire distributed system and (2) that only 20 additional local threats require mediation to approximate Clark-Wilson integrity comprehensively. As a result, available security policies can be used as a foundation for proactive integrity protection from both local and remote threats.
Proceedings of the 3rd ACM workshop on Assurable and usable security configuration | 2010
Divya Muthukumaran; Sandra Julieta Rueda; Hayawardh Vijayakumar; Trent Jaeger
Computer security is currently fraught with fine-grained access control policies, in operating systems, applications and even programming languages. All this policy configuration means that too many decisions are left to administrators, developers and even users to some extent and as a result we do not get any comprehensive security guarantees. In this position paper, we take a stand for the idea that less policy is better and propose that limiting the choices given to parties along the development and deployment process leads to a more secure system. We argue that other systems processes like scheduling and memory management achieve their goals with minimal user input and access control configuration should also follow suit. We then suggest a technique to automate access control configuration using graph-cuts and show that this gets us closer to achieving our goal.
ieee latin american conference on communications | 2014
Laura Victoria Morales Medina; Sandra Julieta Rueda
Android is a very attractive platform for malware developers because it is widely used. There is a need to understand how malware works and how it can exploit a system's security architecture. To do so, this work decompiles Android malware applications to study their source code and to look for patterns, regarding instructions, method calls, and permission usage. The goal is to define a set of instruction-based signatures that identify dangerous behavior and to use the identified signatures as a base for developing tools for code analysis.
Computer Networks | 2018
Andrés F. Murillo Piedrahita; Vikram Gaur; Jairo Giraldo; Alvaro A. Cárdenas; Sandra Julieta Rueda
In the past decade the security of industrial control systems has emerged as a research priority in order to safeguard our critical infrastructures. A large number of research efforts have focused on intrusion detection in industrial networks, however, few of them discuss what to do after an intrusion has been detected. Because the safety of most of these control systems is time-sensitive, we need new research on automatic incident response. In this article we show how software-defined networks, and network-function virtualization can facilitate automatic incident response to a variety of attacks against industrial networks. We also prototype an incident response solution that detects and responds automatically to sensor attacks and controller attacks. Our work shows the promise that cloud-enabled software-defined networks and virtual infrastructures hold as a way to provide novel defense-in-depth solutions for industrial systems.
the internet of things | 2017
Matthew Wynn; Kyle Tillotson; Ryan Kao; Andrea Calderon; F P Andres Murillo; Javier Camargo; Rafael Mantilla; Brahian Rangel; Alvaro A. Cárdenas; Sandra Julieta Rueda
Sexual preferences are one of our most intimate and private choices, and new IoT devices, while facilitating and expanding the ways in which partners can enjoy sexual intimacy, can also put at risk the privacy and safety of their users. In this paper we analyze smart vibrators and show systematic privacy and security problems that can put owners of these devices at risk of privacy breaches and sexual assault. We discuss the role these sexual IoT devices play in the larger liberty and morals legislation discussion and emphasize that the security and privacy of these devices should be held at a higher standard than other IoT tools because of the potential consequences of security breaches.