{"title":"Security Goals Assurance Based on Software Active Monitoring","authors":"Changzhi Zhao, Wei Dong, M. Leucker, Zhichang Qi","doi":"10.1109/SSIRI.2011.34","DOIUrl":null,"url":null,"abstract":"Access control is a vital security mechanism in today's operating systems, and the security policies dictating security-relevant behavior are lengthy and complex, for example in Security-Enhanced Linux (SELinux). It is extremely difficult to verify the consistency between the security policies and the security goals desired by applications. In this paper, we present how to predict at runtime whether the information flow security goal is violated, how to generate the corresponding control actions on-line when a divergence is detected, and how to apply these actions in time based on the software active monitoring technique. The symbolic security information flow model of SELinux is generated from a formalization of the access control mechanism and is used to generate the N-step-ahead projection of the future behavior. Information flow security goals are expressed in linear temporal logic (LTL), which provides a clear description of the objectives desired by applications. An anticipatory monitor is generated automatically from the LTL formula. We consider an on-line scheme where, after the occurrence of an event, the next control action is determined on the basis of the N-step-ahead projection of the future behavior. This procedure is repeated after the occurrence of the next security-relevant event. Thus, a closed-loop system is obtained in which all behavior sequences satisfy the security goals.","PeriodicalId":224250,"journal":{"name":"2011 Fifth International Conference on Secure Software Integration and Reliability Improvement","volume":"500 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-06-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2011 Fifth International Conference on Secure Software Integration and Reliability Improvement","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SSIRI.2011.34","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 1
Abstract
Access control is a vital security mechanism in today's operating systems, and the security policies dictating security-relevant behavior are lengthy and complex, for example in Security-Enhanced Linux (SELinux). It is extremely difficult to verify the consistency between the security policies and the security goals desired by applications. In this paper, we present how to predict at runtime whether the information flow security goal is violated, how to generate the corresponding control actions on-line when a divergence is detected, and how to apply these actions in time based on the software active monitoring technique. The symbolic security information flow model of SELinux is generated from a formalization of the access control mechanism and is used to generate the N-step-ahead projection of the future behavior. Information flow security goals are expressed in linear temporal logic (LTL), which provides a clear description of the objectives desired by applications. An anticipatory monitor is generated automatically from the LTL formula. We consider an on-line scheme where, after the occurrence of an event, the next control action is determined on the basis of the N-step-ahead projection of the future behavior. This procedure is repeated after the occurrence of the next security-relevant event. Thus, a closed-loop system is obtained in which all behavior sequences satisfy the security goals.