Brennon Brimhall, Justin Garrard, Christopher De La Garza, Joel Coffman
A Comparative Analysis of Linux Mandatory Access Control Policy Enforcement Mechanisms
Proceedings of the 16th European Workshop on System Security, published 2023-05-08
DOI: 10.1145/3578357.3589454 (https://doi.org/10.1145/3578357.3589454)
Citations: 0
Abstract
Unix—and by extension, Linux—traditionally uses a discretionary access control (DAC) paradigm. DAC mechanisms are decentralized by design, which makes it difficult to audit the security of a computer system. Furthermore, Unix systems have the concept of a root user who can bypass any DAC policies in place. These issues led to the development of mandatory access control (MAC) mechanisms, such as AppArmor, Security-Enhanced Linux (SELinux), and eBPF. We compare and contrast the performance differences between two popular MAC mechanisms for the Linux kernel: SELinux and Berkeley Packet Filter (BPF)/kernel runtime security implementation (KRSI). We demonstrate that BPF policies offer superior performance, have greater expressive power, and are easier to implement than comparable SELinux policies. Our results suggest that BPF/KRSI is the leading MAC mechanism for Linux systems.