Abstract (English) |
Nowadays, the concept of Access Control exists everywhere in our daily life and protects our assets from unauthorized use, for example using a badge to pass the company entrance gate or a card key when returning home. In the area of Information Security, Access Control, a part of Risk Management, is used to protect the confidentiality, integrity and availability of information, usually called the CIA triad, from unauthorized disclosure, disruption and access. Access to protected information must be restricted to people who are authorized to access the information. The computer programs, and in many cases the computers that process the information, must also be authorized. This requires that mechanisms are in place to control access to protected information according to Access Control procedures or policies specified by the administrator. Essentially, procedures or policies are the core of Access Control: they are implemented so that the mechanism knows which subject is authorized to access which object within the organization. The hardest part of Access Control is to create a suitable policy that is neither too strict nor too loose. SELinux is prevalently applied to cloud servers and embedded systems, but few people really know how to configure SELinux or correctly enable it on their systems. As regulations and laws progress, vendors are asked to protect their devices with Access Control. However, there are few papers describing in technical detail how to apply SELinux on a system. Hence, this paper aims to help people enable and configure SELinux on their systems step by step. |