Performance Improvements through Policy Reorganization in SELinux

  • Received : 2017.01.13
  • Accepted : 2017.04.06
  • Published : 2017.04.28

Abstract

SELinux is known as a secure operating system that has become easily accessible to users through the popularization of Linux, and it is used as a reference for secure operating systems deployed on systems such as embedded systems and servers. However, if SELinux is applied without considering the performance overhead of activating the SELinux kernel module, the performance of the entire system may degrade. In this paper, we describe the factors inside the SELinux kernel that directly affect performance and show that performance can be improved simply by reorganizing the policy, without changing the SELinux kernel. This can serve as a reference for security administrators and developers who apply SELinux.

Keywords

Secure OS; SELinux; Policy; Overhead; Type Enforcement

Acknowledgement

Supported by: Hanwha Systems Co., Ltd.
