Policy Reorganization Method for Performance Improvements in SELinux using Loadable Module Policy

Korean title (translated): A Policy Reorganization Method for Improving the Performance of SELinux Using Loadable Module Policy

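  • 고재용 (Department of Computer Engineering, Chungnam National University) ;
  • 이상길 (Department of Computer Engineering, Chungnam National University) ;
  • 조경연 (Department of Computer Engineering, Chungnam National University) ;
  • 이철훈 (Department of Computer Engineering, Chungnam National University)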
  • Received : 2018.02.07
  • Accepted : 2018.02.26
  • Published : 2018.03.28

Abstract

SELinux provides system-level security on a wide range of Linux-based systems and is now also used to secure devices such as those in the IoT. However, SELinux inherently degrades execution time, and various studies have been conducted to address this problem. In this paper, we show that performance can be improved through policy reconfiguration in an environment that applies the loadable module policy method, which is the common way of using SELinux. Reconfiguring the access query table through the Priority-TE policy, which assigns priorities to types, gives faster execution time to the types that require faster access query performance. This paper describes how the SELinux policy configuration method differs from that of the monolithic environment and presents a performance analysis. Security administrators and developers can use it as a reference when applying SELinux.

Keywords

Secure OS; SELinux; Type Enforcement; Overhead

Acknowledgement

Supported by: Chungnam National University
