[plug] New Linux security system FBAC-LSM released & call for collaborators
Z. Cliffe Schreuders
c.schreuders at murdoch.edu.au
Fri Dec 11 18:40:02 WST 2009
In preparation for my LCA talk “A New Paradigm for Restricting
Applications and Protecting Yourself from Your Processes”, today I have
released the code for FBAC-LSM. It is a new Linux security mechanism
which restricts programs based on the features each application
provides. This limits the damage which can be done by malicious code due
to malware or software vulnerabilities. I developed FBAC-LSM for my PhD
research. Reusable policy abstractions, known as functionalities, can be
used to grant the authority to perform high level features (for example
using the Web_Browser functionality) or lower level features (such as
using the HTTP_Client functionality) or to grant privileges to access
any specified resources. Functionalities are parameterised, which allows
them to be adapted to the needs of specific applications.
Functionalities are also hierarchical; that is, functionalities can
contain other functionalities.
Over one hundred applications were analysed, and functionalities and
policies were developed. A number of techniques for automating aspects
of policy specification were also developed. A usability study comparing
FBAC-LSM with SELinux and AppArmor found that the new approach provided
significant benefits including higher levels of user satisfaction and of
successful policy creation.
This initial development version of FBAC-LSM is functional, but is
unstable and slow. It is developed against an older version of the LSM
interface (using the AppArmor path-based hooks), and will be updated to
work with the new interface in the future. There is quite a bit of work
to be done before it is ready for production systems.
I am looking for anyone interested in collaborating on the project. No
matter your experience you can help! Please contact me.
Programmed in C and C++, using the Qt and LSM frameworks. Policy
abstractions in FBAC-LSM-PL policy language. Licensed GPL.
Please check out the FBAC-LSM homepage which has lots more information
and some videos:
http://schreuders.org/FBAC-LSM
You can pull the git repo from sourceforge (which includes the Linux
Security Module (LSM), graphical policy manager, and policies) to your
computer with the command:
git clone git://fbac-lsm.git.sourceforge.net/gitroot/fbac-lsm/fbac-lsm
If you are attending the 2010 linux.conf.au conference, I hope to see
you at my talk in room Renouf 2 at 16:45 on Wednesday 20/01/10:
http://www.lca2010.org.nz/programme/schedule/view_talk/50029?day=wednesday
Thanks,
Z. Cliffe Schreuders
http://schreuders.org
PhD Candidate
Murdoch University
More information about the plug
mailing list