
Empowering End Users to Confine Their Own Applications: The Results of a Usability Study Comparing SELinux, AppArmor, and FBAC-LSM

Published: 01 September 2011

Abstract

Protecting end users from security threats is an extremely difficult, but increasingly critical, problem. Traditional security models that focused on separating users from each other have proven ineffective in an environment of widespread software vulnerabilities and rampant malware. However, alternative approaches that provide more finely grained security generally require greater expertise than typical end users can reasonably be expected to have, and consequently have had limited success.

The functionality-based application confinement (FBAC) model is designed to allow end users with limited expertise to assign applications hierarchical and parameterised policy abstractions based upon the functionalities each program is intended to perform. To validate the feasibility of this approach and assess the usability of existing mechanisms, a usability study was conducted comparing an implementation of the FBAC model with the widely used Linux-based SELinux and AppArmor security schemes. The results showed that the functionality-based mechanism enabled end users to effectively control the privileges of their applications with far greater success than widely used alternatives. In particular, policies created using FBAC were more likely to be enforced and exhibited significantly lower risk exposure, while not interfering with the ability of the application to perform its intended task. In addition to the success of the functionality-based approach, the usability study also highlighted a number of limitations and problems with existing mechanisms. These results indicate that a functionality-based approach has significant potential in terms of enabling end users with limited expertise to defend themselves against insecure and malicious software.
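To make the central idea concrete, the following is an added toy model of what "hierarchical and parameterised policy abstractions based upon functionalities" means in practice: a user picks a high-level functionality such as "web browser" and supplies only its parameters (the download directory, the profile directory), and the abstraction expands recursively into the concrete file and network privileges that an enforcement mechanism would check. This is illustrative code written for this page, not FBAC-LSM's own implementation or policy language; every functionality name, parameter, path and the crude exposure score below are constructed assumptions.

```python
"""Toy model of functionality-based application confinement.

Added illustration of the idea in the abstract (hierarchical, parameterised
policy abstractions expanded into concrete privileges). Not FBAC-LSM's code
or policy syntax: every functionality, parameter and path is constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Privilege:
    kind: str         # "file" or "net"
    target: str       # path glob, or host:port pattern; may contain {param}
    modes: frozenset  # e.g. {"r", "w"} for files, {"connect"} for net


@dataclass
class Functionality:
    name: str
    params: tuple = ()       # parameter names the end user must supply
    privileges: tuple = ()   # Privilege templates owned by this functionality
    children: tuple = ()     # (child_name, {child_param: template}) pairs


# Constructed hierarchy: high-level functionalities are composed from
# lower-level ones, and parameters flow down from the top level to the leaves.
# A binding may also be a literal (see the certificate directory below).
FUNCTIONALITIES = {
    "read_dir": Functionality("read_dir", ("dir",),
        privileges=(Privilege("file", "{dir}/*", frozenset({"r"})),)),
    "write_dir": Functionality("write_dir", ("dir",),
        privileges=(Privilege("file", "{dir}/*", frozenset({"r", "w"})),)),
    "http_client": Functionality("http_client",
        privileges=(Privilege("net", "*:80", frozenset({"connect"})),
                    Privilege("net", "*:443", frozenset({"connect"})))),
    "web_browser": Functionality("web_browser", ("download_dir", "profile_dir"),
        children=(("http_client", {}),
                  ("read_dir", {"dir": "/etc/ssl/certs"}),
                  ("write_dir", {"dir": "{download_dir}"}),
                  ("write_dir", {"dir": "{profile_dir}"}))),
}


def expand(name, args, registry=FUNCTIONALITIES):
    """Expand a parameterised functionality into a set of concrete privileges.

    The user supplies only the top-level functionality's parameters; the
    recursion derives every child's parameters from them. A missing parameter
    is an error rather than a silently wider (or empty) policy.
    """
    f = registry[name]
    missing = set(f.params) - set(args)
    if missing:
        raise ValueError(f"{name}: missing parameters {sorted(missing)}")
    privs = set()
    for p in f.privileges:
        privs.add(Privilege(p.kind, p.target.format(**args), p.modes))
    for child_name, binding in f.children:
        child_args = {k: v.format(**args) for k, v in binding.items()}
        privs |= expand(child_name, child_args, registry)
    return frozenset(privs)


def allowed(privs, kind, target, mode):
    """Default-deny check of a single access against an expanded policy.

    Caveat: fnmatch's '*' also matches '/', so '{dir}/*' covers subdirectories
    (a recursive glob). Tighten the pattern if that is not intended.
    """
    return any(p.kind == kind and mode in p.modes and fnmatchcase(target, p.target)
               for p in privs)


def exposure(privs):
    """Crude risk-exposure score: one point per writable file rule and one per
    network rule. Only meaningful for comparing policies for the same program."""
    return sum(1 for p in privs if p.kind == "net" or "w" in p.modes)


if __name__ == "__main__":
    policy = expand("web_browser", {"download_dir": "/home/alice/Downloads",
                                    "profile_dir": "/home/alice/.mozilla"})
    for p in sorted(policy, key=lambda p: (p.kind, p.target)):
        print(p.kind, p.target, "".join(sorted(p.modes)))
    print("exposure:", exposure(policy))
```

The point of the shape is that the end user never writes a path rule or a port number: they choose a functionality and fill in two directories, and the same abstraction can be reused for any browser. The exposure score shows why a parameterised abstraction tends to grant less than an ad hoc policy: expanding `write_dir` over all of `/home/alice` would score lower on this metric yet permit far more, so the metric is a sanity check, not a substitute for reading the expanded privileges.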



Reviews

Neil D Burgess

Application security is at the core of current computing usage. This paper describes a Linux-based software product that may help organizations confine applications without consuming excessive support resources. It is for people with responsibilities in information technology (IT) security in a Unix environment. At 28 pages, the paper is long enough to adequately cover the material. As is expected from a respected ACM publication, the paper is clearly written. Because the study methods are fully described and the software products involved are freely available, the study could readily be reproduced. The paper describes the background, method, and results of a usability study that compared the functionality-based application confinement Linux security module (FBAC-LSM), a free, open-source software product written by the authors, with alternative methods (SELinux and AppArmor) that are available with various Unix distributions. Users were given detailed instructions on the security objectives to be achieved, as well as the opportunity to use one of the three products to achieve the required objectives. Unsurprisingly, the users achieved much better outcomes, and gave better subjective assessments, using FBAC-LSM. In summary, this paper is recommended reading for information security professionals in private or public organizations where Linux is the platform of choice.

Online Computing Reviews Service
