United States Patent: Korkishko et al. (45) Date of Patent: Jul. 4, 2017

US009697382B2

(12) United States Patent
Korkishko et al.
(10) Patent No.: US 9,697,382 B2
(45) Date of Patent: Jul. 4, 2017

(54) METHOD AND SYSTEM FOR PROVIDING SECURITY POLICY FOR LINUX-BASED SECURITY OPERATING SYSTEM

(75) Inventors: Tymur Korkishko, Suwon-si (KR); Kyung-Hee Lee, Yongin-si (KR)

(73) Assignee: Samsung Electronics Co., Ltd (KR)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 422 days.

(21) Appl. No.: 12/776,826

(22) Filed: May 10, 2010

(65) Prior Publication Data: US 2010/0287598 A1, Nov. 11, 2010

(30) Foreign Application Priority Data: May 8, 2009 (KR) 10-2009-0040417

(51) Int. Cl.: G06F 21/00 (2013.01); G06F 21/62 (2013.01); G06F 21/53 (2013.01); G06F 21/54 (2013.01)

(52) U.S. Cl.: CPC G06F 21/6281 (2013.01); G06F 21/53 (2013.01); G06F 21/54 (2013.01)

(58) Field of Classification Search: CPC H04L 63/20; G06F 21/6281; G06F 21/53; G06F 21/54. USPC 726/1. See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
2005/0138416 A1   6/2005  Qian et al.
2008/0141338 A1*  6/2008  Kim et al. ............ 726/1
2008/0184335 A1*  7/2008  Zhang et al. .......... 726/1
2008/0209501 A1*  8/2008  Mayer et al. .......... 726/1
2009/0150886 A1*  6/2009  Subramanian
2009/0158385 A1   6/2009  Kim et al. ............ 726/1

FOREIGN PATENT DOCUMENTS
KR 1020010105116  11/2001
KR 1020050062368  6/2005
KR 1020080051972  6/2008

OTHER PUBLICATIONS
Korean Office Action dated Jul. 16, 2015 issued in counterpart application No. 1020090040417, 12 pages.
Korean Office Action dated Apr. 21, 2016 issued in counterpart application No. 10-2009-0040417, 6 pages.

* cited by examiner

Primary Examiner — Brandon Hoffman
Assistant Examiner — Thong Truong
Attorney, Agent, or Firm — The Farrell Law Firm

(57) ABSTRACT

A system for providing security policy for a Linux-based security operating system, which includes a template policy module configured to set an authority using policy information of a downloaded application so that the template policy module can set an access control rule for accessing a system resource of the application, a base policy module executing the access control rule for the system resource in accordance with the access control rule set by the template policy module, and a template policy module editor generating a custom application for the corresponding application using information output from the template policy module.

10 Claims, 6 Drawing Sheets

[Drawing sheets; only the block labels survived extraction.]

FIG. 1 (Sheet 1 of 6): template policy module containing an application type identifier, a conditional ACR number generation unit, an unconditional ACR number generation unit, an application policy module identifier, a file context number generation unit and a Boolean identifier, above the base policy module 110.

FIG. 2 (Sheet 2 of 6): data flow in the conditional ACR generation unit; the labels are not recoverable from the scan.

FIG. 3 (Sheet 3 of 6): template policy module editor 300 with inputs policy manifest 310, template module 312 and application setting information 314, and outputs application policy module 316 and customized Boolean list 318.

FIG. 4 (Sheet 4 of 6): START; ACQUIRE POLICY MANIFEST (410); GENERATE APPLICATION POLICY MODULE (412); MANAGE APPLICATION POLICY MODULE (414).

FIG. 5 (Sheet 5 of 6): ACQUIRE APPLICATION POLICY MODULE (510); ACQUIRE APPLICATION IDENTIFIER (512); ACQUIRE CUSTOMIZED BOOLEAN LIST (514); INSTALL APPLICATION POLICY MODULE IN KERNEL (516); CLASSIFY COMPONENTS RELATED TO APPLICATION (518); REGISTER APPLICATION POLICY MODULE (520).

FIG. 6 (Sheet 6 of 6): ACQUIRE APPLICATION IDENTIFIER (610); ACQUIRE APPLICATION POLICY MODULE NAME (612); UNLOAD APPLICATION POLICY MODULE (614); RE-CLASSIFY APPLICATION COMPONENTS (616); DELETE AND RE-REGISTER APPLICATION POLICY MODULE (618).
METHOD AND SYSTEM FOR PROVIDING SECURITY POLICY FOR LINUX-BASED SECURITY OPERATING SYSTEM

PRIORITY

This application claims priority under 35 U.S.C. § 119(a) to an application filed in the Korean Intellectual Property Office on May 8, 2009 and assigned Serial No. 10-2009-0040417, the content of which is incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a Linux-based system having strengthened security, and more particularly to a method and a system for providing a security policy for downloaded applications in a security operating system.

2. Description of the Related Art

Presently, as the role of the Internet is extended from merely providing information to, or sharing information with, intranet networks, electronic commerce, and the like, the need to protect against hacking is of increased importance. Hacking is an invasion of privacy, may cause the destruction of property, tarnish a corporation's image, compromise corporate trade secrets, interrupt service, and the like, and the scale of damage caused by hacking has been increasing at a high rate. Particularly, in the case of a corporation, whether the corporation can defend itself against hacking is vital to its survival.

Recently, with the development of the Internet, it has become possible to access personal computers and networks throughout the world. In such environments, the accessing of data from remote locations is convenient, but sensitive data may be exposed to unauthorized users, and malicious attacks may frequently occur. Accordingly, security technologies of application layers, such as encryption, firewalls, intrusion detection systems, and the like, for safe sharing and use of information have been developed to protect information of networks or servers. However, such security technologies of application layers have their own vulnerabilities and drawbacks, such that it is difficult to cope with privacy violations by otherwise authorized users, misuse/abuse of authority, and attack through system hacking.

In order to solve this problem and to implement a Trusted Computing Base (TCB), research for a security operating system has been ongoing, and a representative security operating system is SELinux (Security Enhanced Linux). SELinux is a security operating system developed by the National Security Agency (NSA) through application of a Flux Advanced Security Kernel (Flask) structure to Linux, and provides a structure that executes diverse access control policies, such as Type Enforcement (TE), role based access control, Multi-Level Security (MLS), and the like. SELinux also performs access control of not only files and device files but also various resources in the system, such as processes, signals, memory, and the like. SELinux also minimizes the range of damage through minimum authority allocation, and prevents the execution of malicious code. In structure, SELinux separates a policy decision module and a policy execution module from each other to provide flexibility to the security policy. On the other hand, a general UNIX operating system uses a Discretionary Access Control (DAC) method as an access control method. Also, in the Trusted Computer System Evaluation Criteria (TCSEC), the same concept as the discretionary access control policy is defined as DAC. That is, a method of limiting the access of an object based on the discretion of the subject or a group to which the subjects belong is defined as DAC.

The biggest security problem in the DAC method is that the authority of a super user (i.e., root) is too great. That is, a super user can set all the environment variables of the system, and can delete all processes. Accordingly, once a hacker becomes a super user using a vulnerability, they can perform all the functions of a super user.

According to the DAC method, as many system files are changed or the kernel becomes larger and has many support functions, the kernel becomes modularized, and a part of the kernel performs a task after a module is inserted into the kernel. Accordingly, a serious problem may occur as malicious code is inserted into the kernel.

Although SELinux can perform more enhanced access control, there is a high possibility that the type of a downloaded application (meaning a group having the same security attribute) and its Boolean designation (a special control element in SELinux policy controlling what part of the policy is applied to an application), which are given during installation of the downloaded application, collide with the existing designations, and thus it is difficult for general users to set the security policy for the downloaded application to suit the users' purposes.

SUMMARY OF THE INVENTION

Accordingly, the present invention has been made to solve the above-mentioned problems occurring in the prior art, and the present invention provides a method and a system for providing security policy for a Linux-based security operating system, which enables a user having no specialized knowledge in security to easily set the security policy through an improvement in the complexity of the security policy.

In accordance with an aspect of the present invention, there is provided a system for providing a security policy for a Linux-based security operating system, which includes a template policy module configured to set an authority using policy information of a downloaded application so that the template policy module can set an access control rule for accessing a system resource of the application; a base policy module executing the access control rule for the system resource in accordance with the access control rule set by the template policy module; and a template policy module editor generating a custom application for the corresponding application using information output from the template policy module.

In accordance with another aspect of the present invention, there is provided a method of providing security policy for a Linux-based security operating system, which includes acquiring a policy manifest and installation information of a downloaded application using policy information of the application; generating an application policy module based on the acquired policy manifest and installation information; and managing the generated application policy module.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other aspects, features, and advantages of the present invention will be more apparent from the following detailed description taken in conjunction with the accompanying drawings, in which:

FIG. 1 illustrates the configuration of a sample Linux system used to set security policy according to the present invention;
FIG. 2 illustrates a data flow diagram in a conditional Access Control Rule (ACR) generation unit of a template policy module in a Linux system used to set security policy according to the present invention;

FIG. 3 illustrates the configuration of a template policy module editor in a Linux system used to set security policy according to the present invention;

FIG. 4 is a flowchart, which illustrates a method of providing security policy for a Linux-based security operating system according to an embodiment of the present invention;

FIG. 5 is a detailed flowchart, which illustrates a method of installing an application generated by an application policy module in a Linux system in a method of providing security policy for a Linux-based security operating system according to an embodiment of the present invention; and

FIG. 6 is a detailed flowchart, which illustrates a method of deleting an application generated by an application policy module in a Linux system in a method of providing security policy for a Linux-based security operating system according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE PRESENT INVENTION

Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. In the following description, various specific definitions found in the following description are provided only to aid in the general understanding of the present invention, and it is apparent to those skilled in the art that the present invention can be implemented without such definitions.

For help in completely understanding the present invention, the basic principle of the present invention will now be described. A Linux-based terminal according to the present invention is a device that can transmit/receive data, and it would be apparent that the terminal could be applied to all information communication appliances, such as a mobile communication terminal, a digital broadcasting terminal, a Personal Digital Assistant (PDA), and the like, multimedia appliances, and applications thereof.

Also, in the description of the present invention, the term "module" means a unit that processes a specified function or operation, and can be implemented by hardware, software, or a combination thereof.

FIG. 1 illustrates the configuration of an example of a Linux system used to set security policy according to the present invention.

Referring to FIG. 1, the Linux system includes a template policy module 112 and a base policy module 110.

The template policy module 112 is configured to set permissions using policy information of an application downloaded from a remote location.

More specifically, the template policy module 112 includes a conditional Access Control Rule (ACR) generation unit 114 and an unconditional ACR generation unit 116, which have different inputs in accordance with the existence/nonexistence of a Boolean identifier among policy constituent elements included in the policy information of the downloaded application, and an application file context number generation unit 118 having an application component path defined during generation of the downloaded application, security context and Type Enforcement (TE) technical terms.

The template policy module 112 includes a detection unit 107, which divides the downloaded application policy information into an application type identifier indicating the attribute of the application, a policy module identifier defined in the application, and a Boolean identifier which has a true or false value and can flexibly apply an authority of permitting/interrupting the conditional access control rule for an Access Control Interface (ACI) to accessible resources in the system, and outputs the divided identifiers to the conditional ACR generation unit 114 and the unconditional ACR generation unit 116, respectively.

Here, the detection unit 107 includes an application type identifier unit 102, a policy module identifier unit 104, and a Boolean identifier unit 106, to which the policy information of the downloaded application is input, respectively.

On the other hand, in the application file context number generation unit 118 having the application component path defined during generation of the downloaded application, the security context and the Type Enforcement (TE) technical terms, the security context of the corresponding application component is stored in the form of a file after the corresponding application is installed in the system, and one application file context has the following syntax description form.

/tpm_file_path_xxxxxxx_yyyyyyy -- tpm_user_xxxxxxx:tpm_role_zzzzzzz:tpm_app_exec_vvvvvvv_t

where xxxxxxx, yyyyyyy, zzzzzzz, vvvvvvv are the templates for further customization.

The Boolean identifier has the following syntax description form.

if (tpm_xxxxxxx_network_b) { base_allow_network_for_app(tpm_app_yyyyyyy_t) }

In this case, the Boolean identifier sets the conditional policy of the accessible resources in the Linux system. For example, if the conditional policy is provided, it has syntax in the form of the tpm_app_yyyyyyy_t type identifier, and in this case, it has a true value.

The above-described syntax form permits access to the resources in the system, and the resources include an application Access Control Interface (ACI), a network ACI, a storage ACI, a telephony ACI, and other conditional ACIs.

FIG. 2 illustrates a data flow in a conditional ACR generation unit of a template policy module in a Linux system used to set security policy according to the present invention.

The conditional ACR generation unit 25 includes an access permission list 214 to which application access permission list files from the Boolean identifier 212 are input. This refers to authorized entities 20, e.g. a camera, a phone, a network, and the like.

Also, the conditional ACR generation unit 25 includes an application access permission list input from the access permission list 214, an inherent identifier 218 of the corresponding application, and a component 220, which are provided by a downloaded application provider 22.

Accordingly, the conditional ACR generation unit 25 can acquire the policy manifest 222 of the corresponding application.

The policy manifest 222, which is generated by the downloaded application provider, includes information on the corresponding application component, an inherent application identifier, and an application access permission list. Here, the access permission list is a list in which the access rules given to the respective applications are recorded.

The application component is composed of executable data, configuration files, temporary files, and directories. The application component also includes information about executable file names, and such information is provided in an application installation path, and has the following syntax description form.
For the application executable:

Exe: file($INSTALL_PATH$/app_name)

For application components (non-executable):

Comp: file($INSTALL_PATH$/com_name1)
Comp: file($INSTALL_PATH$/com_name2)
...
Comp: file($INSTALL_PATH$/com_nameN)

where $INSTALL_PATH$ is a template for further customization with the actual installation path of the application component.

Here, the inherent identifier 218 of the application distinguishes it from other applications, and the application identifier is configured as a partial result of an application message authentication code computed using a secret key of the application provider.

Also, the application access permission list 216 is provided by the access permission list 214 of the authorized entities, e.g. a camera, a network, a phone, and the like, and is supported by the template policy module 25.

The authorized entity corresponds to the permission name and the Boolean identifier 212 on the template, and the permission list 214 has the following syntax description form.

Boolean identifier       Permission Name
tpm_xxxxxxx_network_b    Network access
tpm_xxxxxxx_camera_b     Camera access
tpm_xxxxxxx_sms_b        Send SMS
tpm_xxxxxxx_call_b       Place phone calls

Also, the application permission list 216 has the following syntax description form.

Perm_name: Network access Required: Yes
Perm_name: Camera access Required: Yes
Perm_name: Send SMS
Perm_name: Place call

For example, the application provider 22 describes the application permission for accessing the network and the camera device in the following syntax form.

Exe: file($INSTALL_PATH$/app_name)
Comp: file($INSTALL_PATH$/app_name1)
Comp: file($INSTALL_PATH$/app_name2)
...
Comp: file($INSTALL_PATH$/app_nameN)
Perm_name: Network access Required: Yes
Perm_name: Camera access Required: Yes
Perm_name: Send SMS
Perm_name: Place call
AppID: 6dgGHd783

FIG. 3 illustrates the configuration of a template policy module editor in a Linux system used to set security policy according to the present invention.

The template policy module editor 300 generates a custom application of the corresponding application using information output from the template policy module.

For this, the template policy module editor 300 receives a policy manifest 310 and application setting information 314 from a template module 312. That is, the template policy module editor 300 receives the input policy manifest 310 and the application setting information 314 through a binary template policy module (not illustrated). In this case, the application setting information 314 means the current setting path of the corresponding application.

Accordingly, the template policy module editor 300 customizes the template using the binary template policy module, the received application policy manifest and the application installation information, and generates a corresponding application policy module 316 and a customized Boolean list 318 for the respective applications.

Hereinafter, a method of providing security policy for a Linux-based security operating system according to the present invention, using a system for providing security policy for a Linux-based security operating system according to an embodiment of the present invention, will be described in detail with reference to FIGS. 4, 5, and 6.

FIG. 4 is a general flowchart illustrating a method of providing security policy for a Linux-based security operating system according to an embodiment of the present invention.

Referring to FIG. 4, the application policy manifest and install information are acquired using the policy information of the downloaded application in step 410. This is to acquire the access rule capable of accessing the resources in the system from the template policy module of the security policy providing system for a Linux-based security operating system.

In step 412, a customized policy module of the corresponding application is generated using the template policy module editor based on the acquired policy manifest and install information.

In step 414, the generated application policy module is managed.

Hereinafter, the method of providing security policy for a Linux-based security operating system according to an embodiment of the present invention will be described in detail with reference to FIG. 5.

FIG. 5 is a detailed flowchart illustrating a method of installing an application generated by an application policy module in a Linux system in a method of providing security policy for a Linux-based security operating system according to an embodiment of the present invention.

Referring to FIG. 5, the application policy module of the corresponding application is acquired from the template policy module in step 510.

The corresponding identifier is acquired from the policy manifest of the acquired application policy module in step 512, and the customized Boolean list output from the template policy module editor is acquired in step 514.

In this case, the policy manifest is generated by the provider of the initially downloaded application, and generally refers to information on the corresponding application component, an inherent application identifier, and an application access permission list. Also, the application component is composed of executable data, configuration files, temporary files, and directories, and includes information on executable names. Such information is provided from an application installation path.

Then, in step 516, the application policy module generated for the kernel is installed depending on whether the access control rule given to the kernel through the acquired Boolean list is satisfied.

In step 518, labeling of the respective components related to the corresponding installed application is performed.

The corresponding labeled application is registered in the form of setting the authority to the resources in the system in step 520.
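The editor's customization (FIG. 3) and the install-time Boolean check of step 516 (FIG. 5), written out as an added Python example; this is not Samsung's code and is not taken from the patent. It parses a manifest in the Exe:/Comp:/Perm_name:/AppID: syntax given above, checks the AppID as a partial message authentication code over the manifest body, fills the file-context and Boolean templates, and builds the customized Boolean list. The MAC construction (HMAC-SHA256, first nine urlsafe-base64 characters), the mapping of xxxxxxx, yyyyyyy, zzzzzzz and vvvvvvv to module identifier, application name, role and application name, the tpm_app_<name>_file_t type for non-executable components, the rule that required permissions start true and optional ones false, and the sample manifest and key are all assumptions made for the example.

```python
"""Template policy module editor, added example (not the patent's or Samsung's code):
manifest parsing, AppID verification, template customization, customized Boolean list
and the install-time conditional-ACR check. Naming, MAC construction and defaults are
assumptions, marked below."""
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass

# Authorized entities on the template (the page's permission table): suffix -> permission name.
TEMPLATE_BOOLEANS = {"network": "Network access", "camera": "Camera access",
                     "sms": "Send SMS", "call": "Place phone calls"}
PERMISSION_TO_SUFFIX = {name: suffix for suffix, name in TEMPLATE_BOOLEANS.items()}


@dataclass
class Manifest:
    exe: str            # executable path, still containing the $INSTALL_PATH$ template
    components: list    # non-executable component paths
    permissions: dict   # permission name -> required?
    app_id: str


def parse_manifest(text):
    """Parse Exe:/Comp:/Perm_name:/AppID: lines; unknown lines or permissions are rejected."""
    exe, comps, perms, app_id = None, [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        if m := re.fullmatch(r"Exe:\s*file\((.+)\)", line):
            exe = m.group(1)
        elif m := re.fullmatch(r"Comp:\s*file\((.+)\)", line):
            comps.append(m.group(1))
        elif m := re.fullmatch(r"Perm_name:\s*(.+?)(?:\s+Required:\s*(Yes|No))?", line):
            if m.group(1) not in PERMISSION_TO_SUFFIX:
                raise ValueError(f"permission {m.group(1)!r} is not an authorized entity")
            perms[m.group(1)] = m.group(2) == "Yes"
        elif m := re.fullmatch(r"AppID:\s*(\S+)", line):
            app_id = m.group(1)
        else:
            raise ValueError(f"unrecognised manifest line: {raw!r}")
    if exe is None or app_id is None:
        raise ValueError("manifest needs an Exe: line and an AppID: line")
    return Manifest(exe, comps, perms, app_id)


def derive_app_id(manifest_text, provider_key):
    """Inherent identifier as a partial MAC under the provider's secret key.
    Assumption: HMAC-SHA256 over every line except AppID:, first 9 urlsafe-base64 chars."""
    body = "\n".join(l for l in manifest_text.splitlines() if not l.startswith("AppID:"))
    mac = hmac.new(provider_key, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()[:9]


def customize(manifest, install_path, module_id, app_name, role="user"):
    """Fill the templates. Assumed mapping: xxxxxxx=module_id, yyyyyyy and vvvvvvv=app_name,
    zzzzzzz=role, $INSTALL_PATH$=install_path."""
    app_type = f"tpm_app_{app_name}_t"
    labels = [(manifest.exe, f"tpm_app_exec_{app_name}_t")]
    labels += [(c, f"tpm_app_{app_name}_file_t") for c in manifest.components]  # assumed data type
    file_contexts = [f"{path.replace('$INSTALL_PATH$', install_path)} -- "
                     f"tpm_user_{module_id}:tpm_role_{role}:{label}" for path, label in labels]
    rules, booleans = [], {}
    for perm, required in manifest.permissions.items():
        suffix = PERMISSION_TO_SUFFIX[perm]
        bool_id = f"tpm_{module_id}_{suffix}_b"
        rules.append({"boolean": bool_id, "aci": suffix,
                      "text": f"if ({bool_id}) {{ base_allow_{suffix}_for_app({app_type}) }}"})
        booleans[bool_id] = required  # assumed default: required permissions on, optional off
    return {"type": app_type, "file_contexts": file_contexts, "rules": rules, "booleans": booleans}


def build_policy(manifest_text, provider_key, install_path, module_id, app_name):
    """Editor entry point: verify the AppID before any policy is generated from the manifest."""
    manifest = parse_manifest(manifest_text)
    expected = derive_app_id(manifest_text, provider_key)
    if not hmac.compare_digest(manifest.app_id.encode(), expected.encode()):
        raise ValueError("AppID does not match the manifest body; manifest rejected")
    return customize(manifest, install_path, module_id, app_name)


def conditional_allows(policy, aci):
    """Step 516 check: is the conditional ACR for this ACI enabled by the customized Boolean
    list? No rule, or a false Boolean, means the base policy keeps denying the resource."""
    return any(r["aci"] == aci and policy["booleans"][r["boolean"]] for r in policy["rules"])


# Constructed sample manifest in the page's syntax (not the page's own example).
SAMPLE_KEY = b"constructed-provider-secret"
SAMPLE_BODY = """Exe: file($INSTALL_PATH$/camapp)
Comp: file($INSTALL_PATH$/camapp.conf)
Comp: file($INSTALL_PATH$/cache)
Perm_name: Network access Required: Yes
Perm_name: Camera access Required: Yes
Perm_name: Send SMS
"""
SAMPLE_MANIFEST = SAMPLE_BODY + "AppID: " + derive_app_id(SAMPLE_BODY, SAMPLE_KEY)

if __name__ == "__main__":
    policy = build_policy(SAMPLE_MANIFEST, SAMPLE_KEY, "/opt/camapp", "vendor", "camapp")
    print("\n".join(policy["file_contexts"] + [r["text"] for r in policy["rules"]]))
    print(policy["booleans"])
    for aci in ("network", "sms", "call"):
        print(aci, "allowed" if conditional_allows(policy, aci) else "denied")
```

Running the file prints the generated file contexts, the conditional rules and the customized Boolean list for the sample application. Two behaviours matter for the security of the scheme: a manifest whose AppID no longer matches its body (edited after the provider computed the identifier) is rejected before any policy is produced, and an ACI for which no Boolean is enabled is reported as denied, which is the fallback the base policy should enforce.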
FIG. 6 is a detailed flowchart illustrating a method of deleting an application generated by an application policy module in a Linux system in a method of providing security policy for a Linux-based security operating system according to an embodiment of the present invention.

Referring to FIG. 6, in step 610, the identifier of the corresponding application is acquired from the policy manifest of the application policy module acquired in step 412 of FIG. 4.

Then, the name of the corresponding application is acquired in step 612, and the policy module of the corresponding application that is registered in the template policy module in the Linux system is unloaded using the acquired application identifier and the name thereof in step 614.

The labeling of the components of the unloaded application policy module is re-performed in step 616. In this case, the component is composed of configuration files, temporary files, and directories, and also includes information on the executable file name.

Then, in step 618, the deletion of the application policy module registered in the template policy module in the Linux system in step 616 is performed.

As described above, according to the method and system for providing security policy for a Linux-based security operating system according to the present invention, the access control function of downloaded applications in the system is strengthened, and an operating system suitable for the purpose of the Linux-based system can be configured.

While the invention has been shown and described with reference to certain embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

What is claimed is:

1. A system for providing security policy for a Linux-based security operating system, comprising:
a template policy module configured to set authority using policy information of a downloaded application and set an access control rule for accessing a system resource of the downloaded application based on the authority;
a base policy module configured to execute the access control rule for the system resource in accordance with the access control rule set by the template policy module; and
a template policy module editor configured to acquire policy manifest and installation information using the policy information, and generate a custom application corresponding to the downloaded application using the policy manifest and the installation information,
wherein the template policy module editor generates the custom application directly after acquiring the policy manifest and the installation information,
wherein the policy manifest is generated from a provider of the downloaded application, and
wherein the custom application is different from the downloaded application.

2. The system as claimed in claim 1, wherein the template policy module comprises:
a conditional and unconditional Access Control Rule (ACR) number generation unit having different inputs in accordance with existence or nonexistence of a Boolean identifier among policy constituent elements included in the policy information of the downloaded application; and
an application file context number generation unit having an application component path defined during generation of the downloaded application, security context and Type Enforcement (TE) technical terms.

3. The system as claimed in claim 1, wherein the downloaded application policy information includes:
an application type identifier indicating an attribute of the application;
a policy module identifier defined in the application; and
a Boolean identifier which has a true or false value and can flexibly apply an authority of permitting or interrupting a conditional ACR for an Access Control Interface (ACI) to accessible resources in the system.

4. The system as claimed in claim 2, wherein the conditional ACR number generation unit acquires a list of application permission list files from the Boolean identifier, and reads out the policy manifest using the acquired list, inherent identifiers of the respective applications, and the policy information.

5. The system as claimed in claim 1, wherein the template policy module editor comprises a binary template policy module that receives the policy manifest of the corresponding application and a current installation path.

6. A method of providing security policy for a Linux-based security operating system, comprising the steps of:
acquiring policy manifest and installation information of a downloaded application using policy information of the application;
generating an application policy module corresponding to the downloaded application based on the policy manifest and the installation information; and
managing the generated application policy module,
wherein generating the application policy module includes generating the application policy module directly after acquiring the policy manifest and the installation information,
wherein the policy manifest is generated from a provider of the downloaded application, and
wherein the application policy module is different from the downloaded application.

7. The method as claimed in claim 6, wherein acquiring the policy manifest comprises:
receiving policy information of an application program so that a system resource access control rule for the downloaded application can be set;
acquiring application permission list files from a Boolean identifier among policy constituent elements included in the policy information; and
acquiring an inherent identifier of the application.

8. The method as claimed in claim 6, wherein the downloaded application policy information includes:
an application type identifier indicating an attribute of the application;
a policy module identifier defined in the application; and
a Boolean identifier which has a true or false value and can flexibly apply an authority of permitting or interrupting a conditional ACR for an Access Control Interface (ACI) to accessible resources in the system.

9. The method as claimed in claim 6, wherein managing the application policy module comprises:
acquiring the corresponding identifier from the policy manifest of the generated application policy module;
acquiring a customized Boolean list;
installing the application policy module generated in a kernel according to whether an access control rule given to the kernel through the acquired Boolean list is satisfied;
labeling components related to the installed application module; and
registering the corresponding labeled application.
10. The method as claimed in claim 6, wherein managing the application policy module comprises:
acquiring a corresponding identifier and a name thereof from the policy manifest of the generated application policy module;
unloading the application policy module corresponding to the acquired identifier and name from a database;
labeling components related to the unloaded application policy module; and
deleting the generated application policy module.
