Article Preview
TopIntroduction
End users face serious security risks related to processes maliciously misusing users’ authority. One of the largest threats to end users is flaws in applications such as PDF readers, media players, web browsers and email clients (Dhamankar, Dausin, Eisenbarth, & King, 2009). These vulnerabilities can inadvertently allow remote attackers to subvert the behaviour of programs in order to carry out malicious actions. Trojan horses, where malware poses as legitimate software and carries out malicious activities, are also a significant threat.
Linux, like most operating systems, typically allows applications to act with all the authority of a user. The Linux discretionary access control (DAC) mechanism authorises processes to run with the full authority of the associated user, regardless of the trustworthiness of programs. In the current threat climate this approach is inadequate as a sole access control measure; basing security decisions on the identity of the user does not protect against processes which act maliciously due to software vulnerabilities or malware.
The Linux Security Module (LSM) framework provides a means for security extensions to be incorporated into the Linux kernel (Wright, Cowan, Smalley, Morris, & Kroah-Hartman, 2002). Many of the LSMs that have been developed can address threats posed by malicious code, by restricting specific processes to authorised actions. Examples of LSMs that can place restrictions on the activities of processes include SELinux (Smalley, Vance, & Salamon, 2001), AppArmor (previously known as SubDomain) (Cowan et al., 2000), TOMOYO (Harada, Horie, & Tanaka, 2004), and SMACK (Schaufler, 2008). However, as is typical for this class of security mechanism (DeWitt & Kuljis, 2006), these systems face usability challenges that can limit the practical benefit to end users.
A new model, known as the functionality-based application confinement (FBAC) model, has been designed to meet end user usability goals (Schreuders & Payne, 2008a). The model incorporates policy abstractions, known as functionalities, that can model the privileges authorised to processes based on the high level features applications provide (Schreuders & Payne, 2008b). A Linux implementation of the FBAC model has been developed, known as FBAC-LSM (FBAC-LSM is free open source software available at: http://schreuders.org/FBAC-LSM). The implementation also leverages automation techniques, which the FBAC model is naturally suited to.
A study has been conducted to compare the usability of three different approaches to application restrictions: FBAC-LSM, and two of the most widely deployed Linux security extensions, SELinux and AppArmor (Schreuders, McGill, & Payne, 2011). The results showed that the functionality-based mechanism enabled end users to effectively control the privileges of their applications with far greater success than the widely used alternatives. In particular, policies created using FBAC-LSM were more likely to be enforced and exhibited significantly lower risk exposure, while not interfering with the ability of the application to perform its intended task (Schreuders et al., 2011). In order to further explore and understand the reasons for the usability differences between the three security systems, this paper presents the results of qualitative analysis of the participant feedback for each of the security systems. The qualitative analysis identified a number of emergent themes in participants’ comments. These themes indicate a number of factors that affect the usability of application-restriction mechanisms, and are likely to be responsible for the usability differences between the security systems studied. These results are then discussed and used to compare the usability of the three systems studied. The paper also proposes changes to all three systems to address or mitigate specific usability issues that were identified throughout the study.