Murdoch University Research Repository

Empowering end users to confine their own applications: The results of a usability study comparing SELinux, AppArmor and FBAC-LSM

Schreuders, Z.C., McGill, T. and Payne, C. (2011) Empowering end users to confine their own applications: The results of a usability study comparing SELinux, AppArmor and FBAC-LSM. ACM Transactions on Information and System Security, 14 (2). pp. 1-28.


Protecting end users from security threats is an extremely difficult, but increasingly critical, problem. Traditional security models that focused on separating users from each other have proven ineffective in an environment of widespread software vulnerabilities and rampant malware. However, alternative approaches that provide more finely grained security generally require greater expertise than typical end users can reasonably be expected to have, and consequently have had limited success.

The functionality-based application confinement (FBAC) model is designed to allow end users with limited expertise to assign applications hierarchical and parameterised policy abstractions based upon the functionalities each program is intended to perform. To validate the feasibility of this approach and assess the usability of existing mechanisms, a usability study was conducted comparing an implementation of the FBAC model with the widely used Linux-based SELinux and AppArmor security schemes. The results showed that the functionality-based mechanism enabled end users to effectively control the privileges of their applications with far greater success than widely used alternatives. In particular, policies created using FBAC were more likely to be enforced and exhibited significantly lower risk exposure, while not interfering with the ability of the application to perform its intended task. In addition to the success of the functionality-based approach, the usability study also highlighted a number of limitations and problems with existing mechanisms. These results indicate that a functionality-based approach has significant potential in terms of enabling end users with limited expertise to defend themselves against insecure and malicious software.

Item Type: Journal Article
Murdoch Affiliation(s): School of Information Technology
Publisher: Association for Computing Machinery
Copyright: © 2011 ACM