|
 ABSTRACT
We present runtime tools to assist the Linux community in verifying the correctness of the Linux Security Modules (LSM) framework. The LSM framework consists of a set of authorization hooks inserted into the Linux kernel to enable additional authorizations to be performed (e.g., for mandatory access control). When compared to system call interposition, authorization within the kernel has both security and performance advantages, but it is more difficult to verify that placement of the LSM hooks ensures that all the kernel's security-sensitive operations are authorized. We have examined both static and runtime analysis techniques for this verification, and have found them to be complementary. Static analysis is more complex to implement and tends to generate more false positives, but coverage of all type-safe execution paths is possible. Runtime analysis lacks the code and input coverage of static analysis, but tends to be simpler to gather useful information. The major simplifying factor in our runtime verification approach is that we can leverage the fact that most of the LSM hooks are properly placed to identify misplaced hooks. Our runtime verification tools collect the current LSM authorizations and find inconsistencies in these authorizations. We describe our approach for performing runtime verification, the design of the tools that implement this approach, and the anomalous situations found in an LSM-patched Linux 2.4.16 kernel.
REFERENCES
Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.
| |
1
|
|
| |
2
|
M. Bishop and M. Dilger. Checking for race conditions in file accesses. Computing Systems, 9(2):131--152, 1996.
|
 |
3
|
|
| |
4
|
A. Edwards, T. Jaeger, and X. Zhang. Runtime verification of authorization hook placement for the Linux Security Modules framework. Technical Report RC22254, IBM Research, December 2001.
|
| |
5
|
D. Engler, B. Chelf, A. Chou, and S. Hallem. Checking system rules using system-specific, programmer-written compiler extensions. In Proceedings of the Fourth Symposium on Operation System Design and Implementation (OSDI), October 2000.
|
| |
6
|
Jeffrey S. Foster , Manuel Fähndrich , Alexander Aiken, A theory of type qualifiers, Proceedings of the ACM SIGPLAN 1999 conference on Programming language design and implementation, p.192-203, May 01-04, 1999, Atlanta, Georgia, United States
|
| |
7
|
P. Gutmann. The design and verification of a cryptographic security architecture, August 2000. Submitted thesis. Available at www.cs.auckland.ac.nz/pgut001/pubs/thesis.html.
|
| |
8
|
ITSEC. Common Criteria for Information Security Technology Evaluation. ITSEC, 1998. Available at www.commoncriteria.org.
|
| |
9
|
T. Jaeger, X. Zhang, and A. Edwards. Maintaining the correct of the Linux Security Modules framework. In Proceedings of the 2002 Ottawa Linux Symposium, pages 223--241, June 2002.
|
| |
10
|
E. Koutsofios and S. North. Drawing graphs with Dot. Available at http://www.research.att.com/sw/tools/graphviz/.
|
| |
11
|
Larry Koved , Marco Pistoia , Aaron Kershenbaum, Access rights analysis for Java, Proceedings of the 17th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications, November 04-08, 2002, Seattle, Washington, USA
|
| |
12
|
D. Larochelle and D. Evans. Statically detecting likely buffer overflow vulnerabilities. In Proceedings of the Tenth USENIX Security Symposium, pages 177--190, August 2001.
|
| |
13
|
NCSC. Trusted Computer Security Evaluation Criteria. National Computer Security Center, 1985. DoD 5200.28-STD, also known as the Orange Book.
|
| |
14
|
|
| |
15
|
U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting format string vulnerabilities with type qualifiers. In Proceedings of the Tenth USENIX Security Symposium, pages 201--216, August 2001.
|
| |
16
|
|
| |
17
|
D. Wagner, J. S. Foster, E. A. Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Proceedings of Network and Distributed System Security Symposium (NDSS 2000), February 2000.
|
| |
18
|
|
CITED BY 2
|
|
Junfeng Yang , Ted Kremenek , Yichen Xie , Dawson Engler, MECA: an extensible, expressive system and language for statically checking security properties, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA
|
|
|
|
Peer to Peer - Readers of this Article have also read:
-
Improving the granularity of access control in Windows NT
Proceedings of the sixth ACM symposium on Access control models and technologies
Michael M. Swift
, Peter Brundrett
, Cliff Van Dyke
, Praerit Garg
, Anne Hopkins
, Shannon Chan
, Mario Goertzel
, Gregory Jensenworth
-
Web application security assessment by fault injection and behavior monitoring
Proceedings of the 12th international conference on World Wide Web
Yao-Wen Huang
, Shih-Kun Huang
, Tsung-Po Lin
, Chung-Hung Tsai
-
Efficient, DoS-resistant, secure key exchange for internet protocols
Proceedings of the 9th ACM conference on Computer and communications security
William Aiello
, Steven M. Bellovin
, Matt Blaze
, John Ioannidis
, Omer Reingold
, Ran Canetti
, Angelos D. Keromytis
-
Data structures for quadtree approximation and compression
Communications of the ACM
28, 9
Hanan Samet
-
A hierarchical single-key-lock access control using the Chinese remainder theorem
Proceedings of the 1992 ACM/SIGAPP Symposium on Applied computing
Kim S. Lee
, Huizhu Lu
, D. D. Fisher
|
Adobe Acrobat
QuickTime
Windows Media Player
Real Player
D.2