Consistency analysis of authorization hook placement in the Linux security modules framework

Trent Ray Jaeger, Antony Edwards, Xiaolan Zhang

Research output: Contribution to journal › Article

26 Citations (Scopus)

Abstract

We present a consistency analysis approach to assist the Linux community in verifying the correctness of authorization hook placement in the Linux Security Modules (LSM) framework. The LSM framework consists of a set of authorization hooks inserted into the Linux kernel to enable additional authorizations to be performed (e.g., for mandatory access control). When compared to system call interposition, authorization within the kernel has both security and performance advantages, but it is more difficult to verify that placement of the LSM hooks ensures that all the kernel's security-sensitive operations are authorized. Static analysis has been used previously to verify mediation (i.e., that some hook mediates access to a security-sensitive operation), but that work did not determine whether the necessary set of authorizations were checked. In this paper, we develop an approach to test the consistency of the relationships between security-sensitive operations and LSM hooks. The idea is that whenever a security-sensitive operation is performed as part of a specifiable event, a particular set of LSM hooks must have mediated that operation. This work demonstrates that the number of events that impact consistency is manageable and that the notion of consistency is useful for verifying correctness. We describe our consistency approach for performing verification, the implementation of run-time tools that implement this approach, the anomalous situations found in an LSM-patched Linux 2.4.16 kernel, and an implementation of a static analysis version of this approach.

Original language: English (US)
Pages (from-to): 175-205
Number of pages: 31
Journal: ACM Transactions on Information and System Security
Volume: 7
Issue number: 2
DOI: 10.1145/996943.996944
State: Published - May 1 2004

Fingerprint

Hooks
Static analysis
Linux
Access control

All Science Journal Classification (ASJC) codes

  • Computer Science(all)
  • Safety, Risk, Reliability and Quality

Cite this

@article{d75aa007278c4127afc20c1a4d5fe492,
title = "Consistency analysis of authorization hook placement in the Linux security modules framework",
abstract = "We present a consistency analysis approach to assist the Linux community in verifying the correctness of authorization hook placement in the Linux Security Modules (LSM) framework. The LSM framework consists of a set of authorization hooks inserted into the Linux kernel to enable additional authorizations to be performed (e.g., for mandatory access control). When compared to system call interposition, authorization within the kernel has both security and performance advantages, but it is more difficult to verify that placement of the LSM hooks ensures that all the kernel's security-sensitive operations are authorized. Static analysis has been used previously to verify mediation (i.e., that some hook mediates access to a security-sensitive operation), but that work did not determine whether the necessary set of authorizations were checked. In this paper, we develop an approach to test the consistency of the relationships between security-sensitive operations and LSM hooks. The idea is that whenever a security-sensitive operation is performed as part of a specifiable event, a particular set of LSM hooks must have mediated that operation. This work demonstrates that the number of events that impact consistency is manageable and that the notion of consistency is useful for verifying correctness. We describe our consistency approach for performing verification, the implementation of run-time tools that implement this approach, the anomalous situations found in an LSM-patched Linux 2.4.16 kernel, and an implementation of a static analysis version of this approach.",
author = "Jaeger, {Trent Ray} and Antony Edwards and Xiaolan Zhang",
year = "2004",
month = "5",
day = "1",
doi = "10.1145/996943.996944",
language = "English (US)",
volume = "7",
pages = "175--205",
journal = "ACM Transactions on Information and System Security",
issn = "1094-9224",
publisher = "Association for Computing Machinery (ACM)",
number = "2",

}

Consistency analysis of authorization hook placement in the Linux security modules framework. / Jaeger, Trent Ray; Edwards, Antony; Zhang, Xiaolan.

In: ACM Transactions on Information and System Security, Vol. 7, No. 2, 01.05.2004, p. 175-205.


TY - JOUR

T1 - Consistency analysis of authorization hook placement in the Linux security modules framework

AU - Jaeger, Trent Ray

AU - Edwards, Antony

AU - Zhang, Xiaolan

PY - 2004/5/1

Y1 - 2004/5/1

N2 - We present a consistency analysis approach to assist the Linux community in verifying the correctness of authorization hook placement in the Linux Security Modules (LSM) framework. The LSM framework consists of a set of authorization hooks inserted into the Linux kernel to enable additional authorizations to be performed (e.g., for mandatory access control). When compared to system call interposition, authorization within the kernel has both security and performance advantages, but it is more difficult to verify that placement of the LSM hooks ensures that all the kernel's security-sensitive operations are authorized. Static analysis has been used previously to verify mediation (i.e., that some hook mediates access to a security-sensitive operation), but that work did not determine whether the necessary set of authorizations were checked. In this paper, we develop an approach to test the consistency of the relationships between security-sensitive operations and LSM hooks. The idea is that whenever a security-sensitive operation is performed as part of a specifiable event, a particular set of LSM hooks must have mediated that operation. This work demonstrates that the number of events that impact consistency is manageable and that the notion of consistency is useful for verifying correctness. We describe our consistency approach for performing verification, the implementation of run-time tools that implement this approach, the anomalous situations found in an LSM-patched Linux 2.4.16 kernel, and an implementation of a static analysis version of this approach.


UR - http://www.scopus.com/inward/record.url?scp=3142518085&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=3142518085&partnerID=8YFLogxK

U2 - 10.1145/996943.996944

DO - 10.1145/996943.996944

M3 - Article

AN - SCOPUS:3142518085

VL - 7

SP - 175

EP - 205

JO - ACM Transactions on Information and System Security

JF - ACM Transactions on Information and System Security

SN - 1094-9224

IS - 2

ER -