Runtime verification of authorization hook placement for the Linux Security Modules framework

Antony Edwards, Trent Jaeger, Xiaolan Zhang

Research output: Contribution to conferencePaper

28 Citations (Scopus)

Abstract

We present runtime tools to assist the Linux community in verifying the correctness of the Linux Security Modules (LSM) framework. The LSM framework consists of a set of authorization hooks inserted into the Linux kernel to enable additional authorizations to be performed (e.g., for mandatory access control). When compared to system call interposition, authorization within the kernel has both security and performance advantages, but it is more difficult to verify that placement of the LSM hooks ensures that all the kernel's security-sensitive operations are authorized. We have examined both static and runtime analysis techniques for this verification, and have found them to be complementary. Static analysis is more complex to implement and tends to generate more false positives, but coverage of all type-safe execution paths is possible. Runtime analysis lacks the code and input coverage of static analysis, but tends to be simpler to gather useful information. The major simplifying factor in our runtime verification approach is that we can leverage the fact that most of the LSM hooks are properly placed to identify misplaced hooks. Our runtime verification tools collect the current LSM authorizations and find inconsistencies in these authorizations. We describe our approach for performing runtime verification, the design of the tools that implement this approach, and the anomalous situations found in an LSM-patched Linux 2.4.16 kernel.

Original languageEnglish (US)
Pages225-234
Number of pages10
StatePublished - Dec 1 2002
EventProceedings of the 9th ACM Conference on Computer and Communications Security - Washington, DC, United States
Duration: Nov 18 2002Nov 22 2002

Other

OtherProceedings of the 9th ACM Conference on Computer and Communications Security
CountryUnited States
CityWashington, DC
Period11/18/0211/22/02

Fingerprint

Hooks
Static analysis
Linux
Access control

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications

Cite this

Edwards, A., Jaeger, T., & Zhang, X. (2002). Runtime verification of authorization hook placement for the Linux Security Modules framework. 225-234. Paper presented at Proceedings of the 9th ACM Conference on Computer and Communications Security, Washington, DC, United States.
Edwards, Antony ; Jaeger, Trent ; Zhang, Xiaolan. / Runtime verification of authorization hook placement for the Linux Security Modules framework. Paper presented at Proceedings of the 9th ACM Conference on Computer and Communications Security, Washington, DC, United States.10 p.
@conference{bb8dd08751c6461b8461c3fef85dc6f2,
title = "Runtime verification of authorization hook placement for the Linux Security Modules framework",
abstract = "We present runtime tools to assist the Linux community in verifying the correctness of the Linux Security Modules (LSM) framework. The LSM framework consists of a set of authorization hooks inserted into the Linux kernel to enable additional authorizations to be performed (e.g., for mandatory access control). When compared to system call interposition, authorization within the kernel has both security and performance advantages, but it is more difficult to verify that placement of the LSM hooks ensures that all the kernel's security-sensitive operations are authorized. We have examined both static and runtime analysis techniques for this verification, and have found them to be complementary. Static analysis is more complex to implement and tends to generate more false positives, but coverage of all type-safe execution paths is possible. Runtime analysis lacks the code and input coverage of static analysis, but tends to be simpler to gather useful information. The major simplifying factor in our runtime verification approach is that we can leverage the fact that most of the LSM hooks are properly placed to identify misplaced hooks. Our runtime verification tools collect the current LSM authorizations and find inconsistencies in these authorizations. We describe our approach for performing runtime verification, the design of the tools that implement this approach, and the anomalous situations found in an LSM-patched Linux 2.4.16 kernel.",
author = "Antony Edwards and Trent Jaeger and Xiaolan Zhang",
year = "2002",
month = "12",
day = "1",
language = "English (US)",
pages = "225--234",
note = "Proceedings of the 9th ACM Conference on Computer and Communications Security ; Conference date: 18-11-2002 Through 22-11-2002",

}

Edwards, A, Jaeger, T & Zhang, X 2002, 'Runtime verification of authorization hook placement for the Linux Security Modules framework', Paper presented at Proceedings of the 9th ACM Conference on Computer and Communications Security, Washington, DC, United States, 11/18/02 - 11/22/02 pp. 225-234.

Runtime verification of authorization hook placement for the Linux Security Modules framework. / Edwards, Antony; Jaeger, Trent; Zhang, Xiaolan.

2002. 225-234 Paper presented at Proceedings of the 9th ACM Conference on Computer and Communications Security, Washington, DC, United States.

Research output: Contribution to conferencePaper

TY - CONF

T1 - Runtime verification of authorization hook placement for the Linux Security Modules framework

AU - Edwards, Antony

AU - Jaeger, Trent

AU - Zhang, Xiaolan

PY - 2002/12/1

Y1 - 2002/12/1

N2 - We present runtime tools to assist the Linux community in verifying the correctness of the Linux Security Modules (LSM) framework. The LSM framework consists of a set of authorization hooks inserted into the Linux kernel to enable additional authorizations to be performed (e.g., for mandatory access control). When compared to system call interposition, authorization within the kernel has both security and performance advantages, but it is more difficult to verify that placement of the LSM hooks ensures that all the kernel's security-sensitive operations are authorized. We have examined both static and runtime analysis techniques for this verification, and have found them to be complementary. Static analysis is more complex to implement and tends to generate more false positives, but coverage of all type-safe execution paths is possible. Runtime analysis lacks the code and input coverage of static analysis, but tends to be simpler to gather useful information. The major simplifying factor in our runtime verification approach is that we can leverage the fact that most of the LSM hooks are properly placed to identify misplaced hooks. Our runtime verification tools collect the current LSM authorizations and find inconsistencies in these authorizations. We describe our approach for performing runtime verification, the design of the tools that implement this approach, and the anomalous situations found in an LSM-patched Linux 2.4.16 kernel.

AB - We present runtime tools to assist the Linux community in verifying the correctness of the Linux Security Modules (LSM) framework. The LSM framework consists of a set of authorization hooks inserted into the Linux kernel to enable additional authorizations to be performed (e.g., for mandatory access control). When compared to system call interposition, authorization within the kernel has both security and performance advantages, but it is more difficult to verify that placement of the LSM hooks ensures that all the kernel's security-sensitive operations are authorized. We have examined both static and runtime analysis techniques for this verification, and have found them to be complementary. Static analysis is more complex to implement and tends to generate more false positives, but coverage of all type-safe execution paths is possible. Runtime analysis lacks the code and input coverage of static analysis, but tends to be simpler to gather useful information. The major simplifying factor in our runtime verification approach is that we can leverage the fact that most of the LSM hooks are properly placed to identify misplaced hooks. Our runtime verification tools collect the current LSM authorizations and find inconsistencies in these authorizations. We describe our approach for performing runtime verification, the design of the tools that implement this approach, and the anomalous situations found in an LSM-patched Linux 2.4.16 kernel.

UR - http://www.scopus.com/inward/record.url?scp=0037673305&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0037673305&partnerID=8YFLogxK

M3 - Paper

AN - SCOPUS:0037673305

SP - 225

EP - 234

ER -

Edwards A, Jaeger T, Zhang X. Runtime verification of authorization hook placement for the Linux Security Modules framework. 2002. Paper presented at Proceedings of the 9th ACM Conference on Computer and Communications Security, Washington, DC, United States.