Verifying Authorization Hook Placement for the Linux Security Modules Framework

We present tools to assist the Linux community in verifying the correctness and maintainability of the Linux Security Modules (LSM) framework. The LSM framework consists of a set of authorization hooks inserted into the kernel to enable additional security enforcement (e.g., mandatory access control). When compared to system call interposition, authorization within the kernel has both security and performance advantages, but it makes it more difficult to verify that the kernel's security-sensitive operations are authorized. To tackle this problem, we define a mediation interface in the kernel, and verify that all mediating operations are appropriately authorized. Verification leverages the fact that most of the LSM hooks are properly placed to identify misplaced hooks. We define a mediation interface in terms of the LSM-authorized kernel data structures and a set of properties that the authorizations should display. Using a runtime analysis tool, we collect authorization data that we can use to detect candidate flaws that do not display the expected properties. A second static tool identifies hook placements that may be difficult to maintain. We describe the anomalous situations that the tools found in an LSM-patched Linux 2.4.9 kernel.
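As an added illustration of the majority-based check the abstract describes (this is not the authors' tool; the trace records are constructed and the syscall and hook names are illustrative), the following Python script treats the most common hook set for each (data structure, operation) pair as the expected authorization and flags trace records that deviate from it, either because no hook mediated the access or because a hook is missing:

```python
from collections import Counter, defaultdict

# Constructed trace records, not output of the paper's runtime tool. Each entry
# is one observed security-sensitive kernel operation on a data structure,
# together with the LSM hooks seen authorizing it on that code path.
# Syscall and hook names are illustrative.
TRACE = [
    ("read",   "inode", "read",    ("file_permission",)),
    ("read",   "inode", "read",    ("file_permission",)),
    ("read",   "inode", "read",    ("file_permission",)),
    ("readv",  "inode", "read",    ()),                      # no hook on this path
    ("open",   "inode", "open",    ("inode_permission", "file_open")),
    ("open",   "inode", "open",    ("inode_permission", "file_open")),
    ("creat",  "inode", "open",    ("inode_permission",)),   # only a subset of hooks
    ("fchown", "inode", "setattr", ("inode_setattr",)),
    ("chown",  "inode", "setattr", ("inode_setattr",)),
]

def expected_hooks(trace):
    """Majority hook set per (structure, operation). Because most hooks are
    placed correctly, the majority serves as the expected authorization."""
    seen = defaultdict(Counter)
    for _, struct, op, hooks in trace:
        seen[(struct, op)][frozenset(hooks)] += 1
    return {key: counts.most_common(1)[0][0] for key, counts in seen.items()}

def candidate_flaws(trace):
    """Records whose hooks differ from the majority for the same operation.
    Returns (syscall, kind, hooks that are missing relative to the majority)."""
    norm = expected_hooks(trace)
    flaws = []
    for syscall, struct, op, hooks in trace:
        have = frozenset(hooks)
        want = norm[(struct, op)]
        if not have:
            flaws.append((syscall, "unmediated", sorted(want)))
        elif have != want:
            flaws.append((syscall, "inconsistent", sorted(want - have)))
    return flaws

if __name__ == "__main__":
    for flaw in candidate_flaws(TRACE):
        print(flaw)
```

Each flagged record is only a candidate: a reviewer still has to decide whether the divergent path genuinely needs the hook or is legitimately authorized elsewhere.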

By: Antony Edwards, Trent R. Jaeger, Xiaolan Zhang

Published in: Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS 2002), ACM, pp. 225-234, 2002.

Please obtain a copy of this paper from your local library. IBM cannot distribute this paper externally.
