Consistency Analysis of Authorization of Hook Placement in the Linux Security Modules Framework
Jaeger, T., Edwards, A., & Zhang, X. (2004). Consistency Analysis of Authorization of Hook Placement in the Linux Security Modules Framework. ACM Transactions on Information Security and System Security, 7, 175-205. Retrieved on September 21, 2006, from the ACM Digital Library database.
In this article, the authors Jaeger, Edwards, and Zhang, tried to confirm for Linux users and kernel developers the correct location of hooks inside the Linux kernel which comprise the Linux Security Modules (LSM) project framework. The authors theorized that because hooks define the kinds of authorizations, including sensitive security operations, that a module can enforce, the consistency in authorizations is dependent on the proper placement of the hooks making consistency an indicator of correct hook placement.
Whenever a security sensitive operation is performed as a specific event, a set of LSM hooks must have mediated in that operation. While there are benefits to locating the hooks inside the kernel, their location makes a mediation interface harder to see, so the controlled operations and their mapping to policy operations are also harder to see. The authors noted that there was no location inside the kernel similar to the system call interface at which all the kernel’s controlled operations that access security sensitive data must pass, making pin-pointing such operations more difficult. In the absence of such a location, the authors sought a model to help identify controlled operations in the kernel, determine controlled operations authorizations requirements, and compare actual hook authorizations to authorization requirements.
In arriving at a solution, the authors considered the fact that LSM authorization hooks were almost always placed correctly making inconsistencies in authorization a sign of trouble, and that consistency is dependent on context. To collect and analyze authorizations, they established a system of logging generation tool using run-time analysis of the kernel and static analysis of its source code, and an authorization consistency analysis tool such as JaBA (a Java static analysis tool) to collect the logs. They also discussed improvements to the overall analysis that could be made using JaBA data flow analysis. They were able to identify operations that were irregular or unexpected by analyzing the output of a logging tool, and in this way found four anomalies that could have been exploited but were corrected with help of Linux Security Module users.
In this article, the authors Jaeger, Edwards, and Zhang, tried to confirm for Linux users and kernel developers the correct location of hooks inside the Linux kernel which comprise the Linux Security Modules (LSM) project framework. The authors theorized that because hooks define the kinds of authorizations, including sensitive security operations, that a module can enforce, the consistency in authorizations is dependent on the proper placement of the hooks making consistency an indicator of correct hook placement.
Whenever a security sensitive operation is performed as a specific event, a set of LSM hooks must have mediated in that operation. While there are benefits to locating the hooks inside the kernel, their location makes a mediation interface harder to see, so the controlled operations and their mapping to policy operations are also harder to see. The authors noted that there was no location inside the kernel similar to the system call interface at which all the kernel’s controlled operations that access security sensitive data must pass, making pin-pointing such operations more difficult. In the absence of such a location, the authors sought a model to help identify controlled operations in the kernel, determine controlled operations authorizations requirements, and compare actual hook authorizations to authorization requirements.
In arriving at a solution, the authors considered the fact that LSM authorization hooks were almost always placed correctly making inconsistencies in authorization a sign of trouble, and that consistency is dependent on context. To collect and analyze authorizations, they established a system of logging generation tool using run-time analysis of the kernel and static analysis of its source code, and an authorization consistency analysis tool such as JaBA (a Java static analysis tool) to collect the logs. They also discussed improvements to the overall analysis that could be made using JaBA data flow analysis. They were able to identify operations that were irregular or unexpected by analyzing the output of a logging tool, and in this way found four anomalies that could have been exploited but were corrected with help of Linux Security Module users.
posted by Dr. Adam Norten at 5:02 PM
0 Comments:
Post a Comment
<< Home