From:	 "Trent Jaeger" <jaegert@us.ibm.com>
To:	 linux-security-module@wirex.com
Subject: LSM verification tools -- report
Date:	 Mon, 7 Jan 2002 15:42:37 -0500

Hi,

We have completed a first prototype of two LSM verification tools.  A
report describing the tool is available from the IBM Tech Reports site:
http://www.research.ibm.com/resources/paper_search.shtml.   The paper is
titled:

Verifying Authorization Hook Placement for the Linux Security Modules
Framework
by Antony Edwards, Trent Jaeger, and Xiaolan Zhang.

This is the tech report search site at IBM, so you can either search for the
paper or presumably this link will take you to it directly:
http://domino.watson.ibm.com/library/cyberdig.nsf/1e4115aea78b6e7c85256b360066f0d4/fd3bffacfd2bbd9385256b30005ec7ee?OpenDocument

I am working on getting the code released to the community (and we are
fine-tuning its function).  Hopefully, this will happen without a hitch, but I
am obliged to say that there is no guarantee that code will be released.

The tools are: (1) a runtime tool that enables verification that controlled
operations are authorized properly and (2) a static tool that examines
whether the LSM hook placement is clear relative to the operations that it
is protecting, so easy maintenance is possible.

The first tool automatically collects controlled operations from the source
(operations on key data types and globals specified to define a 'mediation
interface'), logs authorizations and the executions of these controlled
operations at runtime, and enables off-line analysis of the log to identify
anomalies that may indicate misplacement of hooks.  We are still early in
our analysis, but the paper identifies a few anomalies in placement.

The second tool generates a web page output that lists the LSM hooks, their
descriptions, and whether the operations they protect can be 'easily
deduced' from their placement.  Easy deduction is defined by the agreement
of conservative and optimistic heuristics.  The tool is fairly
conservative: we envision that any hook should be right before one or more
operations that use the first parameter (i.e., the object) in the hook.
Other hook placements should be justified, and help should be provided to
maintain the correct location of these hooks.

The second tool's output for LSM on Linux 2.4.9 is available at:
http://www.research.ibm.com/sawmill/lsm_249_intf.html

A description of these results is available at:
http://www.research.ibm.com/sawmill/lsm_249_notes.txt

Hopefully, these tools are a useful start.  Please let us know what you
think and what other features you may find useful.

Regards,
Trent.
----------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
30 Saw Mill River Road
Hawthorne, NY 10532
jaegert@watson.ibm.com
(914) 784-7225, FAX (914) 784-7595
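
Added example, not part of the original message and not the IBM tools' code: a minimal off-line pass over an authorization log, in the spirit of the runtime tool described above, that flags controlled operations executed with no earlier authorization on the same object. The log format, the per-request context ids, and the operation names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log (hypothetical format, not the tool's real one):
# <context id> <AUTH|OP> <hook or operation name> <object id>
SAMPLE_LOG = """\
1 AUTH inode_permission inode:17
1 OP read_i_size inode:17
2 AUTH file_permission file:4
2 OP write_f_pos file:4
2 OP write_i_size inode:17
3 OP read_i_size inode:17
4 AUTH inode_permission inode:9
4 OP write_i_size inode:9
"""

def parse(log):
    """Yield (context, kind, name, obj) tuples, skipping blank lines."""
    for line in log.splitlines():
        if line.strip():
            ctx, kind, name, obj = line.split()
            yield int(ctx), kind, name, obj

def find_unauthorized(log):
    """Return controlled operations with no earlier AUTH on the same object
    within the same context (assumed here to be one kernel entry)."""
    authorized = defaultdict(set)   # context -> objects authorized so far
    anomalies = []
    for ctx, kind, name, obj in parse(log):
        if kind == "AUTH":
            authorized[ctx].add(obj)
        elif kind == "OP" and obj not in authorized[ctx]:
            anomalies.append((ctx, name, obj))
    return anomalies

def inconsistent_ops(log):
    """Return operations authorized in some contexts but not in others;
    these are candidates for a manual review of hook placement."""
    authorized = defaultdict(set)
    seen = defaultdict(lambda: {"ok": 0, "missing": 0})
    for ctx, kind, name, obj in parse(log):
        if kind == "AUTH":
            authorized[ctx].add(obj)
        else:
            seen[name]["ok" if obj in authorized[ctx] else "missing"] += 1
    return sorted(op for op, c in seen.items() if c["ok"] and c["missing"])

if __name__ == "__main__":
    for ctx, op, obj in find_unauthorized(SAMPLE_LOG):
        print(f"context {ctx}: {op} on {obj} ran without a prior authorization")
    print("inconsistently authorized:", inconsistent_ops(SAMPLE_LOG))
```
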
