Analyzing the Overhead of File Protection by Linux Security Modules

Zhang, Wenhui; Liu, Peng; Jaeger, Trent

doi:10.1145/3433210.3453078

Cited by 10 publications

(4 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It is difficult to precisely measure LSM overhead [68]. In general, there exist two sources of overhead when performing audit (or other policy enforcement) through LSM: hooking and execution.…”

Section: Lsm Overheadmentioning

confidence: 99%

Secure Namespaced Kernel Audit for Containers

Lim¹,

Stelea²,

Han³

et al. 2021

Preprint

View full text Add to dashboard Cite

Despite the wide usage of container-based cloud computing, container auditing for security analysis relies mostly on built-in host audit systems, which often lack the ability to capture high-fidelity container logs. State-of-the-art reference-monitor-based audit techniques greatly improve the quality of audit logs, but their system-wide architecture is too costly to be adapted for individual containers. Moreover, these techniques typically require extensive kernel modifications, making it difficult to deploy in practical settings.In this paper, we present saBPF (secure audit BPF), an extension of the eBPF framework capable of deploying secure system-level audit mechanisms at the container granularity. We demonstrate the practicality of saBPF in Kubernetes by designing an audit framework, an intrusion detection system, and a lightweight access control mechanism. We evaluate saBPF and show that it is comparable in performance and security guarantees to audit systems from the literature that are implemented directly in the kernel. * This paper was accepted at the 12th ACM Symposium on Cloud Computing (SoCC'21) (see https://acmsocc.org/2021/).

show abstract

Section: Lsm Overheadmentioning

confidence: 99%

Secure Namespaced Kernel Audit for Containers

Lim¹,

Stelea²,

Han³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…SMACK may also be absent from the support list. Additionally, due to their lower impact on the file loading overhead, many system installations choose AppArmor or TOMOYO instead of SELinux [7,8]. Additionally, SELinux implements MAC policies by means of contexts composed of users, roles, and types [9].…”

Section: Introductionmentioning

confidence: 99%

XFilter: An Extension of the Integrity Measurement Architecture Based on Fine-Grained Policies

Litchfield

2023

Applied Sciences

View full text Add to dashboard Cite

The Integrity Measurement Architecture subsystem on the Linux platform is a critical security component in the kernel to ensure the integrity of the running system. However, the default Integrity Measurement Architecture policy mechanisms based on options such as file owner and FSMAGIC cannot achieve a file-level configuration. Although Integrity Measurement Architecture supports the Linux Security Module policy rules to be close to the goal of fine-grained configuration, it is not easy to be managed because the Linux Security Module was not originally designed for integrity measurement. Moreover, the Linux Security Module-based policy does not apply in some use cases considering the type of Mandatory Access Control tools chosen by users. This paper presents a new policy configuration option, named XFilter, that achieves a fine-grained policy configuration method. The XFilter includes two policy matching mechanisms, XLabel and XList, which share the same policy token created for XFilter exclusively. XLabel marks the files for measurement using a label in the file’s extended attribute (xattr). By contrast, XList stores the measurement information in a list of file paths. To simplify the deployment, an automatic configuration process is implemented for integrating into the package management system. The evaluation results suggest that both mechanisms satisfy the requirements of file-level IMA policy control and create a performance burden for system operation in the acceptable range. They also reveal a positive correlation between the increment of the system latency and the growth of the length of file paths list for the XList mechanism.

show abstract

“…Enforcement hooks serve as checkpoints for security enforcement over specific access categories, while bookkeeping hooks enable a se-curity module to maintain stateful information about subjects and objects on the system. LSM hooks are not considered to be static, and often change between kernel versions as new hooks are implemented and both new and existing hooks placed into various kernel functions [158]. The eventual goal of the LSM framework is to provide complete mediation over kernel security events, however this is an evolving process and no formal verification exists to prove the security of LSM hooks [60].…”

Section: Linux Security Modules Selinux and Apparmormentioning

confidence: 99%

“…In the Complaining case, BPFBox and BPFContain significantly outperform AppArmor, a fact which can be attributed to inefficiencies in AppArmor's logging mechanism, which relies on the kernel's audit framework. The ring buffer maps used by BPFBox and BPFContain are known to exhibit comparatively less overhead [103,157,158]. Additional overhead may also arise due to differences in how…”

Section: Osbench File Creationmentioning

confidence: 99%

A Practical, Lightweight, and Flexible Confinement Framework in eBPF

Findlay¹

View full text Add to dashboard Cite

show abstract

Analyzing the Overhead of File Protection by Linux Security Modules

Cited by 10 publications

References 32 publications

Secure Namespaced Kernel Audit for Containers

Secure Namespaced Kernel Audit for Containers

XFilter: An Extension of the Integrity Measurement Architecture Based on Fine-Grained Policies

A Practical, Lightweight, and Flexible Confinement Framework in eBPF

Contact Info

Product

Resources

About