Producing Hook Placements to Enforce Expected Access Control Policies

Muthukumaran, Divya; Talele, Nirupama; Jaeger, Trent; Tan, Gang

doi:10.1007/978-3-319-15618-7_14

Cited by 8 publications

(8 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Compared with the results in [24], LSM hooking is still efficient and does not cause tangible performance impact. However, SELinux hooking could cause large performance drop for open (87%) and stat (30%), overhead for open is small in absolute value (about 1 𝜇𝜇s), however the absolute value might be higher for low-end embedded systems [26]; the overhead for mkdir and rmdir is smaller than 2%; for the rest of the tests, the overhead ranges from 8% to 19%. We also report the performance overhead (regression rate) of SELinux hooking using Equation (2), see Figure 3.…”

Section: Evaluation Resultsmentioning

confidence: 99%

See 1 more Smart Citation

Analyzing the Overhead of File Protection by Linux Security Modules

Zhang

Liu

Jaeger

2021

Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

Over the years, the complexity of the Linux Security Module (LSM) is keeping increasing (e.g. 10,684 LOC in Linux v2.6.0 vs. 64,018 LOC in v5.3), and the count of the authorization hooks is nearly doubled (e.g. 122 hooks in v2.6.0 vs. 224 hooks in v5.3). In addition, the computer industry has seen tremendous advancement in hardware (e.g., memory and processor frequency) in the past decade. These make the previous evaluation on LSM, which was done 18 years ago, less relevant nowadays. It is important to provide up-to-date measurement results of LSM for system practitioners so that they can make prudent trade-offs between security and performance.This work evaluates the overhead of LSM for file accesses on Linux v5.3.0. We build a performance evaluation framework for LSM. It has two parts, an extension of LMBench2.5 to evaluate the overhead of file operations for different security modules, and a security module with tunable latency for policy enforcement to study the impact of the latency of policy enforcement on the end-to-end latency of file operations.In our evaluation, we find opening a file would see about 87% (Linux v5.3) performance drop when the kernel is integrated with SELinux hooks (policy enforcement disabled) than without, while the figure was 27% (Linux v2.4.2). We found that performance of the above downgrade is affected by two parts, policy enforcement and hook placement. To further investigate the impact of policy enforcement and hook placement respectively, we build a Policy Testing Module, which reuses hook placements of LSM, while alternating latency of policy enforcement. With this module, we are able to quantitatively estimate the impact of the latency of policy enforcement on the end-to-end latency of file operations by using a multiple linear regression model and count policy authorization frequencies for each syscall. We then discuss and justify the evaluation results with static analysis on our syscalls' call graphs, which is call string analysis enhanced with execution order analysis.Conference'17, July 2017, Washington, DC, USA Wenhui Zhang * This is carried out using LMBench2.5 executed on a 700 MHz Pentium Xeon computer with 1 GB of RAM and an ultra-wide SCSI disk. † This is carried out using LMBench2.5 executed on a 333MHz Pentium II with 128M RAM. ‡ This is tested with LMBench2.5 on 6th Generation Intel® Core™ i7-6500U 2.50 GHz processor with 2 cores, at 1,442MHz each

show abstract

Section: Evaluation Resultsmentioning

confidence: 99%

“…Previous hook placement works [7,10,16,25,26] try to minimize the count of hooks, not performance (i.e. hook invocations).…”

Section: Analysis Of Resultsmentioning

confidence: 99%

Analyzing the Overhead of File Protection by Linux Security Modules

Zhang

Liu

Jaeger

2021

Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…(2) it must be tamperproof; and (3) its operation must be verified to be correct via complete testing. Researchers have explored a variety of techniques to assess the correctness of authorization, particularly complete mediation, by assessing control flow [13], [20], [9], [8], [17], [18], [14], [15], [16] (i.e., all control flows to security-sensitive operations are mediated) and data flow [36], [37], [24], [25] (i.e., all accesses to data obey an information flow policy). However, those techniques do not detect tampering.…”

Section: B the Tamper Problem For Reference Monitorsmentioning

confidence: 99%

“…In the past, researchers developed several automated analyses to detect failures in complete mediation [13], [14], [15], [16], [17], [18], [19], [8], [9], [20]. Such analyses detect the absence of authorization checks [13], [20], [9], detect inconsistent use of authorization checks [8], [16], and propose placements and/or repairs for missing checks [14], [15], [17], [18], [19]. These methods use control flows to determine what authorization checks are expected at particular points in the program.…”

Section: Introductionmentioning

confidence: 99%

TALISMAN: Tamper Analysis for Reference Monitors

Capobianco,

Zhou,

Basu

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Correct access control enforcement is a critical foundation for data security. The reference monitor is the key component for enforcing access control, which is supposed to provide tamperproof mediation of all security-sensitive operations. Since reference monitors are often deployed in complex software handling a wide variety of operation requests, such as operating systems and server programs, a question is whether reference monitor implementations may have flaws that prevent them from achieving these requirements. In the past, automated analyses detected flaws in complete mediation. However, researchers have not yet developed methods to detect flaws that may tamper with the reference monitor, despite the many vulnerabilities found in such programs. In this paper, we develop TALISMAN, an automated analysis for detecting flaws that may tamper the execution of reference monitor implementations. At its core, TALISMAN implements a precise information flow integrity analysis to detect violations that may tamper the construction of authorization queries. TALISMAN applies a new, relaxed variant of noninterference that eliminates several spurious implicit flow violations. TALISMAN also provides a means to vet expected uses of untrusted data in authorization using endorsement. We apply TALISMAN on three reference monitor implementations used in the Linux Security Modules framework, SELinux, AppArmor, and Tomoyo, verifying 80% of the arguments in authorization queries generated by these LSMs. Using TALISMAN, we also found vulnerabilities in how pathnames are used in authorization by Tomoyo and AppArmor allowing adversaries to circumvent authorization. TALISMAN shows that tamper analysis of reference monitor implementations can automatically verify many cases and also enable the detection of critical flaws.

show abstract

“…JIGSAW [16] is an automated tool to protect programs from resource access attacks. There are also studies [17][18][19] that perform access control analysis to protect security-sensitive operations from access by unauthorized subjects.…”

Section: Access Control Analysismentioning

confidence: 99%

AMCheX: Accurate Analysis of Missing-Check Bugs for Linux Kernel

Wang

Yin

Dong

2021

J. Comput. Sci. Technol.

View full text Add to dashboard Cite

The Linux kernel adopts a large number of security checks to prevent security-sensitive operations from being executed under unsafe conditions. If a security-sensitive operation is unchecked, a missing-check issue arises. Missing check is a class of severe bugs in software programs especially in operating system kernels, which may cause a variety of security issues, such as out-of-bound accesses, permission bypasses, and privilege escalations. Due to the lack of security specifications, how to automatically identify security-sensitive operations and their required security checks in the Linux kernel becomes a challenge for missing-check analysis. In this paper, we present an accurate missing-check analysis method for Linux kernel, which can automatically infer possible security-sensitive operations. Particularly, we first automatically identify all possible security check functions of Linux. Then according to their callsites, a two-direction analysis method is leveraged to identify possible security-sensitive operations. A missing-check bug is reported when the security-sensitive operation is not protected by its corresponding security check. We have implemented our method as a tool, named AMCheX, on top of the LLVM (Low Level Virtual Machine) framework and evaluated it on the Linux kernel. AMCheX reported 12 new missing-check bugs which can cause security issues. Five of them have been confirmed by Linux maintainers.

show abstract

Producing Hook Placements to Enforce Expected Access Control Policies

Cited by 8 publications

References 10 publications

Analyzing the Overhead of File Protection by Linux Security Modules

Analyzing the Overhead of File Protection by Linux Security Modules

TALISMAN: Tamper Analysis for Reference Monitors

AMCheX: Accurate Analysis of Missing-Check Bugs for Linux Kernel

Contact Info

Product

Resources

About