Filters








176 Hits in 8.0 sec

Runtime verification of authorization hook placement for the linux security modules framework

Antony Edwards, Trent Jaeger, Xiaolan Zhang
2002 Proceedings of the 9th ACM conference on Computer and communications security - CCS '02  
We present runtime tools to assist the Linux community in verifying the correctness of the Linux Security Modules (LSM) framework.  ...  The LSM framework consists of a set of authorization hooks inserted into the Linux kernel to enable additional authorizations to be performed (e.g., for mandatory access control).  ...  Solution Description The key insight we leverage in runtime analysis for the Linux Security Modules (LSM) framework is that the LSM authorization hook placement is largely correct, such that cases that  ... 
doi:10.1145/586110.586141 dblp:conf/ccs/EdwardsJZ02 fatcat:sr25a5dv5jdvnnafgrocpdamd4

Runtime verification of authorization hook placement for the linux security modules framework

Antony Edwards, Trent Jaeger, Xiaolan Zhang
2002 Proceedings of the 9th ACM conference on Computer and communications security - CCS '02  
We present runtime tools to assist the Linux community in verifying the correctness of the Linux Security Modules (LSM) framework.  ...  The LSM framework consists of a set of authorization hooks inserted into the Linux kernel to enable additional authorizations to be performed (e.g., for mandatory access control).  ...  Solution Description The key insight we leverage in runtime analysis for the Linux Security Modules (LSM) framework is that the LSM authorization hook placement is largely correct, such that cases that  ... 
doi:10.1145/586139.586141 fatcat:yno6e6q5hfdfpo2jhpwxagcyee

Runtime Verification of Linux Kernel Security Module [article]

Denis Efremov, Ilya Shchepetkov
2020 arXiv   pre-print
As a basis for it, we use an additional Event-B specification of the Linux system call interface that is formally proved to satisfy all the requirements of the security policy model.  ...  This work-in-progress paper presents a method to verify the Linux kernel for conformance with an abstract security policy model written in the Event-B specification language.  ...  Section 6 describes the Linux security modules framework, which is used to implement security policy models inside the kernel. Section 7 presents the runtime verification method itself.  ... 
arXiv:2001.01442v1 fatcat:girkvbtg75huhfzo7imblfimmi

Consistency analysis of authorization hook placement in the Linux security modules framework

Trent Jaeger, Antony Edwards, Xiaolan Zhang
2004 ACM Transactions on Privacy and Security  
We present a consistency analysis approach to assist the Linux community in verifying the correctness of authorization hook placement in the Linux Security Modules (LSM) framework.  ...  The LSM framework consists of a set of authorization hooks inserted into the Linux kernel to enable additional authorizations to be performed (e.g., for mandatory access control).  ...  Such a framework would enable developers to implement authorization modules of their choosing for the Linux kernel.  ... 
doi:10.1145/996943.996944 fatcat:ndhj7ttitbhpze5esrkwg6htim

Trustworthy Whole-System Provenance for the Linux Kernel

Adam Bates, Dave Tian, Kevin R. B. Butler, Thomas Moyer
2015 USENIX Security Symposium  
We present Linux Provenance Modules (LPM), the first general framework for the development of provenance-aware systems.  ...  However, while past work has demonstrated the usefulness of provenance, less attention has been given to securing provenance-aware systems.  ...  This work was supported in part by the US National Science Foundation under grant numbers CNS-1118046, CNS-1254198, and CNS-1445983.  ... 
dblp:conf/uss/BatesTBM15 fatcat:klxqjjg335bt3mj74swddxbjnu

The case for analysis preserving language transformation

Xiaolan Zhang, Larry Koved, Marco Pistoia, Sam Weber, Trent Jaeger, Guillaume Marceau, Liangzhao Zeng
2006 Proceedings of the 2006 international symposium on Software testing and analysis - ISSTA'06  
We demonstrate the feasibility and effectiveness of aplt using two usage cases: analysis of the Java runtime native methods and reuse of Java analysis tools for C.  ...  Static analysis has gained much attention over the past few years in applications such as bug finding and program verification.  ...  An example reference monitor is the Linux Security Modules (lsm) interface [47] . The Linux Security Module provides a Mandatory Access Control (mac) architecture inside the Linux kernel.  ... 
doi:10.1145/1146238.1146260 dblp:conf/issta/ZhangKPWJMZ06 fatcat:hp6vkmfqovfyfjcjlhkbsa2dei

Runtime Analysis of Whole-System Provenance [article]

Thomas Pasquier and Xueyuan Han and Thomas Moyer and Adam Bates and Olivier Hermant and David Eyers and Jean Bacon and Margo Seltzer
2018 arXiv   pre-print
CamQuery is a Linux Security Module that offers support for both userspace and in-kernel execution of analysis applications.  ...  We demonstrate the applicability of CamQuery to a variety of runtime security applications including data loss prevention, intrusion detection, and regulatory compliance.  ...  Availability: We released an open-source implementation of Cam-Query. Based on the Linux Security Modules framework, CamQuery is immediately deployable on millions of systems worldwide.  ... 
arXiv:1808.06049v2 fatcat:3dg4kchdzvhanlzdgigwbheooi

Runtime Analysis of Whole-System Provenance

Thomas Pasquier, Xueyuan Han, Thomas Moyer, Adam Bates, Olivier Hermant, David Eyers, Jean Bacon, Margo Seltzer
2018 Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security - CCS '18  
CamQuery is a Linux Security Module that offers support for both userspace and in-kernel execution of analysis applications.  ...  We demonstrate the applicability of CamQuery to a variety of runtime security applications including data loss prevention, intrusion detection, and regulatory compliance.  ...  Availability: We released an open-source implementation of Cam-Query. Based on the Linux Security Modules framework, CamQuery is immediately deployable on millions of systems worldwide.  ... 
doi:10.1145/3243734.3243776 dblp:conf/ccs/PasquierHMBHEBS18 fatcat:5z5e53dmoba65kbazi4cak27ae

Leveraging "choice" to automate authorization hook placement

Divya Muthukumaran, Trent Jaeger, Vinod Ganapathy
2012 Proceedings of the 2012 ACM conference on Computer and communications security - CCS '12  
The goal of authorization hook placement is to completely mediate all security-sensitive operations on shared resources.  ...  In this paper, we propose an automated hook placement approach that is motivated by a novel observation -that the deliberate choices made by clients for objects from server collections and for processing  ...  The Linux Security Modules (LSM) framework [41] remedies this shortcoming by placing authorization hooks to enforce more powerful security policies.  ... 
doi:10.1145/2382196.2382215 dblp:conf/ccs/MuthukumaranJG12 fatcat:2thzrzq52bag5aw5opeus3ymle

DECAF: A Platform-Neutral Whole-System Dynamic Binary Analysis Platform

Andrew Henderson, Lok Kwong Yan, Xunchao Hu, Aravind Prakash, Heng Yin, Stephen McCamant
2017 IEEE Transactions on Software Engineering  
While several dynamic binary analysis tools and frameworks have been proposed, all suffer from one or more of: prohibitive performance degradation, a semantic gap between the analysis code and the program  ...  and 12 percent for VMI.  ...  Any opinions, findings, and conclusions made in this material are those of the authors and do not necessarily reflect the views of the funding agencies.  ... 
doi:10.1109/tse.2016.2589242 fatcat:n7mqdtkdjzeldnlu7b2itenvbi

Leveraging IPsec for Mandatory Per-Packet Access Control

Trent Jaeger, David H. King, Kevin R. Butler, Serge Hallyn, Joy Latten, Xiaolan Zhang
2006 2006 Securecomm and Workshops  
For example, Linux 2.6 includes the Linux Security Modules (LSM) framework that enables the enforcement of MAC policies (e.g., Type Enforcement or Multi-Level Security) for individual systems.  ...  In this paper, we describe a recent extension of the LSM framework that enables labeled network communication via IPsec that is now available in mainline Linux as of version 2.6.16.  ...  Acknowledgment The authors would like to thank Stephen Smalley, James Morris, and the SELinux community for their input into the design of the system.  ... 
doi:10.1109/seccomw.2006.359530 dblp:conf/securecomm/JaegerKBHLZ06 fatcat:ft5474lxsvbkva4u53e6t4ter4

Protecting the integrity of trusted applications in mobile phone systems

Divya Muthukumaran, Joshua Schiffman, Mohamed Hassan, Anuj Sawani, Vikhyath Rao, Trent Jaeger
2010 Security and Communication Networks  
We have implemented a prototype on the Openmoko Linux Platform, using an SELinux kernel with a PRIMA module and user-space services that leverage the SELinux user-level policy server.  ...  In this paper, we propose a security architecture for phone systems that protects trusted applications from such downloaded code.  ...  Authorization Hook Placement A hook is placed when the subject and target object of the operation are both known.  ... 
doi:10.1002/sec.194 fatcat:4pirtz7n2ngqrmajpcpyd5kvoy

TZ-MRAS: A Remote Attestation Scheme for the Mobile Terminal Based on ARM TrustZone

Ziwang Wang, Yi Zhuang, Zujia Yan
2020 Security and Communication Networks  
To ARM's mobile platform, we propose a mobile remote attestation scheme based on ARM TrustZone (TZ-MRAS), which uses the highest security authority of TrustZone to implement trusted attestation service  ...  algorithm based on the locality principle (LPSML) is proposed, which has the advantages of shortening the length of the authentication path and improving the verification efficiency of the platform configuration  ...  monitoring for kernels and programs running in the normal world through the placement of probes.  ... 
doi:10.1155/2020/1756130 fatcat:cqxt55hkizgrbdvunpugrx7kae

Make it work, make it right, make it fast: building a platform-neutral whole-system dynamic binary analysis platform

Andrew Henderson, Aravind Prakash, Lok Kwong Yan, Xunchao Hu, Xujiewen Wang, Rundong Zhou, Heng Yin
2014 Proceedings of the 2014 International Symposium on Software Testing and Analysis - ISSTA 2014  
While several dynamic binary analysis tools and frameworks have been proposed, all suffer from one or more of: prohibitive performance degradation, semantic gap between the analysis code and the program  ...  for VMI.  ...  We will need to parse the headers (PE for Windows, and ELF for Linux) of each code module to extract symbols.  ... 
doi:10.1145/2610384.2610407 dblp:conf/issta/HendersonPYHWZY14 fatcat:sufhzzcyabbt7mvkz2fla7uaka

NFV Platform Design: A Survey [article]

Tianzhu Zhang
2020 arXiv   pre-print
Then we thoroughly explore the design space and elaborate the implementation choices each platform opts for.  ...  This broad collection of convoluted alternatives makes it extremely arduous for network operators to make proper choices.  ...  Priyanka Naik for her valuable feedback.  ... 
arXiv:2002.11059v2 fatcat:zgafnd6xmvdzngkukq6qicf3gu
« Previous Showing results 1 — 15 out of 176 results