LSM Verification Tools

From: Trent Jaeger (jaegertat_private)
Date: Tue Oct 01 2002 - 17:13:35 PDT

  • Next message: Chris Wright: "Re: LSM Verification Tools"

    I am glad to say that the LSM runtime verification tools that we have been
    working on at IBM are now approved for us to release open source (GPL
    license).
    
    I am getting the tool added to the external IBM DeveloperWorks, but in the
    meantime I will be happy to send a tarball to requestors.
    
    These runtime tools instrument the Linux kernel, collect logs of controlled
    operations and security checks, and analyze the logs to display the
    relationship between the controlled operations and authorization checks for
    individual system calls.  From this, one can compare the authorizations
    within and across system calls (graphically and textually).  A fairly
    complete technical and usage document is included.
    
    We have tested the tools on 2.4.16, 2.4.18, 2.4.19, and 2.5.26.  I can't
    say how easy it is to port to more recent 2.5 versions, but I'll look into
    it.  No changes were required between 2.4.16 and 2.4.18.  Some were
    required to 2.4.19, but mostly due to hook flattening.
    
    Note that these tools are the ones from the upcoming CCS 2002 paper
    (Runtime Verification of Authorization Hook Placement for the Linux
    Security Modules Framework), *not* from the USENIX 2002 paper (based on
    CQUAL static analysis).  The latter prototype is not well-tested, and we
    continue to improve the static analysis capabilities.  We hope to make some
    headway on this soon.
    
    Regards,
    Trent.
    ----------------------------------
    Trent Jaeger
    IBM T.J. Watson Research Center
    19 Skyline Drive
    Hawthorne, NY 10532
    jaegertat_private
    (914) 784-7225, FAX (914) 784-7595
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Tue Oct 01 2002 - 17:14:33 PDT