Linux Security Modules Enhancements: Module Stacking Framework and TCP State Transition Hooks for State-Driven NIDS

Authors

  • Markus Quaritsch
  • Thomas Winkler
Abstract

Until the availability of Kernel 2.6, the Linux operating system lacked general support to integrate security mechanisms into the kernel. The Linux Security Module Framework (LSM) was designed to overcome this limitation. Although LSM provides a solid baseline for kernel security, it lacks important features. In this paper, two of these limitations are addressed. First, a framework-managed module stacking mechanism is proposed that allows multiple security policies to be present in the kernel at the same time. The second aspect this paper deals with is the addition of LSM hooks to the Linux TCP layer. This extension was chosen because it allows the implementation of a State-Based Network Intrusion Detection Mechanism, which is outlined at the end of the article.

Similar resources

Maintaining the Correctness of the Linux Security Modules Framework

In this paper, we present an approach, supported by software tools, for maintaining the correctness of the Linux Security Modules (LSM) framework (the LSM community is aiming for inclusion in Linux 2.5). The LSM framework consists of a set of function call hooks placed at locations in the Linux kernel that enable greater control of user-level processes’ use of kernel functionality, such as is n...

Using CQUAL for Static Analysis of Authorization Hook Placement

The Linux Security Modules (LSM) framework is a set of authorization hooks for implementing flexible access control in the Linux kernel. While much effort has been devoted to defining the module interfaces, little attention has been paid to verifying the correctness of hook placement. This paper presents a novel approach to the verification of LSM authorization hook placement using CQUAL, a typ...

TCP and Link Layer Enhancements in DVB-S/DVB-RCS satellite systems

The Transmission Control Protocol (TCP) is efficient on wired networks, but provides poor performance on satellite networks due to the specific characteristics of satellite links. In this paper, we present the experiments results for a combined approach of a selected set of state-of-art TCP enhancements in conjunction with link layer enhancements. Link laye...

Free Extended BCK-Module

In this paper, by considering the notion of extended BCK-module, we define the concepts of free extended BCK-module, free object in category of extended BCK-modules and we state and prove some related results. Specially, we define the notion of idempotent extended BCK-module and we get some important results in free extended BCK-modules. In particular, in category of idempotent extended BCK-mod...

Roundhouse: A Security Architecture for Active Networks

We describe a high-assurance framework for actively networked clients and servers. Called Roundhouse, it consists of the following elements: 1. Pinkerton, a comprehensive model for the implementation of distributed protection domains that provide for robust protection in an active networks environment; 2. Iron Horse: Functional and security design of a kernelized host providing essential ring-based ...

Publication date: 2004