|| ||Trent Jaeger <firstname.lastname@example.org>|
|| ||LSM Verification Tools|
|| ||Tue, 1 Oct 2002 20:13:35 -0400|
I am glad to say that the LSM runtime verification tools that we have been
working on at IBM are now approved for us to release open source (GPL
I am getting the tool added to the external IBM DeveloperWorks, but in the
meantime I will be happy to send a tarball to requestors.
These runtime tools instrument the Linux kernel, collect logs of controlled
operations and security checks, and analyze the logs to display the
relationship between the controlled operations and authorization checks for
individual system calls. From this, one can compare the authorizations
within and across system calls (graphically and textually). A fairly
complete technical and usage document is included.
We have tested the tools on 2.4.16, 2.4.18, 2.4.19, and 2.5.26. I can't
say how easy it is to port to more recent 2.5 versions, but I'll look into
it. No changes were required between 2.4.16 and 2.4.18. Some were
required to 2.4.19, but mostly due to hook flattening.
Note that these tools are the ones from the upcoming CCS 2002 paper
(Runtime Verification of Authorization Hook Placement for the Linux
Security Modules Framework), *not* from the USENIX 2002 paper (based on
CQUAL static analysis). The latter prototype is not well-tested, and we
continue to improve the static analysis capabilities. We hope to make some
headway on this soon.
IBM T.J. Watson Research Center
19 Skyline Drive
Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7595
linux-security-module mailing list