Abstract
The Linux kernel is one of the most important Free/Libre Open Source Software (FLOSS) projects. It is installed on billions of devices all over the world, which process various sensitive, confidential or simply private data, so it is crucial to establish and prove its security properties. This work-in-progress paper presents a method to verify the Linux kernel for conformance with an abstract security policy model written in the Event-B specification language. The method is based on system call tracing and checks that the results of system call execution do not lead to accesses that violate the security policy requirements. As its basis we use an additional Event-B specification of the Linux system call interface that is formally proved to satisfy all the requirements of the security policy model; to perform the conformance checks, we use this specification to reproduce the intercepted system calls and verify the resulting accesses.
This work has received funding from the Ministry of Education and Science of Russia under grant agreement RFMEFI60719X0295.
Notes
1. Publicly available part of the specification: https://github.com/17451k/base-model.
2. According to the Linux manual page
3. Code can be found here: https://github.com/17451k/base-model/tree/open.
4. The listed error codes are taken from the Linux kernel file include/uapi/asm-generic/errno-base.h.
© 2020 Springer Nature Switzerland AG
Efremov, D., Shchepetkov, I. (2020). Runtime Verification of Linux Kernel Security Module. In: Sekerinski, E., et al. Formal Methods. FM 2019 International Workshops. FM 2019. Lecture Notes in Computer Science(), vol 12233. Springer, Cham. https://doi.org/10.1007/978-3-030-54997-8_12
DOI: https://doi.org/10.1007/978-3-030-54997-8_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-54996-1
Online ISBN: 978-3-030-54997-8