Analyzing the Overhead of Filesystem Protection Using Linux Security Modules

Over the years the Linux Security Modules (LSM) framework has kept growing in complexity (10,684 LOC in Linux v2.6.0 vs. 64,018 LOC in v5.3), and the number of authorization hooks has nearly doubled (122 hooks in v2.6.0 vs. 224 hooks in v5.3). In addition, hardware (e.g., memory and processor frequency) has advanced tremendously over the past decade. Together these make the previous evaluation of LSM, which was done 18 years ago, of limited relevance today. Up-to-date measurements of LSM overhead are important for system practitioners so that they can make prudent trade-offs between security and performance. This work evaluates the overhead of LSM for file accesses on Linux v5.3.0. We build a performance evaluation framework for LSM with two parts: an extension of LMBench2.5 that measures the overhead of file operations under different security modules, and a security module with tunable policy-enforcement latency for studying how the latency of policy enforcement affects the end-to-end latency of file operations. In our evaluation we find that opening a file sees about an 87% performance drop (Linux v5.3) when the kernel is built with the SELinux hooks (policy enforcement disabled) compared with a kernel without them, whereas the corresponding figure was 27% on Linux v2.4.2. This slowdown has two sources, policy enforcement and hook placement. To investigate the two separately, we build a Policy Testing Module, which reuses the hook placements of LSM while varying the latency of policy enforcement. With this module we quantitatively estimate the impact of policy-enforcement latency on the end-to-end latency of file operations using a multiple linear regression model, and we count the policy authorization frequency of each syscall. We then discuss and justify the evaluation results with static analysis of the syscalls' call graphs, namely call string analysis enhanced with execution order analysis.
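The regression step the abstract describes, as an added example (this is not the paper's framework or code). Constructed measurements stand in for what an LMBench-style harness would record while a tunable security module injects a known delay into every policy decision: the per-syscall slope of end-to-end latency against injected delay estimates how many authorization calls actually sit on the syscall's path, and a pooled multiple regression over all syscalls, with the traced call counts as a predictor, checks that each counted call is paid in full. The syscall names, authorization counts and latency values are all assumptions made up for the example.

```python
"""Estimate the per-authorization-call cost of policy enforcement from
end-to-end syscall latencies measured under a tunable-latency security
module.  Added example, not the paper's code; every number is constructed.
"""
from typing import Dict, List, Sequence, Tuple

# Constructed measurements (microseconds).  For each syscall: the number of
# policy-authorization calls counted on its path (from hook tracing), and
# (injected_delay_us, observed_end_to_end_latency_us) pairs.  Real data
# would come from an LMBench-style harness run while the tunable module
# spins for delay_us inside every authorization decision.
MEASUREMENTS_US: Dict[str, Tuple[int, List[Tuple[float, float]]]] = {
    "open": (3, [(0, 2.10), (1, 5.20), (2, 8.05), (4, 14.25), (8, 26.10)]),
    "stat": (1, [(0, 1.30), (1, 2.35), (2, 3.28), (4, 5.40), (8, 9.25)]),
    "read": (1, [(0, 0.90), (1, 1.95), (2, 2.88), (4, 4.95), (8, 8.85)]),
}


def ols(X: Sequence[Sequence[float]], y: Sequence[float]) -> List[float]:
    """Ordinary least squares via the normal equations (X^T X) b = X^T y,
    solved by Gauss-Jordan elimination with partial pivoting.  Pure Python
    so the example runs without numpy.  Raises on collinear predictors."""
    n, p = len(X), len(X[0])
    A = [[sum(X[r][i] * X[r][j] for r in range(n)) for j in range(p)]
         for i in range(p)]
    b = [sum(X[r][i] * y[r] for r in range(n)) for i in range(p)]
    for col in range(p):
        pivot = max(range(col, p), key=lambda r: abs(A[r][col]))
        if abs(A[pivot][col]) < 1e-12:
            raise ValueError("singular design matrix: collinear predictors")
        A[col], A[pivot] = A[pivot], A[col]
        b[col], b[pivot] = b[pivot], b[col]
        for r in range(p):
            if r == col:
                continue
            f = A[r][col] / A[col][col]
            for c in range(col, p):
                A[r][c] -= f * A[col][c]
            b[r] -= f * b[col]
    return [b[i] / A[i][i] for i in range(p)]


def fit_per_syscall(meas=MEASUREMENTS_US) -> Dict[str, Tuple[float, float]]:
    """Per syscall, fit latency = b0 + b1 * delay.  b0 is the latency with
    the hooks in place but no injected delay; b1 is how many times the
    injected delay is paid on the path, i.e. an estimate of the number of
    authorization calls on the critical path of that syscall."""
    out = {}
    for name, (_, points) in meas.items():
        X = [[1.0, float(d)] for d, _ in points]
        y = [t for _, t in points]
        b0, b1 = ols(X, y)
        out[name] = (b0, b1)
    return out


def check_against_counts(meas=MEASUREMENTS_US, tol: float = 0.1):
    """Compare the regression slope with the traced authorization count.
    A slope well below the count means some counted calls are not on the
    latency path (short-circuited or cached); a slope above it means the
    tracing missed a call site.  Returns name -> (count, slope, agrees)."""
    fits = fit_per_syscall(meas)
    return {name: (k, round(fits[name][1], 3), abs(fits[name][1] - k) <= tol)
            for name, (k, _) in meas.items()}


def pooled_cost_per_authorization(meas=MEASUREMENTS_US) -> float:
    """Multiple linear regression over all syscalls at once:
        latency = sum_s b_s * [syscall == s] + b_d * (count_s * delay)
    One intercept per syscall absorbs its base cost; b_d is the fraction
    of the injected delay paid per counted authorization call (1.0 means
    every counted call shows up in full in the end-to-end latency)."""
    names = list(meas)
    X, y = [], []
    for i, name in enumerate(names):
        k, points = meas[name]
        for d, t in points:
            row = [1.0 if j == i else 0.0 for j in range(len(names))]
            row.append(k * float(d))
            X.append(row)
            y.append(t)
    return ols(X, y)[-1]


if __name__ == "__main__":
    for name, (k, slope, ok) in check_against_counts().items():
        print(f"{name:5s} counted={k} slope={slope:.3f} agree={ok}")
    print(f"pooled cost per authorization call: "
          f"{pooled_cost_per_authorization():.3f} x injected delay")
```

With the constructed data the slopes come out at about 3, 1 and 1 for open, stat and read, matching the counted calls, and the pooled coefficient is about 1.0. On real measurements the interesting cases are the disagreements: a slope below the traced count points at authorization calls that are counted statically but skipped or cached at run time, which is exactly the distinction between hook placement and policy enforcement that the Policy Testing Module is meant to separate.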
