论文信息 - Using CQUAL for Static Analysis of Authorization Hook Placement

Using CQUAL for Static Analysis of Authorization Hook Placement

The Linux Security Modules (LSM) framework is a set of authorization hooks for implementing flexible access control in the Linux kernel. While much effort has been devoted to defining the module interfaces, little attention has been paid to verifying the correctness of hook placement. This paper presents a novel approach to the verification of LSM authorization hook placement using CQUAL, a type-based static analysis tool. With a simple CQUAL lattice configuration and some GCC-based analyses, we are able to verify complete mediation of operations on key kernel data structures. Our results reveal some potential security vulnerabilities of the current LSM framework, one of which we demonstrate to be exploitable. Our experiences demonstrate that combinations of conceptually simple tools can be used to perform fairly complex analyses.

[1] Marco Pistoia,et al. Access rights analysis for Java , 2002, OOPSLA '02.

[2] David Evans,et al. Statically Detecting Likely Buffer Overflow Vulnerabilities , 2001, USENIX Security Symposium.

[3] David A. Wagner,et al. This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. Detecting Format String Vulnerabilities with Type Qualifiers , 2001 .

[4] George C. Necula,et al. CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[5] Matt Bishop,et al. Checking for Race Conditions in File Accesses , 1996, Comput. Syst..

[6] Dawson R. Engler,et al. Using programmer-written compiler extensions to catch security holes , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[7] Alexander Aiken,et al. A theory of type qualifiers , 1999, PLDI '99.

[8] Dawson R. Engler,et al. Checking system rules using system-specific, programmer-written compiler extensions , 2000, OSDI.