This paper describes "HP Secure OS Software for Linux" (HP-LX), a version of Linux that incorporates modifications into the kernel to improve security. A common attack strategy is to exploit a bug in a service, causing it to execute code that downloads additional executables and overwrites existing system executables and web pages. If the attack is in the form of a "worm", it will then probe the network looking for new targets.
This paper argues that incorporating additional features into the underlying operating system best resists such attacks. HP-LX has mechanisms that contain a process within a known part of the system and place severe limits on the damage that can be caused by attacks. These mechanisms restrict communication to constrain a process's ability to interfere with and probe the network or other processes. They protect the file system and can prevent even root from overwriting files. In addition, HP-LX has extensive auditing mechanisms for detecting compromised processes.