XFilter: An Extension of the Integrity Measurement Architecture Based on Fine-Grained Policies
-
Published:2023-05-15
Issue:10
Volume:13
Page:6046
-
ISSN:2076-3417
-
Container-title:Applied Sciences
-
language:en
-
Short-container-title:Applied Sciences
Author:
Litchfield Alan1ORCID, Du Weihua2
Affiliation:
1. Service and Cloud Computing Research Lab, Auckland University of Technology, Auckland 1010, New Zealand 2. Datacom, Wellington 6011, New Zealand
Abstract
The Integrity Measurement Architecture subsystem on the Linux platform is a critical security component in the kernel to ensure the integrity of the running system. However, the default Integrity Measurement Architecture policy mechanisms based on options such as file owner and FSMAGIC cannot achieve a file-level configuration. Although Integrity Measurement Architecture supports the Linux Security Module policy rules to be close to the goal of fine-grained configuration, it is not easy to be managed because the Linux Security Module was not originally designed for integrity measurement. Moreover, the Linux Security Module-based policy does not apply in some use cases considering the type of Mandatory Access Control tools chosen by users. This paper presents a new policy configuration option, named XFilter, that achieves a fine-grained policy configuration method. The XFilter includes two policy matching mechanisms, XLabel and XList, which share the same policy token created for XFilter exclusively. XLabel marks the files for measurement using a label in the file’s extended attribute (xattr). By contrast, XList stores the measurement information in a list of file paths. To simplify the deployment, an automatic configuration process is implemented for integrating into the package management system. The evaluation results suggest that both mechanisms satisfy the requirements of file-level IMA policy control and create a performance burden for system operation in the acceptable range. They also reveal a positive correlation between the increment of the system latency and the growth of the length of file paths list for the XList mechanism.
Subject
Fluid Flow and Transfer Processes,Computer Science Applications,Process Chemistry and Technology,General Engineering,Instrumentation,General Materials Science
Reference55 articles.
1. Trusted Computing Group (2021, May 01). Trusted Computing. Available online: https://trustedcomputinggroup.org/trusted-computing. 2. Principles of remote attestation;Coker;Int. J. Inf. Secur.,2011 3. Francillon, A., Nguyen, Q., Rasmussen, K.B., and Tsudik, G. (2014, January 24–28). A minimalist approach to Remote Attestation. Proceedings of the 2014 Design, Automation Test in Europe Conference Exhibition (DATE), Dresden, Germany. 4. Kasatkin, D., and Zohar, M. (2021, May 01). Integrity Measurement Architecture (IMA). Available online: https://sourceforge.net/p/linux-ima/wiki. 5. Son, J., Koo, S., Choi, J., Choi, S.j., Baek, S., Jeon, G., Park, J.H., and Kim, H. (2017, January 3–7). Quantitative analysis of measurement overhead for integrity verification. Proceedings of the Symposium on Applied Computing, Marrakech, Morocco.
|
|