LSM (Linux Security Modules) has been developed as a lightweight, general-purpose access control framework for the mainstream Linux kernel, and many tools employ LSM to implement mandatory access control of processes. However, when administrators intend to employ LSM to control a user's behavior instead of just a process's, things become more complicated. Since a user's behavior is reflected by a variety of processes, the control of a user turns into the control of the processes associated with that user, which requires the ability to match a process's identity to a particular user. Unfortunately, without a strong user authentication mechanism, malicious users can easily bypass the behavior control framework by juggling the identity of a process. In this paper, a practical, efficient, and secure mechanism, RTA (Real-Time Authentication), is proposed to add real-time user authentication support to traditional LSM. The proposed mechanism employs the ID management framework in a thin hypervisor, BitVisor. Finally, a new security module called EWL (Executable White List) is designed and implemented based on RTA and LSM. The experimental results show that EWL ensures security and has small system overhead.