
Implementation and Usability Aspects

Our kernel implementation includes LSM hooks for measurement, dirty flagging, and bypass protection and comprises 4755 lines of code (loc) including comments. This code resides in its own security/measure kernel directory and is thus very easy to port to new Linux kernel versions as long as the LSM interface does not change. We need to add another 2 loc to the load_module routine of kernel/module.c to measure kernel modules as they are loaded. To instrument the bash shell, we insert 2 loc at the places where source files are loaded or script files are interpreted. These user-level measure calls rely on a 42-loc header file that translates the user-level measure request macro into a proper write on /sys/security/measure. Porting the architecture from a 2.6.2 to a 2.6.5 Linux kernel took about 10 minutes. Moving from a non-LSM implementation in a 2.4 kernel to an LSM-based version of our integrity measurement architecture in the 2.6 kernel reduced the complexity of our implementation and increased its portability considerably.
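The user-level side of this, as an added illustration rather than the paper's own header: a small header-style helper that turns a measure request macro into a write on /sys/security/measure, with the interface path taken as a parameter so the error path (module not loaded, short write) can be exercised without the kernel module. The request payload (the file's path as one write) and the macro name are assumptions.

```c
/* Added example in the spirit of the paper's 42-loc measurement header;
 * not the paper's code.  Assumed: the request is the measured file's path
 * written as one string, and the macro name MEASURE_FILE. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MEASURE_SYSFS_PATH "/sys/security/measure"   /* from the paper */

/* Ask the kernel to measure `path` by writing it to the sysfs interface at
 * `sysfs`.  Returns 0 on success, -errno otherwise (e.g. -ENOENT when the
 * measurement module is not loaded, -EIO on a short write).  Taking `sysfs`
 * as a parameter lets an unprivileged test point it at an ordinary file. */
static int measure_request(const char *sysfs, const char *path)
{
    int fd, saved;
    ssize_t n;
    size_t len;

    if (path == NULL || *path == '\0')
        return -EINVAL;
    len = strlen(path);
    fd = open(sysfs, O_WRONLY);
    if (fd < 0)
        return -errno;
    n = write(fd, path, len);
    saved = errno;               /* close() may clobber errno */
    close(fd);
    if (n < 0)
        return -saved;
    if ((size_t)n != len)
        return -EIO;             /* request not fully delivered */
    return 0;
}

/* The one-line call an instrumented program inserts where it is about to
 * read a source or script file.  A failed request is reported but does not
 * stop the caller, since the kernel side, not the application, enforces. */
#define MEASURE_FILE(p) do { \
    int _rc = measure_request(MEASURE_SYSFS_PATH, (p)); \
    if (_rc) fprintf(stderr, "measure: %s: %s\n", (p), strerror(-_rc)); \
} while (0)

int main(void)
{
    MEASURE_FILE("/etc/profile");   /* where bash would source a file */
    return 0;
}
```

On a kernel without the measurement module the call prints "No such file or directory" and the program continues, which is the failure mode an operator checking the measurement list should expect to see.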

We have successfully stacked our integrity measurement architecture as an LSM module on top of SELinux, which required small modifications of SELinux to call our hooks and to share security substructures in the file and inode kernel structures. These changes are minor but they are necessary because the current Linux LSM implementation leaves most of the stacking implementation to the modules themselves.

Our experience shows that a standard Red Hat 9.0 Linux system including the X Window server and the GNOME desktop accumulates about 500-600 measurement entries after running for about one week, including about 60-100 bash script and source file measurements. Those bash measurements cover all bash service startup and shutdown scripts as well as local source scripts (e.g., ~/.bashrc). The overhead introduced by our measurement architecture is negligible even at boot time, when most measurements are recorded and extended into the TPM. Thus we believe our performance results are representative of a normal Linux environment.


sailer 2004-05-18