Next: 3 Piranha Audit details Up: Piranha Audit: A Kernel Previous: 1 Introduction

2 General overview

The standard Linux Kernel meets Division C, Class 2 only "partially" in the Audit context, since it has no system routine that records events of object introduction or deletion.

Once this problem is solved, the following are required to reach Division B, Class 1:

(a) The audit record must include, for each event that either introduces an object into a user's address space or deletes an object, the name of the object and the object's security level.

(b) Moreover, the system manager must be able to selectively audit the actions of any one or more users based on individual identity and/or object security level.

(c) Finally, it must be possible to audit any override of human-readable output markings.

To reach Class 3:

(d) One of the required features is a mechanism that is able to monitor the occurrence or accumulation of security-auditable events that may indicate an imminent violation of the security policy. This mechanism must be able to immediately notify the security administrator when thresholds are exceeded, and, if the occurrence or accumulation of these security-relevant events continues, the system must take the least disruptive action to terminate the event.

(e) Moreover, some mechanism is needed for identifying events that may be used in the exploitation of covert storage channels.

In this paper, we describe an extension of the standard Linux Kernel that reaches Division C, Class 2 and solves problems (a)-(d) as well. Problem (e) is currently solved only for a particular case: File Flag Communication. By this term we mean an illegal communication from root to user processes based on the presence of a file, which signals, for example, one bit of information; this part still needs more work.
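As an added illustration of requirements (a), (b) and (d) above, this is a user-space model of the audit semantics, not code from the Piranha Audit kernel extension; the event fields, the sample records and the two thresholds are assumptions chosen for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    uid: int      # subject identity (assumed numeric uid)
    action: str   # "introduce" (object enters address space) or "delete"
    obj: str      # object name, as required by (a)
    level: int    # object security level, as required by (a); 0 = lowest (assumed)


# Constructed sample records, not real kernel output.
SAMPLE_EVENTS = [
    AuditEvent(1001, "introduce", "/home/alice/notes", 0),
    AuditEvent(1001, "delete", "/home/alice/notes", 0),
    AuditEvent(1002, "introduce", "/secret/plan", 3),
    AuditEvent(1002, "introduce", "/secret/budget", 3),
    AuditEvent(1002, "delete", "/secret/plan", 3),
    AuditEvent(1002, "introduce", "/secret/memo", 2),
    AuditEvent(1002, "delete", "/secret/memo", 2),
    AuditEvent(1002, "introduce", "/secret/plan", 3),
    AuditEvent(1003, "introduce", "/tmp/x", 1),
]


def select_events(events, uids=None, min_level=None):
    """Requirement (b): audit only selected users and/or objects at or above a level."""
    return [e for e in events
            if (uids is None or e.uid in uids)
            and (min_level is None or e.level >= min_level)]


def threshold_monitor(events, notify_at, terminate_at):
    """Requirement (d): track accumulation of auditable events per user.
    Emit ("notify", uid, obj) when a user's count reaches notify_at and
    ("terminate", uid, obj) when it continues to terminate_at, i.e. the point at
    which the system must take the least disruptive action against that subject."""
    counts = Counter()
    actions = []
    for e in events:
        counts[e.uid] += 1
        if counts[e.uid] == notify_at:
            actions.append(("notify", e.uid, e.obj))
        elif counts[e.uid] == terminate_at:
            actions.append(("terminate", e.uid, e.obj))
    return actions
```

Running the monitor over only the events selected by security level shows how the two requirements compose: a policy of "audit objects at level 2 or above" feeds the threshold mechanism without touching lower-level activity.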

Now we will describe a list of typical attacks [2].

New forms of attacks appear every day. This list can only be a short example.


2000-08-07