Check out the new USENIX Web site. next up previous
Next: Microbenchmark: LMBench Up: Testing and Functionality Previous: Modules

Performance Overhead

The LSM framework imposes minimal overhead when compared with a standard Linux kernel. The LSM kernel used for benchmarking this overhead included the POSIX.1e capabilities security module in order to provide a fair comparison between an unmodified Linux kernel with built-in capabilities support and a LSM kernel with a capabilities module.

The LSM framework is designed to enable sophisticated access control models. The overhead imposed by such a model is a composite of the LSM framework overhead and the actual policy enforcement overhead. Policy enforcement is outside the scope of the LSM framework, however the performance impact of an enhanced access control module is still of interest. The SELinux module is benchmarked and compared against a standard Linux kernel with Netfilter enabled to show an example of module performance in Section 5.2.3.


Chris Wright 2002-05-13