Check out the new USENIX Web site. next up previous
Next: Acknowledgments Up: Design and Implementation of Previous: Discussion


We presented the design and implementation of a secure integrity measurement system for Linux. This system extends the TCG trust concepts from the BIOS all the way up into the application layer for a general operating system. We extend the operating system with hooks to measure when the first code is loaded into a process (file_mmap LSM hook), provide a measure sysfs entry to request subsequent measurements, and detect when changes to measured inodes occur. This mechanism enables the measurement of dynamic loaders, shared libraries, and kernel modules in addition to the executed files. Further, the approach is extensible, such that applications can measure their specialized loads as shown for bash. The result is that we show that many of the Microsoft NGSCB guarantees can be obtained on today's hardware and today's software and that these guarantees do not require a new CPU mode or operating system but merely depend on the availability of an independent trusted entity. Such a system can already detect a variety of integrity issues, such as the presence of rootkits or vulnerable software. Our measurements show that the non-development systems can be practically measured and that the measurement overhead is reasonable.

The measurement system is extensible and we believe that we can ultimately achieve guarantees beyond those of Microsoft NGSCB. The application of mandatory access control policy can ensure that dynamic data cannot be modified except by trusted sources [17]. Identification of low integrity data flows can enable the possibility of control over whether these flows should be allowed, whether effective restriction can be put on them at the system-level or within applications.

We are currently in the process of making the source code of our integrity measurement architecture implementation publicly available as open-source and pursue efforts to integrate it into the kernel as an optional LSM kernel module.

next up previous
Next: Acknowledgments Up: Design and Implementation of Previous: Discussion
sailer 2004-05-18