Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more ➡
Download
Standard view
Full view
of .
Add note
Save to My Library
Sync to mobile
Look up keyword
Like this
2Activity
×
0 of .
Results for:
No results containing your search query
P. 1
A Linux Kernel Module for Locking Down Applications on Linux Clients

A Linux Kernel Module for Locking Down Applications on Linux Clients

Ratings: (0)|Views: 1,113|Likes:
Published by ijcsis
Preventing the installation and execution of unauthorized software should be a high priority for any organization. Allowing users to install and execute unauthorized software can expose an organization to a variety of security risks. In this paper we present a graylisting solution to control application execution on Linux clients using a loadable kernel module. Our developed kernel based solution, Locking Applications on Linux Clients or LALC is a new Linux subsystem which adds a graylisting application lockdown capability to Linux kernel. The restriction policy applied by LALC to specific client is based on the preconfigured security level of the client’s group and on the application the client desire to execute or to install. LALC is flexible enough to support the business needs as well as new applications and new versions of existing applications. And it is so secure that no end user can circumvent its configuration.
Preventing the installation and execution of unauthorized software should be a high priority for any organization. Allowing users to install and execute unauthorized software can expose an organization to a variety of security risks. In this paper we present a graylisting solution to control application execution on Linux clients using a loadable kernel module. Our developed kernel based solution, Locking Applications on Linux Clients or LALC is a new Linux subsystem which adds a graylisting application lockdown capability to Linux kernel. The restriction policy applied by LALC to specific client is based on the preconfigured security level of the client’s group and on the application the client desire to execute or to install. LALC is flexible enough to support the business needs as well as new applications and new versions of existing applications. And it is so secure that no end user can circumvent its configuration.

More info:

Published by: ijcsis on Mar 08, 2011
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See More
See less

10/29/2013

pdf

text

original

 
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 2, February 2011
A Linux Kernel Module for Locking DownApplications on Linux Clients
 
Noureldien A. Noureldien
dept. of Computer ScienceUniversity of Science and TechnologyKhartoum, Sudannoureldien@hotmail.com
Abubakr A. Abdulgadir
dept. of Computer EngineeringUniversity of GeziraMadani, Sudanbakrysalih@gmail.com 
Abstract
Preventing the installation and execution of unauthorized software should be a high priority for anyorganization. Allowing users to install and execute unauthorizedsoftware can expose an organization to a variety of security risks.In this paper we present a graylisting solution to controlapplication execution on Linux clients using a loadable kernelmodule. Our developed kernel based solution, LockingApplications on Linux Clients or LALC is a new Linuxsubsystem which adds a graylisting application lockdowncapability to Linux kernel. The restriction policy applied byLALC to specific client is based on the preconfigured securitylevel of the client’s group and on the application the client desireto execute or to install. LALC is flexible enough to support thebusiness needs as well as new applications and new versions of existing applications. And it is so secure that no end user cancircumvent its configuration.
Keywords-Application Lockdown; Linux Kernel Module;Restriction Policy; Whitelisting; Blacklisting; Graylisting.
I.
 
I
NTRODUCTION
 The rising number of computer security incidents since1988 [3][4] suggests that malware is an epidemic.Malware is referred to by numerous names. Examplesinclude malicious software, malicious code and malcode. Manydefinitions have been offered to describe malware. Forinstance, [7] describe a malware instance as a program whoseobjective is malevolent. Malicious codes defined in [6] as “anycode added, changed, or removed from a software system inorder to intentionally cause harm or subvert the intendedfunction of the system.”Nowadays, in many organizations, employees can peruseweb sites, send and receive email, download software, andinstall applications whenever they want. On one hand, suchopenness helps business flow by empowering workers to useinformation freely; on the other, it can risk the security andintegrity of both computers and data as it opens a wide windowfor malware and malicious attacks.Often the first defensive step is to run an anti-virus andanti-malware protection software. These programs perform athorough cleaning of existing virus and malware infections,returning the systems to a relatively stable state. However, theyare typically just behind the hacker curve. Computers arevulnerable to newly released viruses or attacks until themalware code is identified and the anti-virus agents are updatedon every machine.Using these methods makes a “zero day attack” almostimpossible to prevent using anti-virus software. And due to thisfailure of anti-malware, organizations take the choice of locking down their entire networking environments.Locking down a network client can mean a lot of differentthings. In this paper we refer to a client as being locked down if it is configured in such a way that prevents unauthorizedapplications from being installed or executed.It is obvious that locking down clients will stop users frominstalling or executing an application that contains spyware, aTrojan, a virus, or some other form of malware. This willresult in a tremendous security improvement and businesscontinuity.Locking down client machines can be done using differentmethods. The problem with many of these methods, however,is that they are either impractical, costly or places a heavyburden on the network administrators.In this paper, we develop a kernel based solution forLocking Application on Linux Clients (LALC) applying agraylisting approach. LALC uses a central server that controlsapplications running on clients. The server was configured todefine client’s security levels and their associate allowable anddisallowable applications. Clients are configured to requestserver permission on executing an application. The serverpermits or denies client requests by comparing the hash valueof the requested application to those pre-stored values. Forflexibility and ease of use, the solution provides a ServerConfiguration Utility for managing clients groups, theirsecurity levels and their associate restriction lists.This paper is organized as follows. In Section II, we revisethe basic locking down approaches, and we discuss the designof LALC in Section III. In Section IV we show how weimplement and test LALC and we conclude the paper inSection V.
37 http://sites.google.com/site/ijcsis/ISSN 1947-5500
 
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 2, February 2011
II.
 
LOCKING
 
DOWN
 
APPROCHESBasically, there are three major approaches for lockingdown client applications; blacklisting, whitelisting andgraylisting.
A.
 
Blacklisting Approach
This approach applies the security premise “what is notexpressly defined to be prohibited must be allowed”. So in thisapproach only those applications that have been defined to beunwanted, the blacklist, will not be executed, all otherapplications will be allowed to run. Clearly this approach willnot defend against malicious applications not previouslyidentified in the blacklist.
B.
 
Whitelisting Approach
This is the reverse approach to blacklisting, it applies thesecurity premise “what is not expressly defined to be allowedmust be prohibited”. Application whitelisting is emerging asthe security technology that gives a true defense-in-depthcapability, filling in the gaps that anti-virus was never designedto cover. Application whitelisting is characterized by theability to identify authorized executables and associated filesand to treat as an attack any program or file that is not on theauthorized whitelist. Recent advances in applicationwhitelisting, including automatically approving files fromtrusted sources to reduce administrative overhead or allowingend-users to personalize their endpoint for greater useracceptance, has made application whitelisting an attractivechoice.Application whitelisting is a technique gatheringmomentum in commercial security systems. Most implementadditional access controls within the operating system to stopunauthorized programs from running. Products from companiessuch as CoreTrace [5], SolidCore [10] and Bit9 [2] all useapplication whitelists to create a safer working environment.
C.
 
Graylisting
 
Approach
This approach combines the previous two approaches; ituses three lists, while, black and a gray. This approach worksby focusing on valid whitelisting applications and allow onlythose applications to run. All the applications in the blacklistare not allowed to run. When an application is not in the whitelist or in the black list, it will be placed in the gray list forfurther justification. This approach uses software authenticationto reduce the problem of malware and other unwanted software[9].III.
 
LOCKING
 
APPLICATIONS
 
ON
 
LINUX
 
CLIENTS
 
(LALC)LALC is a graylisting solution that restricts applicationexecution on network Linux clients. The solution maintainsthree lists, a white list for applications that are authorized torun, a black list for applications that are solely prohibited and agray list for applications that are neither white nor black.LALC deploys client group restriction policy which allowestablishment of different client groups that have differentsecurity levels. For system flexibility LALC implements threesecurity levels, namely, Lockdown, Block-and-Ask andMonitor. In Lockdown level, only whitelisted applications areallowed to run. In Block-and-Ask a confirmation message forexecuting the application is sent to the user when theapplication is gray. In the Monitor level the gray applicationsare allowed to be executed without user confirmation. In allsecurity levels, the gray applications are added to the gray listfor later administrator analyses.
A.
 
LALC Components
LALC is a client/server application. On the client side, webuild two components, a Loadable Kernel Module (LKM) tointercept client attempts to execute applications, and an Agentprogram which was designed to calculate the hash value of thedesired application file using MD5 algorithm and tocommunicate with the server. Although the Agent Moduleemploys MD5 algorithm but any other hashing algorithm canbe used instead.On the server side we build a Server program to receiveclient’s requests and to generate responses, and a ServerConfiguration Utility to allow administrators to manage clientgroups, security levels and application lists.
1)
 
Client Components:
Two components are deployed oneach client; the Loadable Kernel Module (LKM) and theAgent.
a)
 
The Loadable Kernel Module (LKM):
The LKM isbuilt based on the facts that; a loadable kernel module is apiece of code that can be dynamically loaded or unloaded fromthe Linux kernel, and once it loaded it becomes a part of thekernel [8]. And Linux kernel dedicates a specific system call,namely execve, to handle client request to the kernel forexecuting a program file [1].LKM was designed to intercept client requests on behalf of the original execve, and to invoke the Agent. Based on thereturn value LKM may or may not allow original execve tohandle the client application.LKM comprises four functions; initialization(),custom_execev(), write() and read().
 
Initialization() :When LKM is loaded into the kernel itexecutes the initialization(). This function redirectsclient calls from the original execve system call to thecustom_execve function inside the LKM.Initialization() performs redirection by replacing theexecve address in the kernel table by the address of thecustom_execve(), and saving the original execveaddress. Also the initialization() prepares acommunication channel to the Agent process via a/proc file. It creates a /proc file and connect itsread/write operations with read() and write() inside theLKM. Also it creates two buffers to be used by LKMother functions, namely, Request Buffer and ResponseBuffer. Generally, /proc file system is a method usedfor communication between the kernel and userprocesses [9]. Fig. 1 shows how LKM initializationfunction works.
38 http://sites.google.com/site/ijcsis/ISSN 1947-5500
 
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 2, February 2011
 
custom_execve(): The purpose of this function is toreplace the original execve system call, and therefore itwill be executed whenever a client process desires toexecute an application file. It saves the name of theapplication file to be executed in the Request Bufferand sets a flag to indicate that a request to execute anapplication file is pending (Request_Pending = 1).After that it wakes up the Agent to handle the pendingrequest, and it renders itself in awaiting state. Aftercustom_execve wakes up by the write(), it reads theRequest Buffer and resets the pending flag. Based onthe value in the buffer, custom_execve either allowsthe execution of the application or denies it. Onallowing execution custom_execve executes theoriginal execve system call, and on denying, it returnsan error code on behalf of the original execve systemcall. Fig.2 shows how the custom execve functionworks.
Figure 1. KLM Initialization Function
 
read(): When the Agent tries to read the /proc file thisfunction is executed. It waits until the variableRequest_Pending is set. Once the variable is set, itreturns the contents of the Request Buffer - which isthe application file name- to the Agent module.
 
write(): When the Agent tries to write to the /proc filethis function is executed. The purpose of write() is towrite to Response Buffer the message that the Agentdesire to write to the /proc file and then it call uponcustom_execve function.
Figure 2. LKM custom_execve function
b)
 
The
 
Agent:
The Agent program is a user levelprogram that runs in the client machine. Its purpose is tocalculate the hash value for the application file content, and toforward it to the server combined with the requesting clienthostname and the application file name. Later, the Agent hasto forward back the server’s response to the LKMcustom_execve function through writing to /proc file. Fig.3shows how Agent works.
Figure 3. Agent program main loop
2)
 
Server Components:
Two components are deployed onthe server side; the Server program and the ServerConfiguration Utility.
39 http://sites.google.com/site/ijcsis/ISSN 1947-5500

You're Reading a Free Preview

Download
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->