Halting the hacker: a practical guide to computer security
Halting the hacker: a practical guide to computer security
Linux Security Modules: General Security Support for the Linux Kernel
Proceedings of the 11th USENIX Security Symposium
| Hi-index | 0.00 |
This paper describes "HP Secure OS Software for Linux" (HP-LX) - a version of Linux that incorporates modifications into the kernel to improve security. A common attack strategy is to exploit a bug in a service causing it to execute code that downloads additional executables, and overwrites existing system executables and web pages. If the attack is in the form of a "worm", it will then probe the network looking for new targets. This paper argues that incorporating additional features into the underlying operating system best resists such attacks. HP-LX has mechanisms that contain a process within a known part of the system and place severe limits on the damage that can be caused by attacks. These mechanisms restrict communication to constrain the ability to interfere with and probe the network or other processes. They protect the file system and can prevent even root from overwriting files. In addition HP-LX has extensive auditing mechanisms for detecting compromised processes.