An Evaluation of Performance of Security Focused OS by Measuring the Overhead of LSM

Naoto Matsuda, Toshihiro Tabata
Graduate School of Natural Science and Technology, Okayama University
matsuda@swlab.it.okayama-u.ac.jp, tabata@cs.okayama-u.ac.jp

Seiji Munetoh
IBM Tokyo Research Laboratory
munetoh@jp.ibm.com

Abstract

Enterprise systems and individuals suffer from various attacks that exploit vulnerabilities in their systems. A security focused operating system (OS) is an effective way to address this problem. However, the performance of security focused OSs is rarely discussed. In Linux 2.6 the functions of a security focused OS are implemented using Linux Security Modules (LSM), so we have extended LSM to measure the overhead of its hooks and evaluated the performance of four typical security focused OSs. In this paper we describe the results of our analysis of the overhead of security focused OSs and of the LSM hooks.

1

root IDS OS OS
MAC root Linux 1 OS Linux 2.6 Linux Security Modules (LSM) [1] Security-Enhanced Linux (SELinux) [2] AppArmor [3] OS OS OS LSM LSM Performance Monitor (LSMPMON) Linux LSMPMON LSM OS LSMPMON OS

2

2.1 OS

2.1.1 OS MAC OS OS DAC UNIX root Windows Administrator DAC 1 Linux Linus Torvalds

[Figure 1: process /usr/sbin/httpd (label: httpd_t, ino: 123) performs read on resource /var/www/index.html (label: web_contents_t, ino: 456)]

1 Web Web MAC OS OS Linux SELinux, AppArmor, TOMOYO Linux [4] LIDS [5] OS Web httpd Web 1

2.1.2 SELinux
SELinux OS Linux OS SELinux 1 httpd_t web_contents_t

2.1.3 AppArmor
AppArmor Novell OS /usr/sbin/httpd /var/www/index.html

2.1.4 TOMOYO Linux
TOMOYO Linux NTT OS AppArmor
[Figure 2: LSM. Labels recovered from the figure: AP; user space; (1) control of the AP and retrieval of results; (2) DAC check; (3) LSM hook; (4) secure OS MAC check; (5) system call processing; kernel space; DAC check; LSM hook; securityfs; LSMPMON: obtains the time and the hook location, compares the results and stores them; secure OS MAC check]

httpd OS httpd httpd

2.1.5 LIDS
LIDS Xie Huangang Philippe Biondi OS LIDS i i vi emacs i

2.2 LSM
LSM Linux 2.6 LSM OS LSM LSM 2 AP DAC system call processing

3 LSMPMON
Linux 2.6.19 163 LSM OS 3 LSMPMON

3.1 OS OS OS LSM OS LSM LSM LSM Performance Monitor (LSMPMON) Linux

3.2

3.3 LSMPMON Linux 2.6.19.7 LSMPMON 3 LSMPMON LSM
Table 1
                SELinux        AppArmor        TOMOYO   LIDS
LSM hooks       149            39              17       38 + i
version         2.4.6-80.fc6   March 07 v405   2.0      2.2.3rc1

Table 2: LSMPMON (unit: sec)
ApacheBench     0.357    0.348

LSM OS LSM securityfs securityfs LSMPMON 4 securityfs echo cat AP LSM min max ave count OS LSMPMON 2 ApacheBench 100 LSMPMON 2.5%

LSMPMON
% echo 1 > /sys/kernel/security/lsmpmon/control
LSMPMON
% echo 0 > /sys/kernel/security/lsmpmon/control
% cat /sys/kernel/security/lsmpmon/result
hook            min    max        ave    count
----------------------------------------------
inode_create    97     1818075    105    3035605
inode_link
inode_unlink    97     80903      114    3035600
.

4

4.1 4 LSMPMON LSMPMON SELinux, AppArmor, LIDS, TOMOYO Linux LMbench [6] OS LSM

4.2 CPU: Intel Pentium 4 (3.0GHz), memory: 1GB, OS: Linux 2.6.19.7 OS None 2 4 OS 2 1 LMbench LMbench 5
2 LSMPMON LSM LSM LSMPMON LMbench 5 OS LSM OS 1

4.3 1 3 SELinux stat 58% stat 40% [7] SELinux 10KB 2 4 4 N/A 1,000 SELinux inode_create i AppArmor inode_create inode_unlink 10 TOMOYO Linux inode_permission 20 inode_permission LIDS i LSM 3 LSM 4 5 LSM 3 4 5 SELinux 0K file create file create inode_create TOMOYO Linux open/close open inode_permission 1.76 µsec TOMOYO Linux read write open 10KB

4.4 SELinux AppArmor TOMOYO Linux i LIDS i

5 LSM LSMPMON OS
Table 3 (unit: µsec; percentages are the increase over None)
                  None    SELinux        AppArmor       TOMOYO         LIDS
stat              1.67    2.65 (58%)     1.87 (12%)     2.02 (21%)     2.17 (30%)
open/close        2.49    3.62 (45%)     4.16 (67%)     8.76 (252%)    3.27 (31%)
0K file create    9.67    25.92 (168%)   14.16 (47%)    16.00 (66%)    13.90 (44%)
0K file delete    5.58    8.61 (54%)     8.03 (44%)     9.88 (77%)     6.68 (20%)
10K file create   36.82   51.86 (41%)    40.30 (9%)     41.50 (13%)    39.38 (7%)
10K file delete   15.82   19.66 (24%)    19.44 (23%)    21.40 (35%)    18.62 (18%)

Table 4: LSM (unit: µsec)
                   None    SELinux   AppArmor   TOMOYO   LIDS
inode_create       0.035   4.411     1.701      3.047    N/A
inode_unlink       0.038   0.270     1.523      2.803    0.096
inode_permission   0.034   0.152     0.110      0.142    0.156
inode_setattr      0.041   0.285     0.261      2.899    0.152
inode_getattr      0.035   0.124     0.035      N/A      N/A
file_permission    0.037   0.044     0.200      N/A      0.040

Table 5: LSM
stat           inode_permission x2, inode_getattr x1
open/close     inode_permission x3
file create    inode_permission x4, inode_create x1, inode_setattr x1, file_permission x1
file delete    inode_permission x2, inode_unlink x1

Linux OS Linux 4 OS OS LSM LSMPMON C&C

References

[1] C. Wright, C. Cowan, J. Morris, S. Smalley, G. Kroah-Hartman, Linux Security Modules: General Security Support for the Linux Kernel, Proceedings of the 11th USENIX Security Symposium, pp. 17-31, 2002.
[2] P. Loscocco, S. Smalley, Integrating Flexible Support for Security Policies into the Linux Operating System, Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference (FREENIX '01), pp. 29-42, 2001.
[3] Novell, AppArmor, http://www.novell.com/linux/security/apparmor/
[4] Linux Linux Conference 2005.
[5] LIDS, http://www.lids.org/
[6] LMbench, www.bitmover.com/lmbench/
[7] D. Roselli, J. R. Lorch, T. E. Anderson, A Comparison of File System Workloads, Proceedings of the 2000 USENIX Annual Technical Conference, pp. 41-54, USA, June 2000.