yeger00/ulsm (forked from argussecurity/ulsm)
ULSM

User-space Linux Security Module for fast research and development security concepts over LSM.

What is LSM?

LSM is a framework for developing security modules in the Linux kernel. The framework lets such a module register a callback function for specific actions. When such an action occurs, the callback is invoked and can decide whether to allow or block the action. For example, an LSM can register a callback on process execution (by implementing the bprm_check_security() hook). When a process execution occurs, the callback is called, and the LSM can decide to block that execution.

What is ULSM?

ULSM is a lightweight implementation of a security module that lets the developer write the decision logic in user space. Each callback function extracts all the relevant data from the kernel, serializes it, sends it to a user space process and waits for the verdict. The communication is performed over netlink. The user space process (ulsmd) waits for new messages. When it receives a message it deserializes it, applies the logic and decides on a verdict. It then sends this verdict back to the ULSM, which receives it and acts accordingly. The flow is illustrated in the following diagram:

When to use

The main advantage of the ULSM is fast logic development. It enables the developer to write, test, and receive feedback on their logic much quicker. This method is especially suited to quick & dirty POCs and to testing new security concepts.

When not to use

The main disadvantages of the ULSM are:

  • Performance - Transferring each action to user space increases the overhead of the LSM, which hurts performance.

  • Security - Adding serialization code to the kernel is bad practice and increases the attack surface.

  • Synchronization - You need to be very careful about which operations you perform from the user space process in order to avoid deadlock.

Because of these disadvantages it is not advised to use ULSM on a production system.
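The request/verdict cycle described above, as an added Python example that is not part of the repository's pyulsmd. It assumes a constructed struct-packed wire format in place of the project's process.capnp message, a placeholder policy, and an assumed self-exemption by daemon pid to illustrate the deadlock caveat (the daemon's own actions must not wait on the daemon).

```python
import struct

# Constructed wire format standing in for process.capnp (assumption so the
# example runs offline): pid, ppid, uid, path length, then the UTF-8 path.
HDR = struct.Struct("!IIIH")
ALLOW, DENY = 0, 1

# Placeholder policy: unprivileged execution from scratch directories is denied.
BLOCKED_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")


def encode_exec_event(pid, ppid, uid, path):
    """Serialize an exec event the way the kernel-side hook would (constructed format)."""
    data = path.encode()
    return HDR.pack(pid, ppid, uid, len(data)) + data


def decode_exec_event(raw):
    """Deserialize; raise ValueError on a truncated or inconsistent message."""
    if len(raw) < HDR.size:
        raise ValueError("short header")
    pid, ppid, uid, plen = HDR.unpack_from(raw)
    body = raw[HDR.size:]
    if len(body) != plen:
        raise ValueError("path length mismatch")
    return {"pid": pid, "ppid": ppid, "uid": uid, "path": body.decode()}


def decide(event):
    """Policy logic: the part a researcher iterates on in user space."""
    if event["uid"] != 0 and event["path"].startswith(BLOCKED_PREFIXES):
        return DENY
    return ALLOW


def handle_message(raw, daemon_pid):
    """One request/reply cycle. The kernel hook blocks until a reply arrives,
    so every message gets an answer; malformed input fails closed, and the
    daemon's own actions are allowed without consulting the policy (assumed
    mitigation: a policy that itself triggers a hooked action would deadlock)."""
    try:
        event = decode_exec_event(raw)
        verdict = ALLOW if event["pid"] == daemon_pid else decide(event)
    except (ValueError, UnicodeDecodeError):
        verdict = DENY
    return struct.pack("!B", verdict)


if __name__ == "__main__":
    for ev in [(1234, 1, 1000, "/usr/bin/ls"), (1235, 1, 1000, "/tmp/payload")]:
        reply = handle_message(encode_exec_event(*ev), daemon_pid=42)
        print(ev[3], "->", "deny" if reply == b"\x01" else "allow")
```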

More Resources

A recording of the session about ULSM from KTLV, in Hebrew, can be found here

Getting started

Prerequisites

  • Install Cap'n Proto by following the instructions on the repository.

  • Install c-capnproto (C library for the Cap'n Proto) by following the instructions on the repository. Note: currently the kernel support is not in the official c-capnproto repository.

Adding ULSM to your kernel

  • Clone the code from the repository:
git clone https://github.com/argussecurity/ulsm.git
cd ulsm
  • Copy the ULSM source code into the kernel source directory
KERNEL_PATH=/path/to/kernel
cp -r security/ulsm $KERNEL_PATH/security/
  • Copy the c-capnproto lib into the kernel source directory
C_CAPN_PATH=/path/to/c-capnproto
cp -r $C_CAPN_PATH/lib/ $KERNEL_PATH/security/ulsm/capn
  • Patch the kernel security Makefile and Kconfig to enable ULSM compilation. The repository's security/ directory contains patch files tested on linux-4.19.60. If you use this version, you can:
cd /path/to/linux-4.19.60/security/
patch -p0 < /path/to/ulsm-repo/security/Kconfig.patch
patch -p0 < /path/to/ulsm-repo/security/Makefile.patch

Otherwise, you need to adapt the patches to your kernel version.

  • Compile process.capnp
capnp compile -o$C_CAPN_PATH/capnpc-c -I $C_CAPN_PATH/compiler/ $KERNEL_PATH/security/ulsm/process.capnp
  • Build the kernel: configure the kernel to use ULSM, compile it and install it. On the next boot you will start to see ULSM messages:
dmesg | grep ulsm

Running pyulsmd

  • Install pycapnp (Python bindings for the Cap'n Proto) by following the instructions on the repository.

  • Run pyulsmd

cd pyulsmd
python pyulsmd.py
