security/measure kernel directory and is thus very easy to port to new Linux kernel versions as long as the LSM interface does not change. We need to add another 2 loc into the load_module routine of kernel/module.c to measure loading kernel modules.
To instrument the bash shell, we insert 2 loc at the places where source files are loaded or script files are interpreted. These user level measure calls are based on a header file of 42 loc that translates the user level measure request macro into a proper write on /sys/security/measure. Porting the architecture from a 2.6.2 to a 2.6.5 Linux kernel took about 10 minutes. Moving from a non-LSM implementation in a 2.4 kernel to an LSM-based version of our integrity measurement architecture in the 2.6 kernel reduced the complexity of our implementation and increased its portability considerably.
We have successfully stacked our integrity measurement architecture as an LSM module on top of SELinux, which required small modifications of SELinux to call our hooks and to share security substructures in the file and inode kernel structures. These changes are minor but they are necessary because the current Linux LSM implementation leaves most of the stacking implementation to the modules themselves.
Our experiences show that a standard RedHat 9.0 Linux system including the X Window server and the Gnome Desktop system accumulates about 500-600 measurement entries after running for about one week, including about 60-100 bash script and source file measurements. Those bash measurements cover all bash service startup and shutdown scripts as well as local source scripts (e.g., ~/.bashrc). The overhead introduced by our measurement architecture is negligible even at boot time of the system, when most measurements are recorded and extended into the TPM. Thus we believe our performance results are representative of a normal Linux environment.