
System and Method for dynamic identification of refmon check necessity

IP.com Disclosure Number: IPCOM000234759D
Publication Date: 2014-Feb-03
Document File: 3 page(s) / 60K

Publishing Venue

The IP.com Prior Art Database

Abstract

The traditional approach to security in the AIX operating system relies on system calls containing refmon checks. A refmon check performs various access checks, such as privileges, authorizations, and discretionary access control checks. If the process has all the privileges required to execute the system call, the refmon check succeeds and the remaining instructions of the system call are executed; otherwise the refmon call returns EPERM (permission denied).

Problem statement: If a refmon check is missing or wrong in a system call where it is essential, a process without privileges can execute that system call. This gives improper access to the system call and to operating system objects, resulting in a system security breach. There is no system or method to identify such a breach, because there is no association between the functions, the objects they access, and the privileges they hold.

Our disclosure proposes a unique method to identify which system calls do not have a refmon check and to check whether a refmon check is necessary for those system calls. It also provides a unique way to identify the privileges required, based on the history of refmon check calls made by other system calls while operating on specified objects (objects are kernel data structures). The disclosure is a method to add refmon check privileges dynamically based on these dependencies. It identifies groups of objects that need the same privileges and identifies the functions operating on them with or without this privilege.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 41% of the total text.


The traditional approach to security in the AIX operating system relies on system calls containing refmon checks. A refmon check performs various access checks, such as privileges, authorizations, and discretionary access control checks. If the process has all the privileges required to execute the system call, the refmon check succeeds and the remaining instructions of the system call are executed; otherwise the refmon call returns EPERM (permission denied).

Problem statement:
---------------------------------------
If a refmon check is missing or wrong in a system call where it is essential, a process without privileges can execute that system call.

This gives improper access to the system call and to operating system objects, resulting in a system security breach.

There is no system or method to identify such a security breach, because there is no association between the functions, the objects they access, and the privileges they hold.

Our disclosure proposes a unique method to identify which system calls do not have a refmon check and to check whether a refmon check is necessary for those system calls.

This disclosure also provides a unique way to identify the privileges required, based on the history of refmon check calls made by other system calls while operating on specified objects (objects are kernel data structures). This disclosure is a method to add refmon check privileges dynamically based on these dependencies.

Our disclosure identifies groups of objects that need the same privileges and identifies the functions operating on them with or without this privilege.

For example: jfs_crfs() and jfs2_crfs() are two system calls responsible for creating a jfs file system and a jfs2 file system respectively. Suppose the jfs2_crfs() system call has a PV_FS refmon check, whereas the jfs_crfs() system call does not (the refmon check is absent or invalid). Both access the kernel file system management data structure. Because both access the same data structure, comparing jfs_crfs() against the refmon check in jfs2_crfs() reveals that jfs_crfs() is missing the PV_FS refmon check it requires. Our implementation will find this and add the PV_FS refmon check to jfs_crfs() automatically, making the system more secure.
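
The comparison in the example above can be sketched as follows. This is an added illustration, not code from the disclosure: it takes a constructed trace of which system calls touched which kernel object and which privilege each one checked, and reports calls that lack a privilege their peers on the same object enforce. Only jfs_crfs, jfs2_crfs and PV_FS come from the text; the object labels, the hypo_* calls, PV_HYPO_TIME and the min_support threshold are assumptions.

```python
from collections import defaultdict

# Constructed trace: (system call, kernel object touched, privilege checked
# through refmon, or None). Only jfs_crfs, jfs2_crfs and PV_FS come from the
# page; every hypo_* name, PV_HYPO_TIME and the object labels are hypothetical.
TRACE = [
    ("jfs2_crfs", "fs_mgmt", "PV_FS"),
    ("jfs_crfs", "fs_mgmt", None),
    ("hypo_mount", "fs_mgmt", "PV_FS"),
    ("hypo_settime", "clock", "PV_HYPO_TIME"),
    ("hypo_gettime", "clock", None),
    ("hypo_getpid", "proc_info", None),
]


def missing_checks(trace, min_support=1):
    """Return (call, object, privilege, peers) for each call that touched an
    object without a privilege that at least min_support peers checked."""
    checked = defaultdict(lambda: defaultdict(set))  # object -> priv -> calls
    seen = defaultdict(lambda: defaultdict(set))     # call -> object -> privs
    for call, obj, priv in trace:
        privs = seen[call][obj]          # records the access even if unchecked
        if priv is not None:
            privs.add(priv)
            checked[obj][priv].add(call)

    findings = []
    for call, objs in seen.items():
        for obj, privs in objs.items():
            for priv, callers in checked[obj].items():
                peers = callers - {call}
                if priv not in privs and len(peers) >= min_support:
                    findings.append((call, obj, priv, sorted(peers)))
    return sorted(findings)


if __name__ == "__main__":
    # One peer is enough in the page's example; this also flags hypo_gettime,
    # a read-only call, which is why each finding still needs review.
    for finding in missing_checks(TRACE):
        print("candidate:", finding)
    # Requiring two independent peers leaves only jfs_crfs.
    print(missing_checks(TRACE, min_support=2))
```

The threshold shows why the necessity of a check has to be confirmed before one is added: a single peer that checks a privilege is weak evidence when the unchecked call only reads the object.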

Advantages:

1> No system security breach.

2> System security increases with time.

Our disclosure proposes an unique method to identify which all the system calls don't hav...