Integration of Integrity Enforcing Technologies into Embedded Control Devices: Experiences and Evaluation

Rauter, Tobias; Höller, Andrea; Iber, Johannes; Krisper, Michael; Kreiner, Christian

doi:10.1109/prdc.2017.29

Cited by 6 publications

(2 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In manufacturing and power generation plants, the Supervisory Control and Data Acquisition (SCADA) system includes constrained devices that may see negative performance impacts from a verification mechanism. Application of IMAbased remote attestation provides trust with less performance impact [11,27], but IMA measurement lists are large and storage in constrained prover devices can be an issue. The potential solution is the incremental update approach in measurement maintenance.…”

Section: Prior Researchmentioning

confidence: 99%

“…Such an approach can help lower Central Processing Unit (CPU) time spent on hash processing. Additionally, limiting the number of binaries to be measured can reduce the size of the Measurement List (ML), which is critical for constrained devices [11]. Moreover, this approach addresses the nondeterminism problem, enabling the verification of the integrity of critical executables without the need to obtain an ML.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

XFilter: An Extension of the Integrity Measurement Architecture Based on Fine-Grained Policies

Litchfield

2023

Applied Sciences

View full text Add to dashboard Cite

The Integrity Measurement Architecture subsystem on the Linux platform is a critical security component in the kernel to ensure the integrity of the running system. However, the default Integrity Measurement Architecture policy mechanisms based on options such as file owner and FSMAGIC cannot achieve a file-level configuration. Although Integrity Measurement Architecture supports the Linux Security Module policy rules to be close to the goal of fine-grained configuration, it is not easy to be managed because the Linux Security Module was not originally designed for integrity measurement. Moreover, the Linux Security Module-based policy does not apply in some use cases considering the type of Mandatory Access Control tools chosen by users. This paper presents a new policy configuration option, named XFilter, that achieves a fine-grained policy configuration method. The XFilter includes two policy matching mechanisms, XLabel and XList, which share the same policy token created for XFilter exclusively. XLabel marks the files for measurement using a label in the file’s extended attribute (xattr). By contrast, XList stores the measurement information in a list of file paths. To simplify the deployment, an automatic configuration process is implemented for integrating into the package management system. The evaluation results suggest that both mechanisms satisfy the requirements of file-level IMA policy control and create a performance burden for system operation in the acceptable range. They also reveal a positive correlation between the increment of the system latency and the growth of the length of file paths list for the XList mechanism.

show abstract

Section: Prior Researchmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%