CENTRALIZED KERNAL MODULE LOADING

US 20120311341A1
Filed: 05/31/2011
Published: 12/06/2012
Est. Priority Date: 05/31/2011
Status: Active Grant

First Claim

Patent Images

1. A method, implemented by a computing system programmed to perform the following, comprising:

detecting a kernel module load event to load a kernel module into a kernel of a client;

upon detection of the kernel module load event, computing a cryptographic hash of the kernel module;

sending the cryptographic hash to an access control server to verify whether the cryptographic hash is a permitted hash;

receiving a response from the access control server to permit or deny the kernel module load event; and

permitting or denying the kernel module load event based on the response.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for centralized kernel module loading are described. In one embodiment, a computing system detects a kernel module load event to load a kernel module into a kernel of a client. Upon detection of the kernel module load event, the computing system computes a cryptographic hash of the kernel module, and sends the cryptographic hash to an access control server to verify whether the cryptographic hash is a permitted hash. The computing system receives a response from the access control server to permit or deny the kernel module load event, and permits or denies the kernel module load event based on the response.

39 Citations

View as Search Results

25 Claims

1. A method, implemented by a computing system programmed to perform the following, comprising:
- detecting a kernel module load event to load a kernel module into a kernel of a client;
  
  upon detection of the kernel module load event, computing a cryptographic hash of the kernel module;
  
  sending the cryptographic hash to an access control server to verify whether the cryptographic hash is a permitted hash;
  
  receiving a response from the access control server to permit or deny the kernel module load event; and
  
  permitting or denying the kernel module load event based on the response.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising:
    - registering a second kernel module as an event listener for kernel module load events; and
      
      monitoring for the kernel module load events by the second kernel module, wherein the second kernel modules computes the cryptographic hash.
  - 3. The method of claim 1, further comprising executing a user space application in a user space of the client, wherein the user space application sends the cryptographic hash to the access control server.
  - 4. The method of claim 2, wherein the user space application is an untrusted user space helper process.
  - 5. The method of claim 1, wherein the access control server is to verify the cryptographic hash is a permitted hash by checking if the cryptographic hash is in a list of explicitly permitted or denied hashes.
  - 6. The method of claim 1, wherein said receiving the response comprises receiving a message from the access control server, and wherein the message comprises:
    - the cryptographic hash;
      
      a decision to permit or deny the kernel module load event on the client; and
      
      a cryptographic signature of the cryptographic hash and the decision, wherein the access control server generates the cryptographic signature using a private key of the access control server.
  - 7. The method of claim 6, wherein said permitting or denying the kernel module load event comprises checking the message for validity using a public key loaded into the kernel.
  - 8. The method of claim 7, wherein said permitting or denying the kernel module load event further comprises matching the message to the kernel module load event that is outstanding.
  - 9. The method of claim 8, wherein said matching comprises comparing the computed cryptographic hash against the cryptographic graphic received in the message.
  - 10. The method of claim 1, wherein said sending the cryptographic hash comprises sending the cryptographic hash to the access control server via a network.
  - 11. The method of claim 1, wherein said sending the cryptographic hash comprises sending the cryptographic hash to the access control server via a hypervisor upcall to the access control server.
  - 12. The method of claim 1, wherein said computing the cryptographic hash comprises:
    - copying contents of the kernel module into memory of the client;
      
      calculating the cryptographic hash of the contents; and
      
      storing the cryptographic hash in the memory.
  - 13. The method of claim 12, further comprising:
    - linking the contents of the kernel module and executing the kernel module when the kernel module load event is permitted; and
      
      removing the contents of the kernel module from the memory when the kernel module load event is denied.
  - 14. The method of claim 1, wherein the client is a virtual machine executed by the computing system.
  - 15. The method of claim 1, wherein the client is the computing system.

16. A non-transitory computer readable storage medium including instructions that, when executed by a computing system, cause the computing system to perform a method comprising:
- detecting a kernel module load event to load a kernel module into a kernel of a client;
  
  upon detection of the kernel module load event, computing a cryptographic hash of the kernel module;
  
  sending the cryptographic hash to an access control server to verify whether the cryptographic hash is a permitted hash;
  
  receiving a response from the access control server to permit or deny the kernel module load event; and
  
  permitting or denying the kernel module load event based on the response.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The non-transitory computer readable storage medium of claim 16, wherein the method further comprises:
    - registering a second kernel module as an event listener for kernel module load events; and
      
      monitoring for the kernel module load events by the second kernel module, wherein the second kernel modules computes the cryptographic hash.
  - 18. The non-transitory computer readable storage medium of claim 16, wherein the method further comprises executing a user space application in a user space of the client, wherein the user space application sends the cryptographic hash to the access control server.
  - 19. The non-transitory computer readable storage medium of claim 17, wherein said receiving the response comprises receiving a message from the access control server, and wherein the message comprises:
    - the cryptographic hash;
      
      a decision to permit or deny the kernel module load event on the client; and
      
      a cryptographic signature of the cryptographic hash and the decision, wherein the access control server generates the cryptographic signature using a private key of the access control server.
  - 20. The non-transitory computer readable storage medium of claim 16, wherein said permitting or denying the kernel module load event comprises:
    - checking the message for validity using a public key loaded into the kernel; and
      
      matching the message to the kernel module load event that is outstanding.
  - 21. The non-transitory computer readable storage medium of claim 16, wherein said computing the cryptographic hash comprises:
    - copying contents of the kernel module into memory of the client;
      
      calculating the cryptographic hash of the contents; and
      
      storing the cryptographic hash in the memory.
  - 22. The non-transitory computer readable storage medium of claim 16, wherein the client is a virtual computing system executed by the computing system.

23. A computing system, comprising:
- a data storage device; and
  
  a processing device, coupled to the data storage device, to;
  
  detect a kernel module load event to load a kernel module into a kernel of a client;
  
  compute a cryptographic hash of the kernel module upon detection of the kernel module load event;
  
  send the cryptographic hash to an access control server to verify whether the cryptographic hash is a permitted hash;
  
  receive a response from the access control server to permit or deny the kernel module load event; and
  
  permit or deny the kernel module load event based on the response.
- View Dependent Claims (24, 25)
- - 24. The computing system of claim 23, further comprising a network connection coupled to a network, wherein the processing device is configured to send the cryptographic hash to the access control server via the network connection.
  - 25. The computing system of claim 23, wherein the processing device is configured to execute a centralized kernel module loader comprising:
    - an event listener to monitor for kernel module load events and to execute a user space application to send the cryptographic hash to the access control server;
      
      a decision module to permit or deny the kernel module load event based on the response; and
      
      a messaging module to check the validity of a message received as the response from the access control server using a public key of a key pair, the message including a digital signature encrypted by the access control server using the private key of the key pair, wherein the digital signature includes the cryptographic hash and a decision to permit or deny the kernel module load event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Horman, Neil, Paris, Eric

Granted Patent

US 9,111,099 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/179
CPC Class Codes

G06F 21/57 Certifying or maintaining t...

H04L 9/3236 using cryptographic hash fu...

CENTRALIZED KERNAL MODULE LOADING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

CENTRALIZED KERNAL MODULE LOADING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links