Attack Surface Metrics and Automated Compile-Time OS Kernel Tailoring

The economy of mechanism security principle states that program design should be kept as small and simple as possible. In practice, this principle is often disregarded to maximize user satisfaction, resulting in systems supporting a vast number of features by default, which in turn offers attackers a large code base to exploit. The Linux kernel exemplifies this problem: distributors include a large number of features, such as support for exotic file-systems and socket types, and attackers often take advantage of those. A simple approach to produce a smaller kernel is to manually configure a tailored Linux kernel. However, the more than 11,000 configuration options available in recent Linux versions make this a time-consuming and non-trivial task.

Resource Details

IBM logo
Provided by: