Title of invention |
Centralized kernel module loading |
Abstract |
Methods and systems for centralized kernel module loading are described. In one embodiment, a computing system detects a kernel module load event to load a kernel module into a kernel of a client. Upon detection of the kernel module load event, the computing system computes a cryptographic hash of the kernel module, and sends the cryptographic hash to an access control server to verify whether the cryptographic hash is a permitted hash. The computing system receives a response from the access control server to permit or deny the kernel module load event, and permits or denies the kernel module load event based on the response. |
Publication number |
US9111099(B2) |
Publication date |
2015.08.18 |
Application number |
US201113149808 |
Filing date |
2011.05.31 |
Applicant |
Red Hat, Inc. |
Inventors |
Paris Eric;Horman Neil |
Classification codes |
G06F21/10;G06F21/57;G06F21/60;H04L9/32 |
Main classification code |
G06F21/10 |
Agency |
Lowenstein Sandler LLP |
Agent |
Lowenstein Sandler LLP |
Independent claim |
1. A method comprising:
detecting, by a centralized kernel module loader executing by a client computing system, a kernel module load event to load a kernel module into a kernel of the client computing system;
upon detection of the kernel module load event, computing a cryptographic hash of the kernel module;
storing the computed cryptographic hash of the kernel module;
sending the computed cryptographic hash over a client-server network to an access control server executing by a server computing system to verify whether the cryptographic hash is a permitted hash;
receiving a response from the access control server to control loading of the kernel module for the kernel module load event, wherein the response indicates that the kernel module is a different version of a corresponding approved kernel module;
determining whether to deny the kernel module load event on the client computing system in view of the received response;
controlling the loading of the approved kernel module for the kernel module load event in view of on the received response; and
removing the stored computed cryptographic hash of the kernel module in response to determining to deny the kernel module load event on the client computing system. |
Address |
Raleigh NC US |