NORMA eResearch @NCI Library

Evaluating LSM-Based MAC Policies in Kernel Space for IoT Device Protection

Mamani Yucra, Alexander (2025) Evaluating LSM-Based MAC Policies in Kernel Space for IoT Device Protection. Masters thesis, Dublin, National College of Ireland.

Abstract

Environments with resource constraints, such as IoT devices, face a significant footprint challenge in implementing security policies. Previous research concluded that traditional Mandatory Access Control (MAC) systems like SELinux and AppArmor introduced considerable overhead, since these are executed in user space. Therefore, there is a need to optimize such security policy enforcement. Other research has also explored solutions such as tuning embedded MAC for IoT devices, but these involved complex modifications to the kernel, and interoperability across different IoT devices was not guaranteed. To address this need, the effectiveness of enforcing security policies in kernel space was evaluated using the extended Berkeley Packet Filter (eBPF), while minimizing both the resource footprint and modifications to the kernel. Experiments based on the Mirai attack were carried out to assess the effectiveness of these security policies under real-world conditions against IoT malware, successfully preventing Remote Login, DoS, and Infection of other IoT devices. Results showed that LSM BPF has an acceptable memory consumption of only 5.2% and better adoption on devices with only 128 MB of RAM compared to AppArmor. LSM BPF also enforced per-file control over common file systems used in IoT, demonstrating no dependency on extended attributes, unlike SELinux or Smack. Finally, analysis of OpenWrt firmware demonstrated a rapid adoption of kernel version 5.7+ (required for LSM BPF) in IoT devices from 2022 to 2024.

Item Type: Thesis (Masters)
Supervisors: Sahni, Vikas (Email: UNSPECIFIED)
Subjects: T Technology > T Technology (General) > Information Technology > Cloud computing
Q Science > QA Mathematics > Computer software > Computer Security
T Technology > T Technology (General) > Information Technology > Computer software > Computer Security
T Technology > TK Electrical engineering. Electronics. Nuclear engineering > Telecommunications > Computer networks > Internet of things
Divisions: School of Computing > Master of Science in Cloud Computing
Depositing User: Ciara O'Brien
Date Deposited: 30 Mar 2026 10:09
Last Modified: 30 Mar 2026 10:09
URI: https://norma.ncirl.ie/id/eprint/9243