SimpleFlow: simple information-flow-based security module for Linux

SimpleFlow: simple information-flow-based security module for Linux

[W. Michael Petullo]

Some colleagues and I have been working on SimpleFlow, a simple
information-flow-based security module for Linux. Our goal is to
investigate the feasibility of implementing such a security model on
top of LSM and to produce a prototype which is useful for education and
certain computer-security competitions.

We have adopted a very simple view of information flow (we do not claim
to approach HiStar, etc.). The system administrator designates some
filesystem objects as "confidential" and some programs as "trusted"
(both stored using extended attributes). Any process not loaded from
a trusted program will become "tainted" upon reading a confidential
object. The kernel transfers this taint status from process to process
as a result of inter-process communication (i.e., an untainted process
reads from a tainted process over an IPC channel). If a tainted process
writes to the network, the packet gets its RFC 3514 evil bit set.

All of this seems to sort of work. We do our best to handle the forms
of IPC including shared memory. The grand multi-source transformer X11
poses a problem; we presently set X11 as trusted, but we have plans to
deal with X11 in X11 as SELinux has attempted.

We tried to avoid making changes to the core kernel. One such change is
an additional LSM call in fs/pipe.c. The other is a #define for the RFC
3514 evil bit.

For practical reasons, we have so far targeted 3.10.0. We intend to
eventually port to a kernel that supports LSM stacking.

We are presently preparing a paper that describes some of the things we
have done with SimpleFlow, and we are interested in hearing any feedback
on our approach or code. We attached a patch which represents our work
so far. We realize this is niche work, and perhaps SimpleFlow itself does
not belong in the mainline kernel. However, we would be keen to discuss
the concept even with people who are mildly interested.

Thank you,

-- 
Mike

:wq
-------------- next part --------------
A non-text attachment was scrubbed...
Name: linux-3.10.0-327.el7-simple-flow.patch.gz
Type: application/gzip
Size: 13694 bytes
Desc: not available
Url : http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20160419/d3b35377/attachment.bin 

SimpleFlow: simple information-flow-based security module for Linux

[Greg KH]

On Tue, Apr 19, 2016 at 10:48:30PM -0400, W. Michael Petullo wrote:
> Some colleagues and I have been working on SimpleFlow, a simple
> information-flow-based security module for Linux. Our goal is to
> investigate the feasibility of implementing such a security model on
> top of LSM and to produce a prototype which is useful for education and
> certain computer-security competitions.
> 
> We have adopted a very simple view of information flow (we do not claim
> to approach HiStar, etc.). The system administrator designates some
> filesystem objects as "confidential" and some programs as "trusted"
> (both stored using extended attributes). Any process not loaded from
> a trusted program will become "tainted" upon reading a confidential
> object. The kernel transfers this taint status from process to process
> as a result of inter-process communication (i.e., an untainted process
> reads from a tainted process over an IPC channel). If a tainted process
> writes to the network, the packet gets its RFC 3514 evil bit set.
> 
> All of this seems to sort of work. We do our best to handle the forms
> of IPC including shared memory. The grand multi-source transformer X11
> poses a problem; we presently set X11 as trusted, but we have plans to
> deal with X11 in X11 as SELinux has attempted.
> 
> We tried to avoid making changes to the core kernel. One such change is
> an additional LSM call in fs/pipe.c. The other is a #define for the RFC
> 3514 evil bit.
> 
> For practical reasons, we have so far targeted 3.10.0. We intend to
> eventually port to a kernel that supports LSM stacking.

3.10.0 is almost 3 years old and very obsolete, please use a much newer
kernel as lots of stuff has changed in the vfs that you will have to
deal with eventually.

> We are presently preparing a paper that describes some of the things we
> have done with SimpleFlow, and we are interested in hearing any feedback
> on our approach or code. We attached a patch which represents our work
> so far. We realize this is niche work, and perhaps SimpleFlow itself does
> not belong in the mainline kernel. However, we would be keen to discuss
> the concept even with people who are mildly interested.

Try posting this to the linux-security list, they would be interested.

thanks,

greg k-h