SimpleFlow: simple information-flow-based security module for Linux

Greg KH greg at kroah.com
Wed Apr 20 01:54:48 EDT 2016


On Tue, Apr 19, 2016 at 10:48:30PM -0400, W. Michael Petullo wrote:
> Some colleagues and I have been working on SimpleFlow, a simple
> information-flow-based security module for Linux. Our goal is to
> investigate the feasibility of implementing such a security model on
> top of LSM and to produce a prototype which is useful for education and
> certain computer-security competitions.
> 
> We have adopted a very simple view of information flow (we do not claim
> to approach HiStar, etc.). The system administrator designates some
> filesystem objects as "confidential" and some programs as "trusted"
> (both stored using extended attributes). Any process not loaded from
> a trusted program will become "tainted" upon reading a confidential
> object. The kernel transfers this taint status from process to process
> as a result of inter-process communication (i.e., an untainted process
> reads from a tainted process over an IPC channel). If a tainted process
> writes to the network, the packet gets its RFC 3514 evil bit set.
> 
> All of this seems to sort of work. We do our best to handle the forms
> of IPC including shared memory. The grand multi-source transformer X11
> poses a problem; we presently set X11 as trusted, but we have plans to
> deal with X11 in X11 as SELinux has attempted.
> 
> We tried to avoid making changes to the core kernel. One such change is
> an additional LSM call in fs/pipe.c. The other is a #define for the RFC
> 3514 evil bit.
> 
> For practical reasons, we have so far targeted 3.10.0. We intend to
> eventually port to a kernel that supports LSM stacking.

3.10.0 is almost 3 years old and very obsolete, please use a much newer
kernel as lots of stuff has changed in the vfs that you will have to
deal with eventually.

> We are presently preparing a paper that describes some of the things we
> have done with SimpleFlow, and we are interested in hearing any feedback
> on our approach or code. We attached a patch which represents our work
> so far. We realize this is niche work, and perhaps SimpleFlow itself does
> not belong in the mainline kernel. However, we would be keen to discuss
> the concept even with people who are mildly interested.

Try posting this to the linux-security list, they would be interested.

thanks,

greg k-h



More information about the Kernelnewbies mailing list