SimpleFlow implements a very simple view of information flow within the Linux kernel. (We do not claim to approach the sophistication of IX, HiStar, etc.) We have found the design of SimpleFlow useful in education and certain computer-security competitions, and we are also interested in the use of SimpleFlow to study post-compromise exfiltration and insider threats.

Under SimpleFlow, the system administrator designates some filesystem objects as confidential and some programs as trusted (SimpleFlow stores both using extended attributes). Any process not loaded from a trusted program will become tainted upon reading a confidential object. The kernel transfers this taint status from process to process as a result of inter-process communication (e.g., an untainted process reads from a tainted process over an IPC channel). If a tainted process writes to the network, the kernel sets the packet's RFC 3514 evil bit; this allows for a variety of filtering or spoofing strategies which might help determine the intention of the principal who read the confidential data in the first place.

SimpleFlow Virtual Machine

SimpleFlowDemo-0.3-linux-3.10.0.ova provides in OVA format a virtual machine which contains a SimpleFlow kernel along with a CentOS 7 installation. Some useful SimpleFlow-related commands include:

getfattr -n security.simple-flow.confidential -v true PATH
Set the confidential flag on the file at PATH.
getfattr -x security.simple-flow.confidential PATH
Remove the confidential flag from the file at PATH.
getfattr -n security.simple-flow.trusted -v true PATH
Set the trusted flag on the program at PATH.
getfattr -x security.simple-flow.trusted PATH
Remove the trusted flag from the program at PATH.
ps auxZ
Enumerate the running processes, including whether they are tainted.
echo 1 > /proc/PID/attr/current
Taint the process matching PID.
echo 0 > /proc/PID/attr/current
Untaint the process matching PID.
dmesg -w
Watch SimpleFlow (and other kernel) events.

Related publications


The SimpleFlow project is also available as a Git repository. To clone the repository, execute

git clone -b v3.10-simpleflow