Open Source

Projects
Patches

Top Projects

SimpleFlow
libtlssep
guestrace
libdmapsharing
dmapd

System Integration

Notes
SRPMs

SimpleFlow

A simple information-flow-based security module for Linux

Overview

SimpleFlow implements a very simple view of information flow within the Linux kernel. (We do not claim to approach the sophistication of IX, HiStar, etc.) We have found the design of SimpleFlow useful in education and certain computer-security competitions, and we are also interested in the use of SimpleFlow to study post-compromise exfiltration and insider threats.

Under SimpleFlow, the system administrator designates some filesystem objects as confidential and some programs as trusted (SimpleFlow stores both using extended attributes). Any process not loaded from a trusted program will become tainted upon reading a confidential object. The kernel transfers this taint status from process to process as a result of inter-process communication (e.g., an untainted process reads from a tainted process over an IPC channel). If a tainted process writes to the network, the kernel sets the packet's RFC 3514 evil bit; this allows for a variety of filtering or spoofing strategies which might help determine the intention of the principal who read the confidential data in the first place.

SimpleFlow Virtual Machine

SimpleFlowDemo-0.3-linux-3.10.0.ova provides in OVA format a virtual machine which contains a SimpleFlow kernel along with a CentOS 7 installation. Some useful SimpleFlow-related commands include:

getfattr -n security.simple-flow.confidential -v true PATH
Set the confidential flag on the file at PATH.
getfattr -x security.simple-flow.confidential PATH
Remove the confidential flag from the file at PATH.
getfattr -n security.simple-flow.trusted -v true PATH
Set the trusted flag on the program at PATH.
getfattr -x security.simple-flow.trusted PATH
Remove the trusted flag from the program at PATH.
ps auxZ
Enumerate the running processes, including whether they are tainted.
echo 1 > /proc/PID/attr/current
Taint the process matching PID.
echo 0 > /proc/PID/attr/current
Untaint the process matching PID.
dmesg -w
Watch SimpleFlow (and other kernel) events.

Papers

 
Ryan Johnson, Jessie Lass, and W. Michael Petullo. Studying naïve users and the insider threat with SimpleFlow. In Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats, MIST '16, pages 35-46, New York, NY, USA, October 2016. ACM. [ bib | paper ]
Email: webpage@flyn.org — ✉ 315A South Moore Loop; West Point, New York 10996; USA