A Framework for Enforcing Information Flow Policies

Abstract

Reactive approaches for ensuring security, like signature based scanning and behavior monitoring, have been around for quite some time. However they have failed to provide assurances about overall system integrity, and can easily be defeated by sophisticated techniques like code obfuscation and encryption. Another class of attacks includes those that occur in multiple steps (often referred to as multi-step attacks). Information flow based approaches provide a basis for mediating and tracking dependencies between system entities, and can thus prove to be helpful in overcoming these shortcomings. However, success in applying information flow based techniques to modern COTS operating systems has been limited, since a strict application of information flow policy can break existing applications and OS services. One common case of poor usability is when an application is denied write access to a high integrity file in the middle of the write-operation as a result of reading from a low integrity file.Our framework attempts to address this issue of loss in usability by maintaining integrity constraints for each subject (process) and object (files, sockets, IPC channels etc.) in the system, and permitting or denying access requests by ensuring that no invariant is violated. To achieve this, our approach maintains a per-process list of objects being accessed. For each new read-open request made by an application, our policy enforcer propagates integrity constraints from the objects in the application's list to the new object that the application wishes to open. The success or failure of the request then depends on the new object's ability to honor these constraints. This strategy restricts service denials to early failures, which the applications handle far more gracefully than read or write denials. To provide completeness to the solution, our framework enforces policies for all different types of objects (files, links, pipes, sockets, devices, IPC channels). The implementation of our framework utilizes Linux Security Module (LSM) hooks. A considerable portion of our work also deals with understanding and documenting the flow of the Linux kernel code involved in the LSM framework and mapping the abstract operations of our framework to the appropriate LSM hooks.