SimpleFlow implements a very simple view of information flow within the Linux kernel. (We do not claim to approach the sophistication of IX, HiStar, etc.) We have found the design of SimpleFlow useful in education and certain computer-security competitions, and we are also interested in the use of SimpleFlow to study post-compromise exfiltration and insider threats.
Under SimpleFlow, the system administrator designates some filesystem objects as confidential and some programs as trusted (SimpleFlow stores both using extended attributes). Any process not loaded from a trusted program will become tainted upon reading a confidential object. The kernel transfers this taint status from process to process as a result of inter-process communication (e.g., an untainted process reads from a tainted process over an IPC channel). If a tainted process writes to the network, the kernel sets the packet's RFC 3514 evil bit; this allows for a variety of filtering or spoofing strategies which might help determine the intention of the principal who read the confidential data in the first place.
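The three rules above (taint on reading a confidential object unless the program is trusted, taint transfer across IPC, and the RFC 3514 evil bit on packets from tainted processes) are easy to get wrong when reasoning about a scenario by hand. The following is an added example, not SimpleFlow's own code: a small user-space model of those rules, plus an evil-bit check on raw IPv4 headers as one concrete filtering strategy a network device could apply. The object names, PIDs, pipe name, addresses and the in-memory "filesystem" are all constructed for illustration; SimpleFlow itself enforces these rules inside the kernel, keyed on extended attributes and /proc/PID/attr/current.

```python
# Added example: user-space model of the SimpleFlow taint rules plus an
# RFC 3514 evil-bit filter. Not SimpleFlow's code; all names below are made up.
import socket
import struct
from dataclasses import dataclass

EVIL_BIT = 0x8000  # RFC 3514: reserved high bit of the IPv4 flags/fragment word


@dataclass
class FsObject:
    name: str
    confidential: bool = False  # models security.simple-flow.confidential
    trusted: bool = False       # models security.simple-flow.trusted (programs)


@dataclass
class Process:
    pid: int
    image: FsObject             # program this process was loaded from
    tainted: bool = False       # models the 0/1 value in /proc/PID/attr/current


@dataclass
class Channel:
    name: str                   # an IPC channel such as a pipe
    tainted: bool = False       # carries the taint of whatever wrote to it


class SimpleFlowModel:
    def __init__(self):
        self.log = []

    def read_file(self, proc, obj):
        # Rule 1: only processes NOT loaded from a trusted program are tainted
        # by reading a confidential object.
        if obj.confidential and not proc.image.trusted and not proc.tainted:
            proc.tainted = True
            self.log.append(f"pid {proc.pid} tainted: read {obj.name}")

    def write_channel(self, proc, chan):
        # A tainted writer taints the channel so the taint can reach readers.
        if proc.tainted and not chan.tainted:
            chan.tainted = True
            self.log.append(f"{chan.name} tainted: written by pid {proc.pid}")

    def read_channel(self, proc, chan):
        # Rule 2: taint crosses IPC from writer to reader.
        if chan.tainted and not proc.tainted:
            proc.tainted = True
            self.log.append(f"pid {proc.pid} tainted: read {chan.name}")

    def send_packet(self, proc, src, dst, payload):
        # Rule 3: packets from a tainted process carry the evil bit.
        return build_ipv4(src, dst, payload, EVIL_BIT if proc.tainted else 0)


def ipv4_checksum(header):
    """Ones-complement sum over 16-bit words (RFC 1071); 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, flags_frag, proto=17):
    """Minimal 20-byte IPv4 header (no options) with checksum, then payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def is_evil(packet):
    """Filter predicate: True when an IPv4 packet has the RFC 3514 evil bit set."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    (flags_frag,) = struct.unpack("!H", packet[6:8])
    return bool(flags_frag & EVIL_BIT)


def run_scenario():
    """Constructed scenario: a trusted backup tool and an untrusted viewer both
    read a confidential file; the viewer passes data to an uploader over a pipe."""
    model = SimpleFlowModel()
    secret = FsObject("/home/alice/secret.txt", confidential=True)
    backup = Process(100, FsObject("/usr/bin/backup", trusted=True))
    viewer = Process(101, FsObject("/usr/bin/viewer"))
    uploader = Process(102, FsObject("/usr/bin/uploader"))
    pipe = Channel("pipe:[4242]")

    model.read_file(backup, secret)      # trusted program: stays untainted
    model.read_file(viewer, secret)      # untrusted program: becomes tainted
    model.write_channel(viewer, pipe)
    model.read_channel(uploader, pipe)   # taint follows the data through IPC
    from_uploader = model.send_packet(uploader, "192.0.2.10", "198.51.100.7", b"x")
    from_backup = model.send_packet(backup, "192.0.2.10", "198.51.100.7", b"x")
    return {
        "backup_tainted": backup.tainted,
        "viewer_tainted": viewer.tainted,
        "uploader_tainted": uploader.tainted,
        "uploader_packet_flagged": is_evil(from_uploader),
        "backup_packet_flagged": is_evil(from_backup),
        "log": model.log,
    }
```

Running `run_scenario()` shows the point of the trusted flag: the backup process reads the same confidential file as the viewer but stays untainted, so its traffic is not flagged, while the uploader never touched the file and is still flagged because the taint reached it through the pipe. `is_evil` is deliberately a pure function over packet bytes so the same predicate can sit behind a packet-capture loop or a firewall rule generator.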
SimpleFlow Virtual Machine
SimpleFlowDemo-0.3-linux-3.10.0.ova is a virtual machine image in OVA format containing a CentOS 7 installation that runs a SimpleFlow kernel. Some useful SimpleFlow-related commands include:
- setfattr -n security.simple-flow.confidential -v true PATH
  Set the confidential flag on the file at PATH.
- setfattr -x security.simple-flow.confidential PATH
  Remove the confidential flag from the file at PATH.
- setfattr -n security.simple-flow.trusted -v true PATH
  Set the trusted flag on the program at PATH.
- setfattr -x security.simple-flow.trusted PATH
  Remove the trusted flag from the program at PATH.
- ps auxZ
  Enumerate the running processes, including whether each is tainted.
- echo 1 > /proc/PID/attr/current
  Taint the process with the given PID.
- echo 0 > /proc/PID/attr/current
  Untaint the process with the given PID.
- dmesg -w
  Watch SimpleFlow (and other kernel) events as they are logged.
The SimpleFlow project is also available as a Git repository. To clone the SimpleFlow kernel branch, execute:
git clone https://www.flyn.org/git/simple-flow-kernel -b v3.10-simpleflow