Verifying the Reliability of Operating System-Level Information Flow Control Systems in Linux

Georget, Laurent; Jaume, Mathieu; Piolle, Guillaume; Tronel, Frédéric; Tông, Valérie Viêt Triêm

doi:10.1109/formalise.2017.1

Cited by 12 publications

(11 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We use CamFlow [100] as the reference implementation throughout the paper, although there exist other whole-system provenance implementations; in § VI, we show that UNI-CORN works seamlessly with other capture mechanisms as well. CamFlow adopts the Linux Security Modules (LSM) framework [89] to ensure high-quality, reliable recording of information flows among data objects [45], [101]. LSM eliminates race conditions (e.g., TOCTTOU attacks) by placing mediation points inside the kernel instead of at the system call interface [61].…”

Section: B Whole-system Provenancementioning

confidence: 99%

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

127

111

View full text Add to dashboard Cite

Advanced Persistent Threats (APTs) are difficult to detect due to their "low-and-slow" attack patterns and frequent use of zero-day exploits. We present UNICORN, an anomalybased APT detector that effectively leverages data provenance analysis. From modeling to detection, UNICORN tailors its design specifically for the unique characteristics of APTs. Through extensive yet time-efficient graph analysis, UNICORN explores provenance graphs that provide rich contextual and historical information to identify stealthy anomalous activities without predefined attack signatures. Using a graph sketching technique, it summarizes long-running system execution with space efficiency to combat slow-acting attacks that take place over a long time span. UNICORN further improves its detection capability using a novel modeling approach to understand long-term behavior as the system evolves. Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects reallife APT scenarios with high accuracy.

show abstract

Section: B Whole-system Provenancementioning

confidence: 99%

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

127

111

View full text Add to dashboard Cite

show abstract

“…We built CamQuery on top of the CamFlow provenance capture system [3,79,80], our actively-maintained provenance monitor built as a stackable Linux Security Module (LSM) [69]. Compared to other existing capture techniques [34,72], an LSM-based approach ensures that CamFlow can observe and mediate all information flows between processes and kernel objects [27,31,36,51] (see § 4.2 for further discussion).…”

Section: Capture Mechanismmentioning

confidence: 99%

“…The LSM framework [69] was originally implemented to support Mandatory Access Control (MAC) schemes but not information flow tracking. Recent work by Georget et al [35,36] demonstrated, through static analysis of the kernel code base, that the LSM framework is applicable to information flow tracking, and that by adding a small number of LSM hooks, it was possible to properly intercept all information flows between kernel objects. Building on their work, we maintain a patch [5] to the LSM framework that allows CamFlow, and by extension CamQuery, to provide stronger guarantees than do previous whole-system provenance capture mechanisms.…”

Section: Ensuring Completeness and Accuracymentioning

confidence: 99%

Runtime Analysis of Whole-System Provenance

Pasquier

Han

Moyer

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Identifying the root cause and impact of a system intrusion remains a foundational challenge in computer security. Digital provenance provides a detailed history of the flow of information within a computing system, connecting suspicious events to their root causes. Although existing provenance-based auditing techniques provide value in forensic analysis, they assume that such analysis takes place only retrospectively. Such post-hoc analysis is insufficient for realtime security applications; moreover, even for forensic tasks, prior provenance collection systems exhibited poor performance and scalability, jeopardizing the timeliness of query responses.We present CamQuery, which provides inline, realtime provenance analysis, making it suitable for implementing security applications. CamQuery is a Linux Security Module that offers support for both userspace and in-kernel execution of analysis applications. We demonstrate the applicability of CamQuery to a variety of runtime security applications including data loss prevention, intrusion detection, and regulatory compliance. In evaluation, we demonstrate that CamQuery reduces the latency of realtime query mechanisms, while imposing minimal overheads on system execution. CamQuery thus enables the further deployment of provenance-based technologies to address central challenges in computer security. * Part of this work was completed at Harvard University and at the University of Cambridge.

show abstract

“…We have leveraged the expertise from our previous work on LSM [3] to map our model onto the LSM framework. Some flows cannot possibly enter in a race condition with others and require no disabling hook.…”

Section: Implementation and Experimentsmentioning

confidence: 99%

“…In a previous work [3], we have developed an approach to verify that LSM hooks were available in each system call generating an information flow, so that an information flow tracker could monitor all of them. This is a necessary condition to implement a correct information flow tracker.…”

Section: Introductionmentioning

confidence: 99%

Information Flow Tracking for Linux Handling Concurrent System Calls and Shared Memory

Georget

Jaume

Piolle

et al. 2017

Software Engineering and Formal Methods

Self Cite

View full text Add to dashboard Cite

Abstract. Information flow control can be used at the Operating System level to enforce restrictions on the diffusion of security-sensitive data. In Linux, information flow trackers are often implemented as Linux Security Modules. They can fail to monitor some indirect flows when flows occur concurrently and affect the same containers of information. Furthermore, they are not able to monitor the flows due to file mappings in memory and shared memory between processes. We first present two attacks to evade state-of-the-art LSM-based trackers. We then describe an approach, formally proved with Coq [12] to perform information flow tracking able to cope with concurrency and in-memory flows. We demonstrate its implementability and usefulness in Rfblare, a race conditionfree version of the flow tracking done by KBlare [4].

show abstract

Verifying the Reliability of Operating System-Level Information Flow Control Systems in Linux

Cited by 12 publications

References 13 publications

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Runtime Analysis of Whole-System Provenance

Information Flow Tracking for Linux Handling Concurrent System Calls and Shared Memory

Contact Info

Product

Resources

About