Selective monitoring of 'information flow' events??
Robert Watson
rwatson at FreeBSD.org
Thu Nov 24 15:44:44 GMT 2005
On Thu, 24 Nov 2005, Marcin Koziej wrote:
> The labels and access control of MAC modules is even more exciting,
> because there might be a feedback from the AI app to the module to track
> only objects labeled 'tainted' or block activity detected as intrusion.
>
> As for asynchronous operations and message tracking -- I think that for
> a start I'll just need the interaction patterns between system objects
> -- it just matters that one process did a write on an IPC object, which
> could be marked 'tainted'; the read from the tainted IPC object would
> taint the reader... I am, however, beginning to work on this -- so these
> requirements might not be enough to build a functional IDS. Another
> thing is, I might not understand all the nuances which asynchronous
> operation brings (this will probably come up sooner or later).
You may want to take a look at the mac_lomac module -- it hasn't had a
maintainer in a while, but implements the floating label integrity policy
described in Biba's paper, and basically operates on a taint model:
whenever a higher integrity subject reads from a lower integrity object,
the subject label is floated downward to match the object. This is based
on work Tim Fraser did at TIS a number of years ago, and is described in
Tim Fraser's "LOMAC: MAC You Can Live With" paper in the proceedings of
USENIX/FREENIX 2001. The current code was largely implemented by Brian
Feldman based on the mac_biba module. It's probably rotted a bit over
time, but might be a useful starting point for looking at how to implement
floating labels.
Robert N M Watson
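A toy model of the floating-label behaviour Robert describes (a subject that reads a lower-integrity object floats down to its level) combined with the IPC tainting Marcin sketches, as an added Python example that is not code from mac_lomac or from this list. The integrity levels, the rule that a floating IPC object is demoted when a lower-integrity subject writes to it, the "protected" non-floating object and all names are assumptions made for the illustration.

```python
"""Simplified floating-label (LOMAC-style) taint propagation.

Constructed illustration, not the mac_lomac implementation. Assumed semantics:
  - reading a lower-integrity object floats the subject down to its level
  - writing to a higher-integrity *floating* object (e.g. a pipe) taints it:
    the object is demoted to the writer's level
  - writing to a higher-integrity *protected* object (e.g. a system file)
    is denied, as in Biba's "no write up"
Integrity levels are small ints; higher means more trusted.
"""
from dataclasses import dataclass

HIGH, LOW = 2, 0
audit: list[str] = []  # event trail an IDS could consume (see the thread)


@dataclass
class Subject:
    name: str
    level: int


@dataclass
class Obj:
    name: str
    level: int
    floating: bool = True  # IPC objects float; protected files do not


def read(s: Subject, o: Obj) -> bool:
    """Always permitted; floats the subject down if the object is lower."""
    if o.level < s.level:
        audit.append(f"float {s.name} {s.level}->{o.level} (read {o.name})")
        s.level = o.level
    return True


def write(s: Subject, o: Obj) -> bool:
    """Return True if the write is permitted, recording taint or denial."""
    if s.level >= o.level:
        return True
    if o.floating:
        audit.append(f"taint {o.name} {o.level}->{s.level} (write by {s.name})")
        o.level = s.level
        return True
    audit.append(f"deny write {s.name}->{o.name} ({s.level} < {o.level})")
    return False


def scenario():
    """Low-integrity writer -> pipe -> reader is tainted -> write to file denied."""
    audit.clear()
    netd = Subject("netd", LOW)               # handles untrusted network input
    pipe = Obj("pipe", HIGH)                  # IPC object, floats
    worker = Subject("worker", HIGH)
    passwd = Obj("/etc/passwd", HIGH, floating=False)
    write(netd, pipe)                         # taints the pipe
    read(worker, pipe)                        # floats the worker down
    allowed = write(worker, passwd)           # denied: worker is now LOW
    return worker.level, pipe.level, allowed, list(audit)
```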