Selective monitoring of 'information flow' events??

Robert Watson rwatson at FreeBSD.org
Thu Nov 24 15:44:44 GMT 2005


On Thu, 24 Nov 2005, Marcin Koziej wrote:

> The labels and access control of MAC modules are even more exciting, 
> because there might be a feedback from the AI app to the module to track 
> only objects labeled 'tainted' or block activity detected as intrusion.
>
> As for asynchronous operations and message tracking -- I think that for 
> a start I'll just need the interaction patterns between system objects 
> -- it just matters that one process did a write on an IPC object, which 
> could be marked 'tainted', the read from the tainted IPC object would 
> taint the reader... I am, however, beginning to work on this -- so these 
> requirements might not be enough to build a functional IDS. Another 
> thing is, I might not understand all the nuances which asynchronous 
> operation brings (this will probably come up sooner or later).

You may want to take a look at the mac_lomac module -- it hasn't had a 
maintainer in a while, but implements the floating label integrity policy 
described in Biba's paper, and basically operates on a taint model: 
whenever a higher integrity subject reads from a lower integrity object, 
the subject label is floated downward to match the object.  This is based 
on work Tim Fraser did at TIS a number of years ago, and is described in 
Tim Fraser's "LOMAC: MAC You Can Live With" paper in the proceedings of 
USENIX/FREENIX 2001.  The current code was largely implemented by Brian 
Feldman based on the mac_biba module.  It's probably rotted a bit over 
time, but might be a useful starting point for looking at how to implement 
floating labels.

Robert N M Watson
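The floating-label behaviour Robert describes, as an added toy simulation (this is not mac_lomac code and does not use the kernel MAC API). It models the two rules he names for LOMAC: a subject that reads a lower-integrity object is floated down to that object's level, and, per Biba, a subject may never write to an object of higher integrity than its own. The run follows the IPC chain from Marcin's message: low-integrity network input is read by one process, passed through a pipe to a second process, and the second process is then stopped from writing a high-integrity file. Every decision is appended to an event list, which is the kind of "information flow" trail an IDS would consume. All subject, object and level names are constructed for the example.

```python
# Added example: toy simulation of LOMAC-style floating integrity labels.
# Not mac_lomac code; names, levels and the scenario are constructed.
from dataclasses import dataclass, field

HIGH, LOW = 2, 1  # two-level lattice; a higher number means higher integrity


@dataclass
class Subject:
    name: str
    level: int  # floats downward on read-down, never upward


@dataclass
class Obj:
    name: str
    level: int  # fixed for the object's lifetime in this model


@dataclass
class Lomac:
    events: list = field(default_factory=list)  # audit trail of flow decisions

    def read(self, subj: Subject, obj: Obj) -> bool:
        """Read-down is always permitted, but the reader floats down to the object's level."""
        if obj.level < subj.level:
            self.events.append(("demote", subj.name, subj.level, obj.level, obj.name))
            subj.level = obj.level
        self.events.append(("read", subj.name, obj.name))
        return True

    def write(self, subj: Subject, obj: Obj) -> bool:
        """Biba no-write-up: a subject below the object's integrity is denied."""
        if subj.level < obj.level:
            self.events.append(("deny_write", subj.name, obj.name))
            return False
        self.events.append(("write", subj.name, obj.name))
        return True


def scenario():
    """Taint crossing an IPC object: network input reaches a second process
    through a pipe and is stopped at a high-integrity file."""
    policy = Lomac()
    netd = Subject("netd", HIGH)      # constructed: daemon that reads the network
    worker = Subject("worker", HIGH)  # constructed: process on the other end of the pipe
    cron = Subject("cron", HIGH)      # constructed: never touches tainted data
    sock = Obj("tcp:*:80", LOW)       # untrusted input is low integrity
    pipe = Obj("pipe:1", LOW)         # IPC object created at low integrity
    passwd = Obj("/etc/passwd", HIGH)

    policy.read(netd, sock)                    # netd floats HIGH -> LOW
    policy.write(netd, pipe)                   # LOW -> LOW, allowed
    policy.read(worker, pipe)                  # worker floats too: taint crossed the pipe
    tainted_ok = policy.write(worker, passwd)  # denied: worker is now LOW
    clean_ok = policy.write(cron, passwd)      # allowed: cron was never demoted
    return policy, netd, worker, tainted_ok, clean_ok


def demotions(policy: Lomac) -> list:
    """Subjects demoted during the run, in order; this is what a monitor would watch."""
    return [e[1] for e in policy.events if e[0] == "demote"]


if __name__ == "__main__":
    pol, *_ = scenario()
    for ev in pol.events:
        print(ev)
```

The point of the trace is that the worker never touched the socket, yet it ends up at LOW because the pipe carried the taint; a monitor looking only at direct reads of the network would miss that, while one watching "demote" events sees both hops.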