Studying Naive Users and the Insider Threat with SimpleFlow

Most access control systems block an illicit action at the moment it appears to violate a security policy. While effective, such early intervention often hides the intent behind negligent or willful policy violations. Furthermore, existing control mechanisms are often very low-level, which hinders understanding because the controls must be spread throughout a system. We propose SimpleFlow, a simple, information-flow-based access control system which allows illicit actions to proceed until sensitive information is about to leave the local network. SimpleFlow marks such illicit traffic before transmission, which lets network devices filter it in a number of ways. SimpleFlow can also spoof the intended recipient to trick malware into revealing its application-layer messages even while those messages are blocked. We have implemented SimpleFlow as a modification to the Linux kernel, and we have released our work as open source.
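The policy sketched in the abstract, as an added user-space model written for this page; it is not SimpleFlow's kernel code. The label propagation rules, the site prefix (10.0.0.0/8), the ToS marker bit (0x04), the decoy address (10.0.0.254) and the sample file paths are all assumptions chosen to make the idea concrete: a process that reads sensitive data becomes tainted, taint follows writes and child processes, nothing is blocked until egress, and only a tainted flow bound outside the site is marked (and optionally redirected to a decoy that stands in for the real recipient).

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of the policy the abstract describes, written for this page.
 * It is NOT SimpleFlow's code: the propagation rules, the "local network"
 * prefix, the marker bit and the decoy address are assumptions.
 */

#define LOCAL_NET   "10.0.0.0"    /* assumed site prefix */
#define LOCAL_BITS  8
#define MARK_TOS    0x04          /* assumed ToS/DSCP marker bit for the gateway */
#define SINKHOLE_IP "10.0.0.254"  /* assumed decoy that impersonates the recipient */

enum verdict { EGRESS_CLEAN, EGRESS_LOCAL, EGRESS_MARKED };

struct file { const char *path; bool sensitive; };
struct proc { const char *name; bool tainted; };

/* Label propagation: a reader of sensitive data becomes tainted ...        */
void proc_read(struct proc *p, const struct file *f)  { if (f->sensitive) p->tainted = true; }
/* ... anything a tainted process writes becomes sensitive ...              */
void proc_write(const struct proc *p, struct file *f) { if (p->tainted) f->sensitive = true; }
/* ... and taint follows the process across fork/exec.                      */
void proc_spawn(const struct proc *parent, struct proc *child) { child->tainted = parent->tainted; }

/* True if the IPv4 address ip falls inside net/bits. */
bool in_cidr(const char *ip, const char *net, int bits) {
    struct in_addr a, n;
    if (bits < 0 || bits > 32) return false;
    if (inet_pton(AF_INET, ip, &a) != 1 || inet_pton(AF_INET, net, &n) != 1) return false;
    uint32_t mask = bits == 0 ? 0 : htonl(0xFFFFFFFFu << (32 - bits));
    return (a.s_addr & mask) == (n.s_addr & mask);
}

/*
 * Egress is the only point where the policy acts. Nothing was stopped while
 * the tainted process ran; a tainted flow stays unmarked inside the site,
 * and a tainted flow leaving the site gets the marker bit so a gateway can
 * drop, log or divert it. With spoof set, the destination is rewritten to
 * the decoy so the sender still emits its application-layer message.
 */
enum verdict egress(const struct proc *p, const char *dst_ip, bool spoof,
                    uint8_t *tos, const char **new_dst) {
    *tos = 0;
    *new_dst = dst_ip;
    if (!p->tainted) return EGRESS_CLEAN;
    if (in_cidr(dst_ip, LOCAL_NET, LOCAL_BITS)) return EGRESS_LOCAL;
    *tos |= MARK_TOS;
    if (spoof) *new_dst = SINKHOLE_IP;
    return EGRESS_MARKED;
}

/* Constructed scenario: a user opens a secret, a child copies it and phones out. */
enum verdict run_scenario(const char *dst_ip, bool spoof, uint8_t *tos, const char **new_dst) {
    struct file secret   = { "/srv/finance/payroll.csv", true };  /* assumed path */
    struct file tmp      = { "/tmp/x", false };
    struct proc editor   = { "editor", false };
    struct proc uploader = { "uploader", false };

    proc_read(&editor, &secret);     /* editor is now tainted            */
    proc_write(&editor, &tmp);       /* /tmp/x is now sensitive          */
    proc_spawn(&editor, &uploader);  /* child inherits the taint         */
    proc_read(&uploader, &tmp);      /* would taint it on its own anyway */
    return egress(&uploader, dst_ip, spoof, tos, new_dst);
}

int main(void) {
    const char *dsts[] = { "10.1.2.3", "203.0.113.5" };  /* in-site, then off-site */
    for (int i = 0; i < 2; i++) {
        uint8_t tos; const char *to;
        enum verdict v = run_scenario(dsts[i], true, &tos, &to);
        printf("%-12s verdict=%d tos=0x%02x sent_to=%s\n", dsts[i], v, tos, to);
    }
    return 0;
}
```

The one design point worth noting is that the mark is computed from process state plus destination, not from packet contents: the gateway never has to parse the payload, and the decoy works because the sender's first application-layer message is produced before the sender can learn that its real recipient was swapped out.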
