Blare is a model for policy-based intrusion detection systems. It works by
tracking information flows. The model has been implemented for the Linux kernel
as well as for the Java Virtual Machine and Android. This talk will present the
model and show how we implemented it for the kernel as a Linux Security Module
in order to leverage existing hooks to intercept system calls.

Blare is a family of policy-based intrusion detection systems (IDS). These IDSs
are based on a common information flow monitoring model. The user defines the
policy by specifying authorised flows beforehand and these IDSs dynamically
check this policy in different types of systems.

KBlare is an implementation of this model at the Linux kernel level. It is a
security extension using the LSM framework to intercept system calls and add
meta-information, called security labels, to the different types of information
containers in the system (files, memory pages). KBlare updates these labels
depending on the flows it tracks, i.e. based on the executed system calls. It raises
alerts whenever one of these flows does not satisfy the policy, i.e. whenever one
of the security properties becomes invalid for a container's label.

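As an added illustration (not KBlare's code), the following user-space Python simulation shows the label propagation and policy check described above: a system call moves information between a process and a file, the destination's label absorbs the source's label, and an alert is raised when a label contains origins the container's policy does not allow. The container names, tags, the per-container "allowed origins" form of the policy and the read/write/exec flow directions are simplifying assumptions.

```python
"""Hypothetical user-space simulation of the Blare information-flow model
(added example, not KBlare's code). Names and policy form are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Container:
    """A file or a process. itags: origins of the information it currently
    holds. allowed: origins the policy lets it hold (None = unconstrained)."""
    name: str
    itags: set = field(default_factory=set)
    allowed: Optional[set] = None

# Simplified direction of information flow for each intercepted call.
FLOW_DIRECTION = {"read": "file_to_proc", "exec": "file_to_proc",
                  "write": "proc_to_file"}

def apply_flow(containers, syscall, proc, path):
    """Propagate labels for one call; return an alert string or None."""
    if FLOW_DIRECTION[syscall] == "file_to_proc":
        src, dst = containers[path], containers[proc]
    else:
        src, dst = containers[proc], containers[path]
    dst.itags |= src.itags  # destination now carries the source's origins
    if dst.allowed is not None:
        illegal = dst.itags - dst.allowed
        if illegal:
            return f"{syscall} {proc} {path}: {dst.name} holds {sorted(illegal)}"
    return None

# Constructed trace: backup may read the shadow file; it writes to an
# unconstrained scratch file, which httpd (web data only) then reads.
TRACE = [
    ("read", "backup", "/etc/shadow"),    # permitted by backup's policy
    ("write", "backup", "/tmp/scratch"),  # scratch now carries "shadow"
    ("read", "httpd", "/tmp/scratch"),    # shadow reaches httpd: alert
]

def run_trace(trace):
    """Replay a trace against a fresh set of labelled containers."""
    containers = {
        "/etc/shadow": Container("/etc/shadow", {"shadow"}, {"shadow"}),
        "/tmp/scratch": Container("/tmp/scratch"),  # unconstrained
        "backup": Container("backup", set(), {"shadow", "web"}),
        "httpd": Container("httpd", set(), {"web"}),
    }
    alerts = [apply_flow(containers, *call) for call in trace]
    return [a for a in alerts if a]

if __name__ == "__main__":
    for alert in run_trace(TRACE):
        print("ALERT:", alert)
```

The point the trace makes is that the violation is detected at the third call even though that call itself only touches a file the policy leaves unconstrained: the label carried the origin of the data across the intermediate container.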
We will briefly present the theoretical model and proceed to explain how we
implemented it in the Linux kernel. Using the LSM framework, we intercept
system calls and deduce information flows. We will also show a brief
demonstration of KBlare detecting an intrusion.