Self-revocation Free Downgrading (SRFD)
Introduction
Traditional integrity models such as Biba never revise a subject's privileges: once a subject has been assigned an integrity level, that level does not change, even when it would be safe to lower it. This strict integrity model limits usability in two ways: 1) the proper integrity level has to be decided ahead of time, and 2) some operations that are actually safe cannot be performed. Low-water-mark policies relax strict integrity by allowing a subject to be downgraded to a lower integrity level when it reads lower-integrity data, which solves both problems. They are strictly more usable, since every safe operation can be completed without a security violation. However, letting subjects be downgraded can result in self-revocation: a subject's privileges are revoked as a consequence of its own downgrade, leading to unexpected failures that applications are not written to handle.

Self-revocation Free Downgrading (SRFD) is, like LOMAC, an integrity policy in the low-water-mark family that preserves system integrity while preventing self-revocation. Unlike LOMAC, which relies on process groups, SRFD tackles self-revocation based on the actual information flow in the system; SRFD is therefore more general and can also handle sockets. SRFD maintains constraints about subjects and objects to identify potential self-revocation scenarios, and it promotes early failure by constraining when a subject may be downgraded: instead of denying write operations after a subject has been downgraded, SRFD denies the open operation when opening a lower-integrity file would lead to self-revocation. A process thus sees the failure at open time, where it is expected and can be handled gracefully, rather than part-way through a write.
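The difference between failing at write time and failing at open time is easiest to see on a small model. The following Python reference monitor is an added illustration, not code from the SRFD module (which is a kernel LSM); the constraint it tracks (the write descriptors a subject currently holds), the policy names `lwm` and `srfd`, and the sample paths are assumptions of the model. It runs the same scenario, an editor that holds its high-integrity config open for writing and then loads a low-integrity plugin, under a plain low-water-mark policy and under an SRFD-style policy:

```python
from dataclasses import dataclass, field

HIGH, LOW = 2, 1  # integrity levels; larger means more trusted


@dataclass
class Obj:
    name: str
    level: int


@dataclass
class Subject:
    name: str
    level: int
    writes: dict = field(default_factory=dict)  # fd -> Obj held open for writing
    next_fd: int = 3


class Monitor:
    """Reference monitor for one of two policies (model assumption, not the module's code):
    'lwm'  : plain low-water-mark, downgrade on read, enforce at write time
    'srfd' : SRFD-style, refuse the downgrading open if it would revoke a held write
    """

    def __init__(self, policy):
        if policy not in ("lwm", "srfd"):
            raise ValueError(policy)
        self.policy = policy

    def open_read(self, s, o):
        if o.level >= s.level:
            return "ok"  # reading equal/higher integrity never lowers the subject
        if self.policy == "srfd":
            # Constraint (model assumption): downgrading s to o.level must not
            # strand a write descriptor s already holds on a higher-integrity object.
            doomed = sorted(w.name for w in s.writes.values() if w.level > o.level)
            if doomed:
                return f"EACCES: opening {o.name} would revoke writes to {doomed}"
        s.level = o.level  # low-water-mark downgrade
        return "ok (downgraded)"

    def open_write(self, s, o):
        if s.level < o.level:
            return None, "EACCES: subject too low to write " + o.name
        fd = s.next_fd
        s.next_fd += 1
        s.writes[fd] = o
        return fd, "ok"

    def write(self, s, fd):
        o = s.writes[fd]
        # Checked on every write. Under 'lwm' this is where self-revocation bites;
        # under 'srfd' open_read keeps the invariant s.level >= o.level for held writes.
        if s.level < o.level:
            return "EACCES: self-revocation on " + o.name
        return "ok"

    def close(self, s, fd):
        s.writes.pop(fd, None)  # releasing the write makes a later downgrade safe
        return "ok"


def editor_scenario(policy):
    """Editor (HIGH) holds its config open for writing, then loads a LOW plugin."""
    m = Monitor(policy)
    editor = Subject("editor", HIGH)
    conf = Obj("/etc/app.conf", HIGH)    # constructed sample objects
    plugin = Obj("/tmp/plugin.so", LOW)
    fd, r = m.open_write(editor, conf)
    trace = [("open_write " + conf.name, r),
             ("open_read " + plugin.name, m.open_read(editor, plugin)),
             ("write " + conf.name, m.write(editor, fd))]
    return editor.level, trace


def safe_downgrade_scenario(policy):
    """No writes held: both policies downgrade, and a later HIGH write fails at open."""
    m = Monitor(policy)
    viewer = Subject("viewer", HIGH)
    plugin = Obj("/tmp/plugin.so", LOW)
    conf = Obj("/etc/app.conf", HIGH)
    r_read = m.open_read(viewer, plugin)
    _, r_write = m.open_write(viewer, conf)
    return viewer.level, r_read, r_write


if __name__ == "__main__":
    for policy in ("lwm", "srfd"):
        level, trace = editor_scenario(policy)
        print(policy, "final level", level)
        for op, result in trace:
            print("  ", op, "->", result)
```

Under `lwm` the plugin open succeeds, the editor is silently downgraded, and the write to the config it already had open fails: that is self-revocation, surfacing in a code path the application rarely checks. Under `srfd` the failure moves to the plugin open, the editor keeps its level and its pending write completes. The second scenario shows that a downgrade is still permitted when nothing would be revoked; the subject simply cannot open higher-integrity files for writing afterwards, and that too fails at open.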
Key features
- system integrity assurance
- reasonable performance
- LSM module
Download and Installation
Shipped under GPLv3. The source code can be downloaded here. Please read the README file for more information. This module has been tested on Ubuntu 13.10 and Ubuntu 14.04.