
Correct Information Flow Tracking for Linux Operating Systems (Suivi de flux d'information correct pour les systèmes d'exploitation Linux)

Laurent Georget 1, 2
2 CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition
CentraleSupélec, Inria Rennes – Bretagne Atlantique, IRISA-D1 - SYSTÈMES LARGE ÉCHELLE
Abstract: We aim to improve the implementations of information flow control mechanisms in Linux operating systems. Information flow control aims at monitoring how information disseminates in a system once it is out of its original container, unlike access control, which can merely apply rules on how the containers are accessed. We met several scientific and technical challenges. First of all, the Linux codebase is big: over fifteen million lines of code spread over thirty-three thousand files. The first contribution of this thesis is a plugin for the GCC compiler able to extract the control flow graphs of the Linux kernel functions and let a user easily visualize them. Secondly, the Linux Security Modules (LSM) framework, which is used to implement the information flow trackers we have reviewed (Laminar, KBlare, and Weir), was designed in the first place to implement access control rather than information flow control. One issue is thus left open: is the framework implemented in such a way that all flows generated by system calls can be captured? We have created and implemented a static analysis to address this problem and proved its correctness with the Coq proof assistant. This analysis is implemented as a GCC plugin and has allowed us to improve the LSM framework in order to capture all flows. Finally, we have noted that current information flow trackers are vulnerable to race conditions between flows and are unable to cover some overt channels of information, such as files mapped to memory and shared memory segments between processes. We have implemented Rfblare, a new flow tracking algorithm, for KBlare. The correctness of this algorithm has been proved with Coq. We have shown that LSM can be used successfully to implement information flow control, and that only formal methods, leading to reusable methodology, analysis, tools, etc., are a match for the complexity and the fast-paced evolution of the Linux kernel.

Cited literature: 100 references
Contributor: Guillaume Piolle
Submitted on: Wednesday, December 6, 2017 - 2:14:14 PM
Last modification on: Monday, April 4, 2022 - 9:28:19 AM


thesis - with proofs.pdf
Files produced by the author(s)


  • HAL Id : tel-01657148, version 1


Laurent Georget. Suivi de flux d'information correct pour les systèmes d'exploitation Linux. Operating Systems [cs.OS]. Université Rennes 1, 2017. French. ⟨NNT : 2017REN1S040⟩. ⟨tel-01657148v1⟩


