Elektronika 2009-11.pdf - Instytut Systemów Elektronicznych
Fig. 2. Possible scenarios of deliberate data leakage<br />
The user takes screenshots of confidential data. By default the images<br />
land in the clipboard. The user pastes them into a graphics editor and<br />
makes small changes (cropping, adding a few random pixels). Such edits<br />
lower the probability that the screenshots will be matched positively<br />
if a watermark was embedded in the print-screen image. The user then<br />
saves the screenshots to files and packs them into an encrypted<br />
archive. Finally the archive is sent over an SSL-protected connection,<br />
so its content cannot be inspected on the wire.<br />
An alternative scenario: the user copies a fragment of a protected<br />
text document to the clipboard, then applies a simple, reversible<br />
obfuscation to the text. The obfuscated text is fed to a steganography<br />
application, whose output is an image. This image is sent through an<br />
instant messenger.<br />
Analysis of these example scenarios shows how wide a range of the IT<br />
system has to be covered and controlled. It also shows that protecting<br />
only some selected output channels will merely delay the point at which<br />
the DLP system is discredited.<br />
Available solutions<br />
Today a DLP system can be implemented in software (for Windows)<br />
or in hardware.<br />
Software implementations are offered by, among others, Websense,<br />
RSA, McAfee, Symantec, Nitrobit, Trend Micro and GSS. The leader<br />
in DLP software for Windows is Websense. Its Data Security package<br />
consists of four fully integrated components: Data Discover, Data<br />
Monitor, Data Protect and Data Endpoint. The system is based on user<br />
policies and rules. A policy determines the range of documents<br />
(context) each group of users may access and the output channels<br />
they are allowed to use. The PreciseID technology, combined with<br />
ThreatSeeker (which determines whether a remote data source is safe<br />
or dangerous to the computer), makes it possible to classify corporate<br />
data on the workstation (end-point protection) as well as across the<br />
whole Internet.<br />
The controlled channels are network traffic (HTTP, SMTP and IM) and<br />
workstation activity (removable storage, printing, print screen,<br />
clipboard). The administrator sets the policy applied when a violation<br />
is detected; possible actions include forced encryption when writing to<br />
removable storage, denial, or quarantine [7].<br />
Another data loss prevention solution comes from Nitrobit and is<br />
called Policy Extension. As its name suggests, it is a set of policies<br />
that extends the standard Windows security policies. The software is<br />
available for Windows versions from 2000 to Vista, 32- and 64-bit. It<br />
covers removable media, the system registry, services and network<br />
storage. Removable media can be identified by serial number, type and<br />
vendor [8]. Its disadvantage is a less flexible configuration.<br />
A popular solution for the Windows platform is the security-policy<br />
based package LeakProof from Trend Micro. It consists of three<br />
components: DataDNA Technology (document watermarking), a Server and<br />
a Client module (installed on employees' computers). Both network DLP<br />
and end-point protection modes are supported. The software can control<br />
removable media, including devices attached to COM and LPT ports, and<br />
printers. Blocking print screen is also possible.<br />
Controlled channels include removable media, optical disc drives, USB<br />
memory, e-mail and webmail (also encrypted), the HTTPS and FTP<br />
protocols and IM protocols. An interesting feature is control of<br />
Bluetooth interfaces and WiFi networks. LeakProof also works on both<br />
on-line and off-line computers.<br />
The system can block a disloyal or absent-minded employee, or display<br />
a window on his screen with the policy information and a warning that<br />
the attempted action may be a violation. When such an employee tries<br />
to move data to removable media, the system can force encryption of<br />
the file [9].<br />
All the above solutions, although they cannot guarantee full security<br />
of sensitive or confidential information, reduce the risk and the<br />
consequences of employee negligence. For a skilled user, bypassing<br />
a DLP system remains possible. The main problem, and the topic of<br />
this paper, is the question why there is no DLP system for Linux<br />
comparable to those described, nor one released as Open Source.<br />
Experimental implementation of a DLP<br />
solution for Linux<br />
Others have also looked for an answer to this question [5]; we set<br />
out to find the reason. The general idea of the experiment was to<br />
find out why vendors of DLP systems for Windows have not tried to<br />
take over the market for DLP solutions on the Linux platform. Is it<br />
because of difficulties specific to Linux, or because of a reluctance<br />
of business towards Linux fed by the many myths about this system?<br />
To find out, a small DLP system for Linux was written. Its aim is to<br />
keep sensitive corporate data within the company.<br />
The PXX system works in end-point mode with the same rules for every<br />
user. Its task is to block all possible output channels for selected<br />
processes in order to prevent data leakage, without causing problems<br />
for the user. PXX consists of two components. The first, PXX-lkm, is<br />
a loadable Linux kernel module (2.6.18 and higher). Its task is to<br />
replace the original system call handlers for open, close, send,<br />
sendto and sendmsg with its own implementations, and to communicate<br />
with the second component, the PXX daemon. The daemon is responsible<br />
for parsing the configuration file with the paths of protected files<br />
and for logging incidents to a local log and to the system log. The<br />
two elements communicate over a netlink socket. This architecture<br />
allows the components to be separated so that an additional element<br />
can be inserted between them to extend functionality.<br />
Fig. 3. Architecture
After the daemon is started and the kernel module loaded, the daemon<br />
tries to read /etc/files, which contains the list of protected files.<br />
The module swaps the kernel's original system call handlers for its<br />
own functions (listing 1). Two practical points apply to this approach:<br />
in 2.6 kernels sys_call_table is not exported and on most builds sits in<br />
read-only memory, so the module must first locate the table and lift the<br />
write protection; and each original handler must be saved before it is<br />
overwritten, otherwise the replacement cannot call it and the table<br />
cannot be restored when the module is unloaded.<br />
/* Listing 1: save each original handler, then install the PXX replacement<br />
   (the open pair is reordered here: saving after overwriting would leave<br />
   sys_open pointing at my_sys_open instead of the kernel's handler) */<br />
sys_open = sys_call_table[__NR_open];<br />
sys_call_table[__NR_open] = my_sys_open;<br />
sys_close = sys_call_table[__NR_close];<br />
sys_call_table[__NR_close] = my_sys_close;<br />
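The decision logic that sits behind the hooked calls is not shown in the paper. The following user-space model, added here as an example and not taken from PXX, shows one way the pieces described above fit together: a parser for an /etc/files-style list of protected paths, per-process tracking of which descriptors refer to protected files, and a send-side check that refuses the call while such a file is open. The taint rule (a process is blocked on send/sendto/sendmsg from the moment it opens a protected file until it closes the last one), the configuration syntax (one absolute path per line, trailing '/' for a subtree, '#' comments) and all function names (pxx_load_config, pxx_open, pxx_close, pxx_send) are assumptions of this example, not details stated by the authors. The sample configuration is constructed inline so the code runs offline.

```c
/* Added example: user-space model of PXX's open/close/send decision logic.
 * Assumed design (not from the paper): a process that has a protected file
 * open is "tainted" and its send/sendto/sendmsg calls are refused until
 * every protected descriptor is closed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define PXX_MAX_PATHS 64
#define PXX_PATH_LEN  256
#define PXX_MAX_PIDS  64
#define PXX_MAX_FDS   256

static char protected_paths[PXX_MAX_PATHS][PXX_PATH_LEN];
static int  n_protected;
static int  pxx_incidents;          /* blocked sends, i.e. what the daemon would log */

struct pxx_proc {
    int pid;                                /* 0 = unused slot */
    int open_protected;                     /* protected fds currently open */
    unsigned char fd_protected[PXX_MAX_FDS];/* 1 if fd refers to a protected file */
};
static struct pxx_proc procs[PXX_MAX_PIDS];

/* Constructed stand-in for /etc/files (assumed syntax: one absolute path per
 * line, a trailing '/' protects the whole subtree, '#' starts a comment). */
static const char sample_config[] =
    "# PXX protected files\n"
    "/srv/hr/salaries.ods\n"
    "/srv/legal/contracts/\n"
    "\n";

/* Parse the list; returns the number of entries loaded. */
int pxx_load_config(const char *text)
{
    n_protected = 0;
    while (*text && n_protected < PXX_MAX_PATHS) {
        const char *eol = strchr(text, '\n');
        size_t len = eol ? (size_t)(eol - text) : strlen(text);
        if (len > 0 && text[0] == '/' && len < PXX_PATH_LEN) {
            memcpy(protected_paths[n_protected], text, len);
            protected_paths[n_protected][len] = '\0';
            n_protected++;
        }
        if (!eol) break;
        text = eol + 1;
    }
    return n_protected;
}

/* Exact match, or prefix match for entries that end in '/'. */
static int is_protected(const char *path)
{
    for (int i = 0; i < n_protected; i++) {
        const char *p = protected_paths[i];
        size_t n = strlen(p);
        if (p[n - 1] == '/' ? strncmp(path, p, n) == 0 : strcmp(path, p) == 0)
            return 1;
    }
    return 0;
}

static struct pxx_proc *proc_lookup(int pid, int create)
{
    struct pxx_proc *free_slot = NULL;
    for (int i = 0; i < PXX_MAX_PIDS; i++) {
        if (procs[i].pid == pid) return &procs[i];
        if (!free_slot && procs[i].pid == 0) free_slot = &procs[i];
    }
    if (create && free_slot) {
        memset(free_slot, 0, sizeof *free_slot);
        free_slot->pid = pid;
        return free_slot;
    }
    return NULL;
}

/* open() hook: the real module would call the saved sys_open first; here the
 * caller passes the fd that call returned. Records the fd if the path is
 * protected and returns the fd unchanged. */
int pxx_open(int pid, const char *path, int fd)
{
    if (fd < 0 || fd >= PXX_MAX_FDS || !is_protected(path)) return fd;
    struct pxx_proc *pr = proc_lookup(pid, 1);
    if (pr && !pr->fd_protected[fd]) { pr->fd_protected[fd] = 1; pr->open_protected++; }
    return fd;
}

/* close() hook: drop the taint once the last protected fd is closed. */
int pxx_close(int pid, int fd)
{
    struct pxx_proc *pr = proc_lookup(pid, 0);
    if (pr && fd >= 0 && fd < PXX_MAX_FDS && pr->fd_protected[fd]) {
        pr->fd_protected[fd] = 0;
        if (--pr->open_protected == 0) pr->pid = 0;   /* free the slot */
    }
    return 0;
}

/* Shared hook for send/sendto/sendmsg: 0 = pass to the original handler,
 * -EPERM = refuse and report the incident (stderr stands in for syslog). */
int pxx_send(int pid, const char *channel)
{
    struct pxx_proc *pr = proc_lookup(pid, 0);
    if (!pr || pr->open_protected == 0) return 0;
    pxx_incidents++;
    fprintf(stderr, "pxx: pid %d blocked on %s with %d protected file(s) open\n",
            pid, channel, pr->open_protected);
    return -EPERM;
}

int pxx_incident_count(void) { return pxx_incidents; }

int main(void)
{
    pxx_load_config(sample_config);
    pxx_open(4242, "/srv/hr/salaries.ods", 3);
    printf("send while open: %d\n", pxx_send(4242, "sendto"));
    pxx_close(4242, 3);
    printf("send after close: %d\n", pxx_send(4242, "sendto"));
    return 0;
}
```

Keeping the taint per process rather than per descriptor is what lets one check serve send, sendto and sendmsg alike; the cost is that a process which merely opened and read a protected file is cut off from the network until it closes it, which is the trade-off the paper accepts by blocking whole output channels for selected processes.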
ELEKTRONIKA 11/2009 49