Elektronika 2009-11.pdf - Instytut Systemów Elektronicznych
/* save the original handler, then install the PXX replacement */
sys_write = sys_call_table[__NR_write];
sys_call_table[__NR_write] = my_sys_write;
sys_send = sys_call_table[PXX_SEND_ADDR];
sys_call_table[PXX_SEND_ADDR] = my_sys_send;
sys_sendmsg = sys_call_table[PXX_SENDMSG_ADDR];
sys_call_table[PXX_SENDMSG_ADDR] = my_sys_sendmsg;
sys_sendto = sys_call_table[PXX_SENDTO_ADDR];
sys_call_table[PXX_SENDTO_ADDR] = my_sys_sendto;
The service and the module exchange their names and software versions; initialization is then complete.
In the second phase the module waits for any application to call the open system function. Disk files are identified by their i-node values. The function that obtains the i-node value from a file descriptor is shown in listing 2.
static unsigned long get_ino(int fd)
{
    unsigned long ino = 0;
    struct file *f;

    /* Look up the struct file behind the descriptor. The condition was
       garbled in extraction; fget() is the kernel counterpart of the
       fput() that follows, so it is reconstructed here. */
    if ((f = fget(fd))) {
        ino = f->f_dentry->d_inode->i_ino;
        fput(f);
    }
    return ino;
}
The PID of the calling process and the PID of its parent are pushed onto the array of PIDs of applications that requested to open a protected file.
If any application tries to call a data-write function or to send data over a socket, the kernel module looks for its PID, or its parent's PID, in the PID array. If found, the kernel module sends the application's PID to the daemon, which logs the event, and the module refuses to execute the write/send function.
When an application calls the close function, its PID (and its parent's PID) are removed from the PID list.
An array of the protected files' i-nodes (obtained from their absolute paths) is created once, when the PXX daemon starts. Each path is parsed to check that it is correct. Then the PXX daemon fills the protected files structure (listing 3).
struct protected_files
{
    unsigned int qty;     /* number of protected files */
    ino_t * inos_t;       /* their i-node values */
    char ** names_t;      /* their absolute paths */
};
The array of i-node values is taken from the protected_files structure and sent to the kernel module via a netlink socket.
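As an added example (not the paper's code), the daemon-side path check and the module-side i-node comparison from listings 2 and 3 are modelled in user space: paths are resolved with stat(), the file behind a descriptor is identified with fstat() in place of the kernel's dentry walk, and a constructed hard link shows why i-node-only matching is ambiguous. The function names and the temporary file paths are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
struct protected_files { unsigned int qty; ino_t *inos_t; char **names_t; }; /* as in listing 3 */
/* Daemon side: resolve each absolute path to its i-node with stat(); relative or missing paths are rejected. */
static int build_protected(struct protected_files *pf, char **paths, unsigned int n)
{
    struct stat st;
    pf->qty = 0;
    pf->inos_t = calloc(n, sizeof(ino_t));
    pf->names_t = calloc(n, sizeof(char *));
    if (!pf->inos_t || !pf->names_t) return -1;
    for (unsigned int i = 0; i < n; i++) {
        if (paths[i][0] != '/' || stat(paths[i], &st) != 0) continue;
        pf->inos_t[pf->qty] = st.st_ino;
        pf->names_t[pf->qty++] = paths[i];
    }
    return 0;
}
/* Module side (user-space analogue of get_ino): compare only the i-node behind fd with the table,
 * so a hard link is caught, but the same i-node number on another filesystem would be a false match. */
static int fd_is_protected(const struct protected_files *pf, int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    for (unsigned int i = 0; i < pf->qty; i++)
        if (pf->inos_t[i] == st.st_ino) return 1;
    return 0;
}
/* Constructed scenario: protect a temp file, open it through a hard link, and open an unrelated
 * file. Returns 1 when exactly one path is accepted and only the link is reported protected. */
static int demo_hardlink(void)
{
    char base[] = "/tmp/pxx_protXXXXXX", other[] = "/tmp/pxx_otherXXXXXX", lnk[64];
    char *paths[] = { base, "relative/path", "/nonexistent/pxx_file" };
    struct protected_files pf = { 0, NULL, NULL };
    int fb = mkstemp(base), fo = mkstemp(other), fl = -1, ok = 0;
    snprintf(lnk, sizeof lnk, "%s.lnk", base);
    if (fb >= 0 && fo >= 0 && link(base, lnk) == 0 && (fl = open(lnk, O_RDONLY)) >= 0)
        ok = build_protected(&pf, paths, 3) == 0 && pf.qty == 1 &&
             fd_is_protected(&pf, fl) && !fd_is_protected(&pf, fo);
    if (fb >= 0) { close(fb); unlink(base); }
    if (fo >= 0) { close(fo); unlink(other); }
    if (fl >= 0) { close(fl); unlink(lnk); }
    free(pf.inos_t); free(pf.names_t);
    return ok;
}
```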
Difficulties related to implementing a fully functional DLP system for Linux
The discussed solution is based on i-nodes, even though this is neither a perfect nor an unambiguous identifier: i-node values are unique only within a single filesystem, but no better solution was found.
The experiment led to several conclusions. One of them may answer the question of why there is still no DLP application for Linux. The most important ones are discussed below.
It was not possible to write a fully functional kernel-space function that converts an arbitrary path into an absolute path, because the caller's working directory cannot be determined from kernel space. Another idea is to use the algorithm implemented in Tomoyo Linux [6], which has a realpath function, but this solution may also be insufficient because of hard links, which that function can interpret incorrectly. Apparently the best solution would be to map a file to a disk-block pair, but on filesystems other than the "ext" family this method may not work correctly because of block suballocation (e.g. Reiser 4). Block suballocation is used to manage files smaller than a block more efficiently. On a filesystem without block suballocation each such file occupies a whole block, so disk space is wasted. Block suballocation allows several small files to be kept in a single block. Unfortunately, the relation between file and block then becomes ambiguous.
No effective method of blocking the clipboard has been found. This "tiny" weak point determines the weakness of the whole system. The clipboard works in user space and is managed by the window manager. To block the possibility of copying to the clipboard, the source of the window manager and its recompilation are required. On Windows this is possible, because there is only one window manager. Linux users have the freedom to choose one of many solutions (GNOME, KDE, XFCE etc.).
The system does not protect files in the situation where a protected file is opened, its content is saved to memory, and the file is then closed. An effective implementation of file protection for this situation has not been implemented yet.
The most important problem with the developed system is its inability to work in a real-life environment where the attacker has broad knowledge and suitable tools. For a computer geek who understands the idea of a DLP system, cracking this implementation is a matter of time. It is important to mention that the aim of this project was to implement only a stub of a project that will be developed by more programmers. The aim was to begin a discussion about a DLP system for Linux and to determine its hardest challenges and the difficulties caused by the specificity of Linux.
Conclusions
The experiment of implementing a DLP system for Linux can be considered successful, but the authors are not satisfied with the result. The implemented system is not cross-platform and does not look as if it could soon become so. The implementation was done only for a specific architecture, kernel version and graphical interface. Currently it cannot be regarded as a universal solution even within a single distribution, because clipboard protection is not supported.
The hardest thing for the creator of a DLP system for Linux is, by an irony of fate, the architecture of Linux itself. Its kernel has many variants, and some distributions (e.g. Ubuntu) provide their own implementation of the kernel. The problem is the lack of a uniform specification that would describe all the kernels of all distributions. This is an expression of Linux's freedom, but on the other hand a serious hindrance. Frequent changes in the kernel architecture are not helpful either.
Creating a perfect DLP application for Linux would require remaking a significant part of the Linux kernel to allow additional security-related flags to be "transported" in the process information. After that, only those filesystems could be accepted which allow any disk file to be identified by a uniform value. To realize this idea, recompilation of the graphical environment would
50 ELEKTRONIKA 11/2009