Brussels / 1 & 2 February 2014


Blare: policy-based intrusion detection systems

Blare can track information flows in the linux kernel, android and the JVM

Blare is a model for policy-based intrusion detection systems. It works by tracking information flows. The model has been implemented for the Linux kernel as well as for the Java Virtual Machine and Android. This talk will present the model and show how we implemented it for the kernel as a Linux Security Module in order to leverage existing hooks to intercept system calls.

Blare is a family of policy-based intrusion detection systems (IDS). These IDSs are based on a common information flow monitoring model. The user defines the policy by specifying authorised flows beforehand and these IDSs dynamically check this policy in different types of systems. KBlare is an implementation of this model at the Linux kernel level. It is a security extension using the LSM framework to intercept system calls and add meta-information, called security labels, to the different types of information containers in the system (files, memory pages). KBlare updates these labels depending on the flows it tracks ie. based on executed system calls. It throws alerts whenever one of these flows does not satisfy the policy ie. whenever one of the security property becomes invalid for a container's label. We will briefly present the theoretical model and proceed to explain how we implemented it in the Linux kernel. Using the LSM framework, we intercept system calls and deduce information flows. We will also show a brief demonstration of KBlare detecting an intrusion.


Guillaume Brogi