Research of Dynamic Information Flow Monitoring Based on Finite State Automaton

Because dynamic monitoring in the security analysis of current information-processing systems is not yet mature, this paper uses finite state automaton techniques to improve dynamic information flow monitoring and designs a corresponding monitor. Building on finite state automaton theory, the method monitors information flow dynamically and uses a security stack to monitor the user's operations in real time. It prevents high-density users from leaking secrets to low-density users through covert channels, and so protects system confidentiality.


Introduction
Confidentiality is the most basic and common requirement of an information system. Access control tries to prevent information diffusion by checking and controlling operations, but it can only prevent diffusion through explicit access operations, not through indirect, non-access means such as transmitting information by influencing the system state. This indirect diffusion is usually referred to as hidden information flow, a problem that has been studied previously (Yan Li, 2008, p.51-57). Under certain conditions it is also known as a covert channel. Information flow analysis came into being to overcome this weakness of access control.
Information flow analysis is divided into static analysis and dynamic analysis. Because static analysis is carried out only at the compilation stage, it cannot adapt in real time to the situation at hand. By comparison, dynamic analysis is more user-centric and achieves on-line monitoring. The end user can customize the security level, and dynamic analysis monitors the system according to that level. End users can also modify the strategy according to their security requirements (Gurvan, 2007, p.9-30). For this reason, dynamic analysis has received increasing attention and development.
Feng Qin et al. (2006, p.135-148) proposed assigning a security level to every storage location and then checking the security level of the data held there. This method can be applied to the security analysis of code without needing its source, but it cannot handle complicated implicit information flow. Xu, Bhatkar and Sekar (2006, p.121-136) added protection to the code to track information flow; this is easier to understand than Qin's method, but still cannot handle complicated implicit information flow. Nagatou and Watanabe (2006, p.577-584) established a kind of security automaton as a tool that monitors the system to detect and prevent unauthorized dissemination of information through covert channels. Compared with the previous two methods, this mechanism can judge more complex covert channels, but because the security automaton is based on input events it cannot reflect the information flow in the system, and the mechanism itself has the potential to become a covert channel. In a real system, the system is described in the form of state transitions, and the system's current operation can be described as a state transfer. Finite state machines, which describe the state of a system, have been widely used (Zi Xiao-Chao, 2008, p.1460-1466). Therefore, this paper uses the finite state machine as a tool to improve the dynamic information flow monitoring method. The method can monitor covert channels in real time and handle them safely, so that the confidentiality of information systems is guaranteed.

Formal finite state machine
Because the finite state machine for static analysis has already been studied (Zhang Yang, 2009, p.709-719), this paper gives the definition of the finite state machine directly.
The definition is FA (I, S, $S_0$, L, O, F): (1) I defines all the ways in which the subject can access the object; (2) S defines all the security contexts of the subject and object; (3) $S_0$  S defines the initial state; (4) L is the state transition function, L: S×I→S, which defines the legal transformation relationship between types (domains); (5) O defines the finite state machine output, which is not given in the literature (Zhang Yang, 2009, p.709-719); we define O as O  {True, False}: if O is true, the transfer between states is legal and the direction of the information flow is decided by the read and write operation; if O is false, the transfer between states is not legal; (6) F  S defines the system's final state.

Improvement of finite state machine
The finite state machine can analyze security strategies and determine whether they meet the requirements, but it needs all the states in order to make a judgment, which does not meet real-time requirements. During analysis, the machine uses the information flow chain of the user's operations to determine the user's action, which likewise does not meet real-time requirements. To solve this problem, the machine is improved as follows: Adding the stack , the alphabet,  = {H, L}, an empty stack is recorded as  . The stack is used to track the security context to prevent information from leaking.
Adding a flag to record the high-density user's illegal operation; its range is {H, L}, where H represents a dangerous operation by the high-density user and L represents a normal operation or no operation.
Therefore, the definition of the finite state machine is revised to FA (I, S, $S_0$, L, O, F,  , flag).
According to the TCSEC requirement, a covert channel with bandwidth above 100 bits/s must be eliminated; bandwidth below 1 bit/s is acceptable; and for bandwidth between 1 bit/s and 100 bits/s, the auditors decide according to the actual situation whether to eliminate it. Under these provisions, determining whether a low-density user obtains information through a covert channel whose bandwidth is above the specified value requires taking earlier operations into account. Because of the advanced features of the stack, it can be used to track the user, which enhances the expressive capacity of the finite state machine.
The modified finite state machine can show the transfer of system security status and determine whether the operation is dangerous or not based on the modified finite state machine output set O.
In the modified finite state machine, I defines the operations that the subject takes; S defines the object's current security context; $S_0$ defines the initialized security context.

System model
The system in which users run applications is called the target system. In the target system, two users are considered, $S_H$ and $S_L$. $S_H$ is a high-density user who can access confidential information; $S_L$ is a low-density user who cannot. $S_H$ performs actions that cause a series of state transfers in the target system, and $S_L$ tries to observe the behavior of $S_H$ through the results output by read operations. If, no matter what actions $S_L$ performs, $S_L$ can observe nothing, then there is no covert channel between $S_H$ and $S_L$.
Therefore, in order to monitor the information flow, the finite state machine above is used in the target system to form a security automaton. It receives the state transfers, checks the legality of the information flow, and determines whether the low-density user can observe the high-density user; the machine then guides the system based on the result.

Security principles of the automaton monitoring system
According to current studies, the high-density $S_H$ sends information to the low-density $S_L$ by changing the properties $A_i$ of an object $O_i$ according to an encoding agreed in advance. $S_L$ observes the changes that $S_H$ makes to object $O_i$ and so obtains the information from $S_H$ (Wang Chang-da, 2006, p.1488-1492). Fig 1 shows the principles of the covert channel.

(Insert Fig 1)
The security automaton mechanism works as follows. The security automaton is initialized. Stack  is emptied. When the high-density $S_H$ operates on the object O, the automaton judges whether information flows into the object O. If $S_H$'s operation influences $S_L$, the security automaton sets the flag to H. When the low-density $S_L$ operates on the object O, the security automaton pushes the flag onto the stack and sets the flag to L. The security automaton has a timer that triggers the checking mechanism: when the timer fires, the mechanism counts the values on the stack. If the number is over the rating, the mechanism silences $S_L$, because a covert channel exists between $S_H$ and $S_L$; if the number is not over the rating, the mechanism empties the stack. The timer and the rating can be changed according to the security requirements of the system: the higher the security level, the shorter the timer. Through this mechanism, the security of the system is ensured.
According to the principles of the covert channel, the high-density user can send information to the low-density user only through the object O, and only one bit at a time. To explain how the security automaton mechanism protects the system from harm, Table 1 gives an example of the mechanism. Two functions appear in the table, readlike and writelike. If the operation is similar to a read operation, readlike returns true, otherwise false; if the operation is similar to a write operation, writelike returns true, otherwise false. (Insert Table 1)
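The flag, stack and timer cycle described above, as an added Python example that is not code from the paper and does not reproduce its Table 1. Assumptions: the operation names in READLIKE and WRITELIKE, treating only read-like operations by S_L as observations, counting only H entries against the rating, and the "TICK" marker standing in for the timer.

```python
from dataclasses import dataclass, field

# Assumed operation classes: the paper's Table 1 is not reproduced on this page.
READLIKE = {"read", "stat", "list"}
WRITELIKE = {"write", "create", "delete", "chmod"}

def readlike(op: str) -> bool:
    return op in READLIKE

def writelike(op: str) -> bool:
    return op in WRITELIKE

@dataclass
class SecurityAutomaton:
    rating: int                          # H entries tolerated per timer period
    flag: str = "L"                      # "H" after S_H has influenced the object
    stack: list = field(default_factory=list)
    silenced: bool = False               # True once S_L has been cut off

    def step(self, subject: str, op: str) -> bool:
        """Feed one operation on the shared object; return O (True = legal)."""
        if subject == "S_H":
            if writelike(op):            # information flows into the object
                self.flag = "H"
            return True
        if self.silenced:
            return False
        if readlike(op):                 # S_L observes the object
            self.stack.append(self.flag)
            self.flag = "L"
        return True

    def on_timer(self) -> bool:
        """Timer check: silence S_L if too many H observations, else reset."""
        if self.stack.count("H") > self.rating:
            self.silenced = True
        else:
            self.stack.clear()
        return self.silenced

def run(trace, rating):
    """Replay a trace of (subject, op) tuples and "TICK" markers."""
    m = SecurityAutomaton(rating)
    out = [m.on_timer() if ev == "TICK" else m.step(*ev) for ev in trace]
    return out, m

# Constructed traces: S_H signals one bit per write, S_L polls after each.
COVERT = [("S_H", "write"), ("S_L", "read")] * 4 + ["TICK", ("S_L", "read")]
BENIGN = [("S_L", "read")] * 4 + [("S_H", "write"), ("S_L", "stat"), "TICK"]
```

With a rating of 3, `run(COVERT, 3)` ends with S_L silenced and its next read refused, while `run(BENIGN, 3)` records a single H entry and the timer check simply empties the stack.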

Realization of the security automaton mechanism
With the support of SELinux system functions, the security automaton mechanism can be realized as a security monitor system. When the system is loaded, the security monitor system can be loaded at the place shown in Fig 2 to monitor information flow and protect the system from covert channel harm.