• DocumentCode
    3646329
  • Title
    A Host Based Method for Data Leak Protection by Tracking Sensitive Data Flow
  • Author
    Miodrag Petkovic;Miroslav Popovic;Ilija Basicevic;Djordje Saric
  • fYear
    2012
  • fDate
    4/1/2012 12:00:00 AM
  • Firstpage
    267
  • Lastpage
    274
  • Abstract
    This paper describes a method for data leak protection (DLP) based on tracking sensitive information as it flows inside the file system on a host. The method is based on the idea that every flow from a sensitive to a non-sensitive object raises the security level of the target object to that of the source object. Any process which reads an object that contains sensitive data automatically becomes tagged as sensitive itself. Once a process is tagged, all of its subsequent write operations tag the target objects as well. Any process created by a tagged process is also tagged. By spreading tags over all objects touched by a sensitive process, we have a guarantee that not a single bit of sensitive information resides in a non-sensitive object. Using any software tool to process a sensitive object results in a new sensitive object, which prevents bypassing the security mechanism. All objects tagged as sensitive are checked according to the security policy before being transferred out of the host. The main goal of this method is to prevent covert channels for information leakage that use steganography, data modification, compression or encryption. It is implemented in Linux OS as a kernel module. It works with legacy applications, since all changes are at the OS level.
  • Keywords
    "Security","Kernel","Linux","Sensitivity","Tagging","File systems"
  • Publisher
    ieee
  • Conference_Titel
    Engineering of Computer Based Systems (ECBS), 2012 IEEE 19th International Conference and Workshops on
  • Print_ISBN
    978-1-4673-0912-7
  • Type
    conf
  • DOI
    10.1109/ECBS.2012.5
  • Filename
    6195195