Kaspersky Control Flow Monitor component

The Kaspersky Control Flow Monitor (KCFM) component is designed to monitor and control the performance of processes by monitoring the control flow.

The KCFM component lets you do the following in a KasperskyOS-based solution:

• Detect anomalies in the behavior of the monitored process.
• If an anomaly is detected, restart the monitored process.
• [optional] Automatically generate the part of the solution security policy for program IPC calls to the core endpoints and the VFS system program.

How the KCFM component works

By using the source code of a program that needs to be monitored, you can build a control flow graph (CFG) for the program. This graph defines the complete set of system calls and calls to library functions that can be executed while the program is running, and all possible sequences of their execution. The CFG is built during program build.

While a process (program) is running, function calls and IPC calls made by the process are monitored. If program behavior is unexpected (anomalous), the KCFM component lets you stop and restart the monitored program.

Important! The KCFM component is experimental and subject to limitations described below. The component is available to users for testing purposes and for providing feedback.

Limitations in the experimental version of the KCFM component

The KCFM component has the following limitations:

• Only one process can be monitored in a KasperskyOS-based solution.
• Only programs written in C are supported.
• When using computed pointers to call functions in the program code, the tools for building a control flow graph cannot explicitly determine the function being called. In this case, an assumption is made about possible function calls, a signature with these calls is built, and a warning is issued.
• A call to functions for using hardware interrupt handlers in the program code is ignored and an appropriate warning is issued.
• When using explicitly linked API functions for dynamic libraries, a warning is issued that a call to these functions cannot be processed.
• If anomalies are detected in a running process, the KCFM component restarts the process. A restart is the only action available.
• The control flow graph is built only upon the sequences of calls to the kernel and to the VFS system program.

Contents of the KCFM component

The component consists of the following files:

• Executable files of modules for building a control flow graph of a monitored program, monitoring calls for a running program, and detecting anomalies based on the control flow graph. These files are located in /opt/KasperskyOS-Community-Edition-<platform>-<version>/toolchain/bin and /opt/KasperskyOS-Community-Edition-<platform>-<version>/sysroot-*-kos/bin.
• Formal specification files located in /opt/KasperskyOS-Community-Edition-<platform>-<version>/sysroot-*-kos/include/kcfm.
• CMake libraries for adding KCFM component modules to the solution located in /opt/KasperskyOS-Community-Edition-<platform>-<version>/toolchain/lib/cmake/kcfm_tool.
• Examples of solutions for demonstrating use of the KCFM component in /opt/KasperskyOS-Community-Edition-<platform>-<version>/examples/.

Building a program control flow graph

The control flow graph is built during application build if the CMake command kcfm_generate_signature() has been added to the CMakeLists.txt file for building the program.

For more details, refer to kcfm_hello example.

Security audit data is used to monitor IPC calls made by the monitored program. To allow the KCFM component to access the security audit data of the monitored program and configure the Klog system program, add the CMake command kcfm_generate_audit_policy() to the CMakeLists.txt program build file.

The monitored program code can use static or dynamic libraries. In this case, these libraries must also be built via CMake, and the CMake commands kcfm_make_graph_lib() for building the call flow graphs of these libraries must be added to the build script.

For more details, refer to kcfm_http_server example.

Anomaly detection

Anomaly detection is performed by the FlowChecker module from the KCFM component. To add the FlowChecker module to a solution:

• Add its description and IPC channels for connecting to it to the init description.
• Add CMake commands for building and setting the values of environment variables and command line arguments to the CMakeLists.txt file for building the Einit program.

  The FC_GRAPH_FILENAME environment variable is used to specify the path to the file of the control flow graph built for the monitored program.

For more details, refer to kcfm_http_server example.

Anomaly processing

A detected anomaly is processed by the FlowMonitor module from the KCFM component. To add the FlowMonitor module to a solution:

• Add its description and IPC channels for connecting to it in the init description.
• Set the values of environment variables and command line arguments for it in the init description.

  The name of the monitored process is defined in the FM_ENTITY_NAME environment variable.

  The monitored process must not be started using Einit because it will be started by the FlowMonitor module, which uses the ExecutionManager system program for this purpose.

• Use the ExecutionManager component in the solution.

The FlowMonitor module performs the following actions:

• Starts the program using ExecutionManager.
• Monitors the status (started/stopped) of the program via ExecutionManager.
• If the program stops, it restarts the program using ExecutionManager.
• Receives and processes events for detecting anomalies in the behavior of the monitored process from the FlowChecker module. In this case, the FlowMonitor module performs the following actions:
  • Issue a command to stop the program.
  • Wait until the program terminates.
  • Issue a command to start the program.

Security policy generation

The KCFM component also lets you automatically generate part of the solution security policy in the form of a PSL file based on the program source code. The PSL file will list and allow all IPC calls to core endpoints and VFS system program interfaces that are used in the program code. The security policy is formed so as to allow the program to access the IPC calls in use and deny access to all of the unused ones.

To generate the PSL file, add the CMake command kcfm_generate_audit_policy() to the CMakeLists.txt file for building the program. The generated PSL file must be included in the solution security policy description.

For more details, refer to kcfm_hello example.

Page top