Introduction
Blare is an experimental policy-based, host-based intrusion detector for Linux. Its main purpose is to serve as a testbed environment for experimenting with a new intrusion detection approach.
Unlike other IDSes such as Snort or Snare, Blare requires no attack signatures, learned profiles or knowledge of program behavior. Its main goals are:
- to detect all violations of an implemented security policy, including violations using unknown and/or novel attacks;
- to report only actual policy violations (i.e. no false positives);
- to support usual security policies such as Discretionary Access Control, Bell-LaPadula, etc.
Since March 2011, we have worked on applying Blare's theoretical model to Android. We built a first information flow policy that identifies sensitive data and containers and expresses how information may spread and mix inside the system.
The information flow policy can be downloaded from: https://docs.google.com/leaf?id=0B4PQg0KLMkHhN2UxZjkyNjktNzRlYS00YTFiLTlhZTItZjkwZmZmZmRkMjIz&hl=en_US
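To make the policy idea concrete, here is an added example (not Blare's code, and not its policy format): containers carry the set of sensitive information they currently hold, every flow merges the source's tags into the destination, and an alert is raised only when a container ends up holding a mix its policy does not allow. The container names, tags and policy are constructed assumptions for this illustration.

```python
# Added example (not Blare's code): container names, tags and the policy format
# are assumptions constructed to illustrate information-flow policy checking.

def initial_tags():
    """Constructed sample: the sensitive information each container holds."""
    return {"/data/contacts.db": {"contacts"}, "/data/sms.db": {"sms"},
            "proc:contacts_app": set(), "proc:sms_app": set(), "socket:net": set()}

# Constructed policy: per container, the sets of information allowed to mix in it.
# A container is legal while its tag set is a subset of one allowed set.
POLICY = {
    "/data/contacts.db": [{"contacts"}],
    "/data/sms.db": [{"sms"}],
    "proc:contacts_app": [{"contacts"}],
    "proc:sms_app": [{"sms"}],
    "socket:net": [set()],  # nothing sensitive may leave the device
}

def is_legal(container, tags):
    return any(tags[container] <= allowed for allowed in POLICY[container])

def flow(src, dst, tags):
    # Propagate information from src to dst (a read followed by a write, an IPC
    # message ...); tags only grow, so a mix is never forgotten.
    tags[dst] = tags[dst] | tags[src]

def run_scenario(events):
    """Replay (src, dst) flows and report each flow that leaves dst in a state the
    policy does not allow; nothing else is reported (no signatures, no false positives)."""
    tags = initial_tags()
    alerts = []
    for src, dst in events:
        flow(src, dst, tags)
        if not is_legal(dst, tags):
            alerts.append((src, dst, frozenset(tags[dst])))
    return alerts

SCENARIO = [
    ("/data/contacts.db", "proc:contacts_app"),  # legal: contacts app reads contacts
    ("/data/sms.db", "proc:sms_app"),            # legal: sms app reads sms
    ("proc:sms_app", "proc:contacts_app"),       # IPC: contacts app now mixes sms + contacts
    ("proc:contacts_app", "socket:net"),         # mixed data sent to the network
]

if __name__ == "__main__":
    for alert in run_scenario(SCENARIO):
        print("policy violation:", alert)
```

The first two flows are legal and produce nothing; the IPC message and the network write are reported because they create mixes the policy never allowed, whatever the code path that caused them.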
We presented our tool at the French conference C&ESAR. You can get a copy of the demo and slides here: http://dl.free.fr/fUoPcg0WS . The password is: 11f602f9
You can find more information on the Documentation and Papers pages.