Blare is an experimental policy-based, host-based intrusion detector for Linux. Its main purpose is to serve as a testbed environment for experimenting with a new intrusion detection approach.

Unlike other IDSes such as Snort or Snare, Blare requires no attack signatures, learned profiles, or knowledge of program behavior. Its main goals are:

  • to detect all violations of an implemented security policy, including violations using unknown and/or novel attacks;
  • to report only actual policy violations (i.e. no false positives);
  • to support common security policies such as Discretionary Access Control, Bell-LaPadula, etc.

Since March 2011, we have worked on applying Blare's theoretical model to Android. We built a first information flow policy that identifies sensitive data and containers, and expresses how information can spread and mix inside the system.