The Flask Security Architecture: System Support for Diverse Security Policies
- In Proceedings of the Eighth USENIX Security Symposium, 1999
Abstract - Cited by 114 (8 self)
Operating systems must be flexible in their support for security policies, providing sufficient mechanisms for supporting the wide variety of real-world security policies. Such flexibility requires controlling the propagation of access rights, enforcing fine-grained access rights and supporting the revocation of previously granted access rights. Previous systems are lacking in at least one of these areas. In this paper we present an operating system security architecture that solves these problems. Control over propagation is provided by ensuring that the security policy is consulted for every security decision. This control is achieved without significant performance degradation through the use of a security decision caching mechanism that ensures a consistent view of policy decisions. Both fine-grained access rights and revocation support are provided by mechanisms that are directly integrated into the service-providing components of the system. The architecture is described through its prototype implementation in the Flask microkernel-based operating system, and the policy flexibility of the prototype is evaluated. We present initial evidence that the architecture's impact on both performance and code complexity is modest. Moreover, our architecture is applicable to many other types of operating systems and environments.
Towards Security in an Open Systems Federation
- In Proceedings of the European Symposium on Research in Computer Security, 1992
Abstract - Cited by 20 (4 self)
This paper argues that security design for Open Distributed Processing (ODP) would benefit from a shift of focus from the infrastructure to individual servers as the owners and enforcers of security policy. It debates the policy nuances, mechanisms, and protocol design consequences that would follow from such a change of emphasis. In ODP, physically separate systems federate into heterogeneous networks of unlimited scale, so there can be no central authority, nor ubiquitous security infrastructure. Servers that offer, trade, supply and consume services must maintain their own security policies and defend themselves. For servers to take security policy and enforcement decisions, design is concerned with how they might seek advice and guidance from higher authority. This contrasts with an administrator-imposed policy on a closed homogeneous network, where an infrastructure enforces administrator-declared access rights to potential clients, including rights to delegate rights.
A Guide to Understanding Security Modeling in Trusted Systems
- 1992
Abstract
... encapsulated devices are often passive entities, in contrast to their underlying hardware. Security requirements for devices, however, differ significantly from those for either storage objects or controlled processes:
- External policy on use of the system requires that devices pass information only to authorized users. [8]
- Devices may transport either unlabeled data or labeled data and are classified as single-level or multilevel devices accordingly.
- At B2 and above, the TCSEC requires that every device have a minimum and maximum device level that represents constraints imposed by the physical environment in which the device is located.
Authorized use of a device may be enforced by requiring that any piece of information output by the device have a security level that is dominated by the clearance and authorization of the recipient. A combination of procedural and automated metho...

[8] I/O handling often accounts for 30 percent or more of an entire operating system. [TANE87, Preface]
President
- 2005
Abstract
CNS-0430566. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation. This report was prepared by: