Implementing Mandatory Network Security in a Policy-flexible System (1998)

by A CHITTURI

Results 1 - 10 of 10

The Flask Security Architecture: System Support for Diverse Security Policies

by Ray Spencer, Secure Computing Corporation, Stephen Smalley, Peter Loscocco, National Security Agency, Mike Hibler, David Andersen - in Proceedings of The Eighth USENIX Security Symposium, 1999
Cited by 114 (8 self)
Operating systems must be flexible in their support for security policies, providing sufficient mechanisms for supporting the wide variety of real-world security policies. Such flexibility requires controlling the propagation of access rights, enforcing fine-grained access rights and supporting the revocation of previously granted access rights. Previous systems are lacking in at least one of these areas. In this paper we present an operating system security architecture that solves these problems. Control over propagation is provided by ensuring that the security policy is consulted for every security decision. This control is achieved without significant performance degradation through the use of a security decision caching mechanism that ensures a consistent view of policy decisions. Both fine-grained access rights and revocation support are provided by mechanisms that are directly integrated into the service-providing components of the system. The architecture is described through its prototype implementation in the Flask microkernel-based operating system, and the policy flexibility of the prototype is evaluated. We present initial evidence that the architecture’s impact on both performance and code complexity is modest. Moreover, our architecture is applicable to many other types of operating systems and environments.

The Fluke Device Driver Framework

by Kevin Thomas Van Maren, 1999
Cited by 9 (0 self)
Providing efficient device driver support in the Fluke operating system presents novel challenges, which stem from two conflicting factors: (i) a design and maintenance requirement to reuse unmodified legacy device drivers, and (ii) the mismatch between the Fluke kernel's internal execution environment and the execution environment expected by these legacy device drivers. This thesis presents a solution to this conflict: a framework whose design is based on running device drivers as user-mode servers, which resolves the fundamental execution environment mismatch. This approach

Leveraging IPSec for mandatory access control of Linux network communications

by Trent R. Jaeger, Serge Hallyn, Joy Latten - In Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC’05), 2006
Cited by 8 (3 self)
been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). Copies may be requested from IBM T. J. Watson Research Center, P.

Layered Multipoint Network Defense and Security Policy Enforcement

by Stephen D. Wolthusen, 2001
Cited by 5 (3 self)
This paper discusses the enhancement of security in general purpose operating systems, especially related to threats caused by internetworking, using extensions to operating systems. Such mechanisms have a significantly larger basis for reaching security policy decisions than older host-level security mechanisms and firewalls. By layering defensive mechanisms yet enforcing a consistent security policy across the security layers, goals such as workload distribution, vulnerability compartmentalization, and hierarchical refinement of security policies can be achieved.

Leveraging IPsec for mandatory per-packet access control

by Trent Jaeger, David H. King, Kevin R. Butler, Serge Hallyn, Joy Latten, Xiaolan Zhang - In Proceedings of the Second IEEE Communications Society/CreateNet International Conference on Security and Privacy in Communication Networks, 2006
Cited by 4 (1 self)
Mandatory access control (MAC) enforcement is becoming available for commercial environments. For example, Linux 2.6 includes the Linux Security Modules (LSM) framework that enables the enforcement of MAC policies (e.g., Type Enforcement or Multi-Level Security) for individual systems. While this is a start, we envision that MAC enforcement should span multiple machines. The goal is to be able to control interaction between applications on different machines based on MAC policy. In this paper, we describe a recent extension of the LSM framework that enables labeled network communication via IPsec that is now available in mainline Linux as of version 2.6.16. This functionality enables machines to control communication with processes on other machines based on the security label assigned to an IPsec security association. We outline a security architecture based on labeled IPsec to enable distributed MAC authorization. In particular, we examine the construction of a xinetd service that uses labeled IPsec to limit client access on Linux 2.6.16 systems. We also discuss the application of labeled IPsec to distributed storage and virtual machine access control.

Access and use control using externally controlled reference monitors

by Stephen D. Wolthusen - ACM SIGOPS Operating Systems Review, 2002
Cited by 2 (1 self)
The reference monitor as a structuring mechanism for operating system design was proposed by Anderson [1] based on earlier work by Schell. It has since been used as a guiding principle for the design of secure operating systems or in adding security facilities to existing systems, arguably due to

Mandatory Access Control for Linux Clustered Servers

by Miroslaw Zakrzewski - In Proceedings of 2002 Ottawa Linux Symposium, 2002
Cited by 2 (0 self)
In today’s world, the use of computers and networks is growing and the vision of a single infrastructure for voice and data is becoming a reality. However, with different technologies and services using the same networking infrastructure, the realization of this vision requires higher levels of security to be implemented in computer systems. Current security solutions do not address all of the security challenges facing today’s computer systems, including clustered platforms, in one comprehensive and coherent fashion. This paper presents the previous work done in the area of access control and then focuses on new mechanisms for clustered Linux servers as part of the research project at the Ericsson Open Systems Lab. In this paper, we address the design and implementation of a framework for the mandatory access control in the distributed security infrastructure (DSI). The ongoing work is mainly based on the Flask architecture and the Linux Security Module (LSM) framework with a focus on Linux clustered servers. The paper also addresses the effects of the cluster security on the performance of the distributed system, since enforcing security may introduce degradation in the performance, an increase in administration, and some annoyance for the user. We are implementing cluster-aware access control mechanisms in the Linux kernel. We expect that our work will help position Linux as a secure operating system for clustered servers.

Proceedings of the

by Ottawa Linux Symposium, Vaijayanthimala K. Anand, Mobile Cluster Computing Using Ipv, Abdul Basit - In Proceedings of the Linux Symposium, 2002
We discuss our findings on how well the Linux 2.4 and 2.5 TCP/IP stack scales with multiple network interfaces and with the SMP network workloads on 100/1000 Mb Ethernet networks. We identify three hotspots in the Linux TCP/IP stack: 1) inter-processor cache disruption on SMP environments, 2) inefficient copy routines, and 3) poor TCP/IP stack scaling as network bandwidth increases.

Security Considerations of Commodity x86 Virtualization

by Sami Vaarala, 2006
Hardware virtualization allows physical hardware of a single computer to be shared between multiple operating systems in a nearly transparent manner. A virtual machine monitor provides each operating system virtual resources which are backed by physical resources of the hardware. Though increasing system complexity somewhat, hardware virtualization saves costs and has a number of other benefits. As the deployment of virtualization increases, dependence on the technology increases accordingly, thus emphasizing the importance of the security of virtualization mechanisms. We present a literature survey of commodity x86 hardware virtualization. We also consider virtualization security from two viewpoints: we first develop a security model for virtualization using an asset-threats approach, and then consider how virtualization can be used to improve system security. Finally, we discuss security oriented virtualization architectures, and the relationship between trusted computing, the Trusted Platform Module (TPM), and virtualization.

Tempering Network Stacks

by Dr.-Ing. Stephen D. Wolthusen
This paper summarizes existing and describes ongoing work on security policy definition and particularly enforcement in heterogeneous distributed systems. Based on a formal model of operating systems and interactions among networked nodes in a distributed system axiomatizing relations among and abstractions in distributed systems, arbitrary security policies can be defined over the same model; automated reasoning techniques can be used to dynamically derive the compliance of operations with all applicable security policies. A key component for enforcing such security policies in operating system network stacks is described along with instrumentation techniques for the Microsoft Windows NT family of operating systems. Information assurance in distributed, heterogeneous systems frequently requires that formal and informal security policies be enforced by technical means. The expressiveness required by security models and, more generally, policies [21], however, frequently exceeds the capabilities of the mechanisms available in currently deployed networking components and general purpose operating systems.