Abstract

We hypothesize that a form of kernel-resident access-control-based integrity protection can gain widespread acceptance in Commercial Off-The-Shelf (COTS) environments provided that it couples some useful protection with a high degree of compatibility with existing software, configurations, and practices. To test this hypothesis, we have developed a highly-compatible free open-source prototype called LOMAC, and released it on the Internet. LOMAC is a dynamically loadable extension for COTS Linux kernels that provides integrity protection based on Low Water-Mark access control. We present a classification of existing access control models with regard to compatibility, concluding that models similar to Low Water-Mark are especially wellsuited to high-compatibility solutions. We also describe our practical strategies for dealing with the pathological cases in the Low Water-Mark model's behavior, which include a small extension of the model, and an unusual application of its concepts.

Citations

537	The protection of information in computer systems - Saltzer, Schroeder - 1975
381	Safe Kernel Extensions without Run-time Checking - Necula, Lee
366	Integrity considerations for secure computer systems - Biba - 1977
343	A comparison of commercial and military computer security policies - Clark, Wilson - 1987
340	A Secure Environment for Untrusted Helper Applications - Goldberg, Wagner, et al. - 1996
321	Protection in operating systems - Harrison, Ruzzo, et al. - 1976
304	The chinese wall security policy - Brewer, Nash - 1989
266	D.: Role-based access control - Ferraiolo, Kuhn - 1992
238	Dealing with disaster: Surviving misbehaved kernel extensions - Seltzer, Endo, et al. - 1996
154	Computer security technology planning study - Anderson - 1972
121	Hardening COTS software with generic software wrappers - Fraser, Badger, et al. - 1999
120	A practical alternative to hierarchical integrity policies - Boebert, Kain - 1985
114	The FLASK security architecture: System support for diverse security policies - Spencer, Smalley, et al. - 1998
83	SLIC: An Extensibility System for Commodity Operating Systems - Ghormley, Petrou, et al. - 1998
73	P.: Protection- principles and practice - Graham, Denning - 1972
69	The Inevitability of Failure: The flawed assumption of security in modern computing environments - LOSCOCCO, SMALLEY, et al. - 1998
67	A Domain and Type Enforcement UNIX Prototype - Badger - 1996
62	TCP WRAPPER: Network monitoring, access control, and booby traps. Paper presented at the 3rd UNIX Security Symposium - Venema - 1992
49	Confining root programs with Domain and Type Enforcement (DTE - Walker, Sterne, et al. - 1996
41	Non-discretionary controls for commercial applications - Lipner - 1982
39	KSOS - The Design of a Secure Operating System - McCauley, Drongowski - 1979
32	Using kernel hypervisors to secure applications - Mitchem, Lu, et al. - 1997
28	Using mandatory integrity to enforce “commercial” security - LEE - 1988
17	A security retrofit of VM/370 - Gold - 1979
11	Ucla secure unix - Popek, Kampe, et al. - 1979
4	Regel-basierte Zugriffskontrolle nach dem Generalized Framework for Access Control-Ansatz am Beispiel Linux - Ott - 1997
2	Security Agility for Dynamic Execution Environments - Petkac, Badger, et al. - 2000
1	Final Evaluation Report Trusted Information Systems, Inc. Trusted XENIX version 3.0 - Arnold, Havener, et al. - 1992
1	An Introduction to the C shell. In 4.4BSD User’s Supplementary Documents, chapter 4. O’Reilly & Associates - Joy - 1994