Top NSA Banner

Researchers in the National Information Assurance Research Laboratory of the National Security Agency (NSA) worked with Secure Computing Corporation (SCC) to develop a strong, flexible mandatory access control architecture based on Type Enforcement, a mechanism first developed for the LOCK system. The NSA and SCC developed two Mach-based prototypes of the architecture: DTMach and DTOS. The NSA and SCC then worked with the University of Utah's Flux research group to transfer the architecture to the Fluke research operating system. During this transfer, the architecture was enhanced to provide better support for dynamic security policies. This enhanced architecture was named Flask. The NSA integrated the Flask architecture into the Linux® operating system to transfer the technology to a larger developer and user community. The architecture has been subsequently mainstreamed into Linux and ported to several other systems, including the Solaris™ operating system, the FreeBSD® operating system, and the Darwin kernel, spawning a wide range of related work.

Two papers provide background information for the project:

• The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments explains the need for mandatory access controls in operating systems.
• The Flask Security Architecture: System Support for Diverse Security Policies describes the operating system security architecture through its prototype implementation in the Fluke research operating system.

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
FreeBSD® is a registered trademark of the FreeBSD Foundation.
Solaris™ and OpenSolaris™ are trademarks or registered trademarks of Sun Microsystems, Inc in the United States and other countries.
Secure Computing® is a registered trademark of Secure Computing Corporation