Flexible Mandatory Access Control

Introduction

This project will add the Flux Advanced Security Kernel (Flask) architecture and Type Enforcement (TE) to OpenSolaris. Flask and TE provide a flexible form of mandatory access control (MAC) that has been gaining popularity since its introduction in SELinux, SEBSD, and SEDarwin. Flask/TE has also been integrated into the Xen hypervisor and has been applied to applications such as the X server, D-BUS, and PostgreSQL.

The goal of this research project is to enhance and complement existing OpenSolaris security mechanisms with Flask and TE technologies.

The Flask architecture provides flexible support for a wide range of security policies. Flexibility is provided at two levels: one can plug and play different security servers (policy engines) behind a well-defined abstract security interface without needing to modify the rest of the system at all, and one can configure the example security server included in the reference implementation of Flask to achieve a wide range of security goals via its flexible TE and constraint-based models. The specific policy enforced by the kernel is dictated by the security server, and the example security server is driven by security policy configuration files which can include a diverse set of policy rules (e.g., type enforcement, role-based access control, and multi-level security). The flexibility of the system allows the policy to be modified and extended to customize the security policy as required for any given installation.

Type enforcement is the central security model implemented by the example security server in the reference Flask implementation; the other security models leverage it as a building block. Like traditional MAC schemes such as BLP or Biba, TE makes decisions based on security labels on processes and objects, enforces access rules defined by administrators and/or the organization, is able to confine malicious and flawed software, and is able to enforce system-wide security requirements. However, TE was designed to address the limitations of traditional mandatory mechanisms: it provides protection and confinement of "trusted" subjects, expresses a wide range of security goals (confidentiality, integrity, least privilege, separation of duty, assured pipelines), takes the program/code being executed into account in security decisions in terms of its function and trustworthiness, and separates policy from enforcement. TE is a self-contained model; i.e., there is no external privilege mechanism on which it depends, and analysis of its rule set is sufficient to understand the full ramifications of what is possible in the system, modulo bugs in the kernel.
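The two paragraphs above describe the Flask split between enforcement (object managers) and decision (a pluggable security server) and the TE model that the example security server implements. The page carries no code, so the following is an added example, not code from the original page or from the OpenSolaris FMAC project: a toy Flask-style object manager, access vector cache and TE policy engine in Python. The rule syntax (`type`, `allow src tgt:class { perms }`), the type names, the object class and the denial-message format are assumptions modelled on SELinux-style TE, not FMAC's own policy language.

```python
"""Toy model of the Flask architecture with a Type Enforcement security server.

Constructed for illustration: the policy syntax, type names and object class
are assumptions modelled on SELinux-style TE rules, not OpenSolaris/FMAC's own.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessQuery:
    source_type: str   # label (type) of the subject, i.e. the process
    target_type: str   # label (type) of the object
    obj_class: str     # object class, e.g. "file"


class SecurityServer:
    """Abstract policy engine: the only interface enforcement code depends on."""

    def compute_av(self, q: AccessQuery) -> frozenset:
        raise NotImplementedError


class TESecurityServer(SecurityServer):
    """TE engine driven by a textual policy of 'type' and 'allow' statements."""

    def __init__(self, policy_text: str):
        self.types = set()
        self.rules = defaultdict(set)
        for line in policy_text.strip().splitlines():
            line = line.split("#", 1)[0].strip().rstrip(";")
            if not line:
                continue
            kw, rest = line.split(None, 1)
            if kw == "type":
                self.types.add(rest.strip())
            elif kw == "allow":
                # allow SRC TGT:CLASS { perm perm ... }
                src, tgt_cls, perms = rest.split(None, 2)
                tgt, cls = tgt_cls.split(":")
                for t in (src, tgt):
                    if t not in self.types:
                        raise ValueError(f"undeclared type {t!r}")
                self.rules[AccessQuery(src, tgt, cls)] |= set(perms.strip("{} ").split())
            else:
                raise ValueError(f"unknown statement {kw!r}")

    def compute_av(self, q):
        # Default deny: only explicitly allowed permissions are granted.
        return frozenset(self.rules.get(q, ()))


class AllowAllSecurityServer(SecurityServer):
    """Alternative engine (grants everything); swapping it in touches no enforcement code."""

    def compute_av(self, q):
        return frozenset({"read", "write", "getattr"})


class AVC:
    """Access Vector Cache: memoises security-server decisions for object managers."""

    def __init__(self, server):
        self.server, self.cache, self.hits, self.misses = server, {}, 0, 0

    def has_perm(self, q, perm):
        if q not in self.cache:
            self.misses += 1
            self.cache[q] = self.server.compute_av(q)
        else:
            self.hits += 1
        return perm in self.cache[q]

    def reload_policy(self, server):
        """Plug in a different security server; cached decisions are invalidated."""
        self.server, self.cache = server, {}


@dataclass
class Process:
    pid: int
    uid: int
    sectype: str


@dataclass
class File:
    path: str
    sectype: str


class FileServer:
    """Object manager: labels objects and enforces decisions, never makes them."""

    def __init__(self, avc):
        self.avc, self.denials = avc, []

    def access(self, proc, f, perm):
        q = AccessQuery(proc.sectype, f.sectype, "file")
        # uid is deliberately not consulted: TE decides on labels only, so
        # uid 0 confers no extra access (no external privilege mechanism).
        if self.avc.has_perm(q, perm):
            return True
        self.denials.append(f"avc: denied {{ {perm} }} pid={proc.pid} uid={proc.uid} "
                            f"scontext={proc.sectype} tcontext={f.sectype} tclass=file")
        return False


EXAMPLE_POLICY = """  # constructed policy
type httpd_t;
type shell_t;
type httpd_config_t;
type shadow_t;
# The web server may read its own configuration and nothing else.
allow httpd_t httpd_config_t:file { read getattr };
# An interactive shell may read and edit the web server configuration.
allow shell_t httpd_config_t:file { read write getattr };
"""


def demo():
    avc = AVC(TESecurityServer(EXAMPLE_POLICY))
    fs = FileServer(avc)
    httpd = Process(pid=101, uid=0, sectype="httpd_t")      # root, but confined
    shell = Process(pid=202, uid=1000, sectype="shell_t")
    conf = File("/etc/httpd.conf", "httpd_config_t")
    shadow = File("/etc/shadow", "shadow_t")
    r = {
        "httpd_reads_conf": fs.access(httpd, conf, "read"),
        "httpd_reads_conf_again": fs.access(httpd, conf, "read"),   # AVC hit
        "httpd_writes_conf": fs.access(httpd, conf, "write"),       # AVC hit, denied
        "root_httpd_reads_shadow": fs.access(httpd, shadow, "read"),  # uid 0, denied
        "shell_writes_conf": fs.access(shell, conf, "write"),
    }
    r["avc_hits"], r["avc_misses"], r["denials"] = avc.hits, avc.misses, list(fs.denials)
    # Plug and play: new policy engine, same unmodified object manager.
    avc.reload_policy(AllowAllSecurityServer())
    r["after_swap_httpd_reads_shadow"] = fs.access(httpd, shadow, "read")
    r["avc_entries_after_swap"] = len(avc.cache)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two points from the text are visible in the output: the root-owned `httpd_t` process is denied `/etc/shadow` because the decision consults only the labels, and replacing the security server through `AVC.reload_policy` changes what is allowed without any change to `FileServer`, which is the separation of policy from enforcement the Flask interface provides.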

A project goal will be to preserve existing user-level APIs and only add new APIs to support additional functionality. This will ensure compatibility with existing OpenSolaris executables.

The project will be based on a Flask source version that is compatible with licensing terms for the OpenSolaris ON (OS/Net) consolidation.

The project will initially be staffed jointly by the United States National Security Agency and Sun Microsystems, Inc. Participation from the community is highly encouraged.

Source Code and Images

The project will provide a Mercurial repository and BFU archives.

Areas of Development

The initial focus of the project will be integrating Flask and TE into the OpenSolaris kernel, introducing the associated support into the OS utilities, and creating an example policy configuration for Solaris.

Other possible areas of interest to the project include but are not limited to the following:

Usability

Policy Expression

Develop higher-level tools and languages for expressing policy goals and mapping them to the lower-level representation enforced by the operating system. Also integrate policy development with existing application development tools in order to allow application developers to seamlessly create policy for their applications during the normal development lifecycle. This requires bridging the semantic gap between low-level access control checks and higher-level security goals meaningful to the user. Any work here should seek to leverage and build upon prior work, e.g., see the CDS Framework IDE at the Tresys Open Source Server.

Policy Messages

Develop tools that present policy failures that are easier to understand by system administrators and users.

Trusted Extensions

Investigate how Flask/TE and Trusted Extensions can interact with and complement one another in providing MAC functionality.

Securing the Desktop

Leverage the XACE framework and address other aspects of the desktop infrastructure required to enforce flexible MAC on the desktop.

Virtualization

Leverage the Flask/TE support in Xen 3.2 in combination with Flask/TE support in OpenSolaris to express and enforce an overall security goal for the platform.

Related Projects

  • Labeled NFS: work with the ongoing labeled NFS project, which is seeking to introduce support for MAC in NFSv4 (see the discussion list).

Created by on 2009/10/26 11:40
Last modified by admin on 2009/10/26 12:42