Providing Policy Control Over Object Operations in a Mach Based System


Spencer E. Minear

Secure Computing Corporation
2675 Long Lake Road,
Roseville, Minnesota 55113-2536
Email: minear@sctc.com

Abstract

In both secure and safety-critical systems it is desirable to have a very clear relationship between the system's mandatory security policy and its proven operational semantics. This relationship is made clearer if the system architecture provides strong separation between the enforcement mechanisms and the policy decisions, and if the policy decision software is clearly identifiable in the system's architecture. This paper describes a prototype Unix system based on Mach which provides mandatory control over all kernel-supported operations. The prototype work modified the Mach kernel by extending its limited control mechanisms based on the Mach port right. The control extensions allow a mandatory control policy to specify control over not only access to an object via a port right, but over the individual services supported by the object. The mandatory security policy is implemented in an external Security Server which provides very strong separation between policy enforcement and policy decision software. This makes it possible to support a wide range of security policies with no change to the kernel or applications.


Download the full text of this paper in ASCII (51,335 bytes), POSTSCRIPT (207,578 bytes), and PDF (83,684 bytes) form.