Providing Policy Control Over Object Operations
in a Mach Based System
Spencer E. Minear
Secure Computing Corporation
2675 Long Lake Road,
Roseville, Minnesota 55113-2536
Email: minear@sctc.com
Abstract
In both secure and safety-critical systems it is desirable to have a
very clear relationship between the system's mandatory security policy
and its proven operational semantics. This relationship is made
clearer if the system architecture provides strong separation between
the enforcement mechanisms and the policy decisions, and if the policy
decision software is clearly identifiable in the system's
architecture.
This paper describes a prototype Unix system based on Mach which
provides mandatory control over all kernel-supported operations. The
prototype work modified the Mach kernel by extending its limited
control mechanisms, which are based on the Mach port right. The control
extensions allow a mandatory control policy to specify control not only
over access to an object via a port right, but over the individual
services supported by that object. The mandatory security policy is
implemented in an external Security Server, which provides very strong
separation between policy enforcement and policy decision
software. This makes it possible to support a wide range of security
policies with no change to the kernel or to applications.
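The following is an added illustration, not code from the paper or from the prototype it describes. It models the architecture the abstract outlines: an enforcement point (standing in for the kernel) first checks that a task holds a port right, then asks a separate security server whether the specific service requested on that object is permitted, so that holding a send right no longer implies permission for every operation the object supports. Two hypothetical policies (a type-enforcement style table and a simple two-level lattice) are plugged into the same enforcer to show that the policy can change with no change to the enforcement code. All class names, labels, service names and policy rules are assumptions made for this example.

```python
"""Toy model of enforcement/decision separation (added example, not the
paper's code).  Names, labels and policy rules are hypothetical."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Port:
    name: str
    label: str   # security label of the object reached through this port


@dataclass
class Task:
    label: str                                   # security label of the subject
    send_rights: set = field(default_factory=set)  # ports the task may send to


class SecurityServer:
    """Policy decision point.  The enforcer only ever calls decide(); the
    policy itself is any callable (subject, object, service) -> bool."""

    def __init__(self, policy):
        self.policy = policy

    def decide(self, subject_label, object_label, service):
        return bool(self.policy(subject_label, object_label, service))


class Enforcer:
    """Policy enforcement point (the 'kernel' in the abstract's model).
    It knows nothing about the policy: it checks the port right, then asks
    the security server about the individual service being requested."""

    def __init__(self, security_server):
        self.ss = security_server
        self.audit = []  # (outcome, subject, port, service) records

    def invoke(self, task, port, service):
        if port not in task.send_rights:
            self.audit.append(("no-right", task.label, port.name, service))
            return False
        if not self.ss.decide(task.label, port.label, service):
            self.audit.append(("denied", task.label, port.name, service))
            return False
        self.audit.append(("allowed", task.label, port.name, service))
        return True


# Constructed policy 1: a type-enforcement style table of allowed services.
def te_policy(subject, obj, service):
    table = {
        ("user_d", "user_file_t"): {"read", "write"},
        ("user_d", "config_t"): {"read"},            # users may read but not write config
        ("admin_d", "config_t"): {"read", "write"},
    }
    return service in table.get((subject, obj), set())


# Constructed policy 2: a two-level lattice with no read-up and no write-down.
LEVELS = {"unclassified": 0, "secret": 1}


def mls_policy(subject, obj, service):
    s, o = LEVELS[subject], LEVELS[obj]
    if service == "read":
        return s >= o
    if service == "write":
        return s <= o
    return False


def scenario(policy, task_label, port_label, services, hold_right=True):
    """Run a set of service requests through the same enforcer under the
    given policy and return {service: allowed?}."""
    enforcer = Enforcer(SecurityServer(policy))
    port = Port("obj", port_label)
    task = Task(task_label, {port} if hold_right else set())
    return {svc: enforcer.invoke(task, port, svc) for svc in services}


if __name__ == "__main__":
    # Same port right, different services: read allowed, write denied.
    print(scenario(te_policy, "user_d", "config_t", ["read", "write"]))
    # Policy swapped, enforcer unchanged.
    print(scenario(mls_policy, "secret", "unclassified", ["read", "write"]))
```

The point to notice is that the port right alone decides nothing beyond reachability: the same task, holding the same send right, is allowed one service and denied another, and the rule that decides this lives entirely in the security server.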
Download the full text of this paper in ASCII (51,335 bytes), POSTSCRIPT (207,578 bytes), and PDF (83,684 bytes) form.