

Introduction

Over the last 25 years, many projects have demonstrated useful Mandatory Access Control (MAC) features on UNIX systems. Two early examples include KSOS [18] and UCLA Secure UNIX [23]. More recent examples include DTE [3], and Security-Enhanced Linux [17]. However, despite their success, these demonstrations have not prompted widespread adoption of MAC in mainstream UNIX kernels.

One likely explanation for this lack of widespread adoption may be the overall cost of use: in these demonstrations, the new MAC features came at the cost of incompatibility with existing kernel and application software, increased administrative overhead, or a disruption of traditional usage patterns. Among typical users, the overall cost of adopting the new MAC features outweighed the perceived benefits, discouraging widespread mainstream adoption.

The LOMAC project is an attempt to bring simple but useful MAC integrity protection to Linux in a form that:

In short, LOMAC aims to provide a form of MAC that typical users can live with [19]. LOMAC implements a form of Low Water-Mark MAC integrity protection [5] in a Loadable Kernel Module (LKM). Administrators can load the LOMAC LKM into standard, off-the-CD-ROM Linux 2.2 kernels, including both kernels distributed in binary form and kernels built from standard sources. Once loaded, the LOMAC LKM protects the integrity of critical system processes and files from viruses, worms, Trojan horses, and malicious remote users. Because of its compatible design, LOMAC can be used to provide integrity protection for presently-deployed systems based on standard Linux kernels with little impact on their normal operation.
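The Low Water-Mark rules that give LOMAC its integrity guarantee are easy to see in a small simulation. The following is an added example written for this page, not LOMAC's own code; it models the general Low Water-Mark policy from the literature (a subject's integrity level drops to the level of anything it reads, and a subject may never write to an object above its current level) over a constructed two-level lattice. The object names, the `Subject`/`Obj` classes and the `demo` scenario are assumptions made for illustration.

```python
"""Simulation of Low Water-Mark MAC integrity protection (added example, not LOMAC code)."""
from dataclasses import dataclass, field

# Constructed two-level lattice; a larger number means higher integrity.
HIGH, LOW = 2, 1


@dataclass
class Obj:
    """A protected object (e.g. a file) carrying a fixed integrity level."""
    name: str
    level: int


@dataclass
class Subject:
    """A process whose integrity level can only fall (the 'low water mark')."""
    name: str
    level: int
    log: list = field(default_factory=list)

    def read(self, obj: Obj) -> bool:
        # Reads are always permitted, but reading lower-integrity data
        # demotes the subject to the object's level, irrevocably.
        if obj.level < self.level:
            self.log.append(f"{self.name}: demoted {self.level}->{obj.level} "
                            f"after reading {obj.name}")
            self.level = obj.level
        return True

    def write(self, obj: Obj) -> bool:
        # A subject may write only to objects at or below its current level,
        # so data that has touched low-integrity input cannot flow upward.
        if obj.level > self.level:
            self.log.append(f"{self.name}: DENIED write to {obj.name} "
                            f"(subject {self.level} < object {obj.level})")
            return False
        return True


def demo():
    """Constructed scenario: a privileged process reads untrusted input and is
    then prevented from modifying a critical system file."""
    critical = Obj("/etc/passwd", HIGH)              # constructed high-integrity object
    untrusted = Obj("/tmp/untrusted-download", LOW)  # constructed low-integrity object
    shell = Subject("root-shell", HIGH)

    results = {
        "write_critical_before_read": shell.write(critical),  # allowed: HIGH -> HIGH
        "read_untrusted": shell.read(untrusted),              # allowed, but demotes to LOW
        "write_critical_after_read": shell.write(critical),   # denied: LOW subject, HIGH object
        "write_untrusted_after_read": shell.write(untrusted), # allowed: LOW -> LOW
    }
    return results, shell


if __name__ == "__main__":
    outcome, subj = demo()
    for action, ok in outcome.items():
        print(f"{action}: {'allowed' if ok else 'denied'}")
    print("\n".join(subj.log))
```

Note that the model never blocks a read, which is what keeps it compatible with ordinary UNIX usage: the cost of consuming untrusted data is paid later, as a denied write to high-integrity objects, rather than as a failure at the point of reading.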

Several theoretical aspects of the LOMAC project have been discussed in a previous paper [9]. These aspects include LOMAC's application of the Low Water-Mark model, the UNIX compatibility benefits of models like Low Water-Mark over many better-known models, and some of the drawbacks of LOMAC's LKM-based implementation with regard to the reference monitor approach [1]. This paper, on the other hand, focuses on the details of LOMAC's implementation, paying particular attention to the techniques required to enhance standard Linux kernels without patching their source, and to manage security attributes without kernel and filesystem support.

The discussion begins with section 2, which describes the integrity protection provided by LOMAC. This is followed by a detailed examination of LOMAC's architecture and implementation in section 3, focusing on LOMAC's use of interposition and implicit attribute mapping to maintain compatibility with standard Linux kernels. Section 4 explains how LOMAC applies its protection mechanism in a manner that encourages application compatibility and avoids administrative overhead. Section 5 presents the results of some performance benchmarks, and discusses potential optimizations. Section 6 addresses usability concerns and lists some future directions for LOMAC, including strategies to overcome some of its present shortcomings and an upcoming port to FreeBSD. Section 7 follows with a summary of related efforts to enhance the security of Linux kernels. Finally, section 8 presents some conclusions.


2001-04-30