Next: Acknowledgements Up: LOMAC: MAC You Can Previous: Related work


Conclusions

LOMAC's present implementation shows that it is possible to apply Mandatory Access Control techniques to standard off-the-CD-ROM Linux kernels. LOMAC uses interposition at the system call interface to gain supervisory control over kernel operations, and implicit attribute mapping to mark files with persistent labels.

By confining network-reading applications to the low integrity level, LOMAC prevents compromised servers, worms, and malicious remote users from harming the integrity of the high-level part of the system, even when they have root privilege. By demoting processes that read or execute low-integrity data, LOMAC ensures that network-imported virus and Trojan horse programs will be similarly confined, even if they are initially read or executed by root-privileged high-level processes. Due to this confinement, such malicious programs cannot copy themselves or be copied by others into the high-integrity part of the system.
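The demotion-and-confinement argument in the paragraph above can be traced through in code. The following is an added example, not LOMAC's own implementation: a user-space simulation of the Low Water-Mark rules with two assumed levels, HIGH (the trusted part of the system) and LOW (network-facing processes and whatever they produce). Object labels are derived from pathname prefixes as a stand-in for LOMAC's implicit attribute mapping; the prefixes, the process names and the sequence of events are constructed for the illustration, not taken from LOMAC's configuration.

```c
/*
 * Added example (not LOMAC's own code): a user-space simulation of the
 * Low Water-Mark integrity rules. Two levels are assumed: HIGH for the
 * trusted part of the system, LOW for network-facing processes and the
 * data they create. Object labels come from pathname prefixes, standing
 * in for LOMAC's implicit attribute mapping; the prefixes below are an
 * assumption for the example, not LOMAC's actual configuration.
 */
#include <stdio.h>
#include <string.h>

enum { LOW = 1, HIGH = 2 };

typedef struct {
    const char *name;
    int uid;    /* 0 = root; deliberately ignored by every rule below */
    int level;  /* current integrity level; it can only go down */
} subject_t;

typedef struct {
    const char *path;
    int level;
} object_t;

/* Label an object from its pathname: system trees are HIGH, the rest LOW. */
int lomac_label(const char *path)
{
    static const char *high_prefixes[] = { "/bin/", "/sbin/", "/etc/", "/usr/", "/lib/" };
    for (size_t i = 0; i < sizeof high_prefixes / sizeof high_prefixes[0]; i++)
        if (strncmp(path, high_prefixes[i], strlen(high_prefixes[i])) == 0)
            return HIGH;
    return LOW;
}

object_t lomac_object(const char *path)
{
    object_t o = { path, lomac_label(path) };
    return o;
}

/* Reading lower-integrity data demotes the reader to that level. */
int lomac_read(subject_t *s, const object_t *o)
{
    if (o->level < s->level)
        s->level = o->level;
    return s->level;
}

/* Executing an image is treated like reading it. */
int lomac_exec(subject_t *s, const object_t *o)
{
    return lomac_read(s, o);
}

/* Data arriving from the network is always LOW. */
int lomac_net_read(subject_t *s)
{
    s->level = LOW;
    return s->level;
}

/* A subject may write only objects at or below its level; uid plays no role. */
int lomac_write(const subject_t *s, const object_t *o)
{
    return s->level >= o->level ? 0 : -1;   /* 0 = allowed, -1 = denied */
}

/*
 * Constructed scenario: a root-owned server reads the network and is
 * compromised, drops a payload in /tmp, and a root-owned high-level shell
 * later executes that payload. Returns how many attempts to modify the
 * high-integrity part of the system were denied (all three, if the rules
 * hold).
 */
int worm_scenario(void)
{
    int denied = 0;
    subject_t httpd = { "httpd", 0, HIGH };
    subject_t shell = { "root-shell", 0, HIGH };
    object_t bin_ls   = lomac_object("/bin/ls");
    object_t tmp_worm = lomac_object("/tmp/worm");
    object_t usr_worm = lomac_object("/usr/bin/worm");
    object_t passwd   = lomac_object("/etc/passwd");

    lomac_net_read(&httpd);                                 /* httpd is now LOW */
    if (lomac_write(&httpd, &bin_ls) < 0) denied++;         /* cannot trojan /bin/ls */
    (void)lomac_write(&httpd, &tmp_worm);                   /* allowed: /tmp is LOW */

    lomac_exec(&shell, &tmp_worm);                          /* shell demoted to LOW */
    if (lomac_write(&shell, &usr_worm) < 0) denied++;       /* copy into /usr denied */
    if (lomac_write(&shell, &passwd) < 0) denied++;         /* /etc/passwd untouched */
    return denied;
}

/* A high-level process that reads only high-integrity data keeps its level. */
int high_process_stays_high(void)
{
    subject_t cron = { "cron", 0, HIGH };
    object_t crontab = lomac_object("/etc/crontab");
    lomac_read(&cron, &crontab);
    return cron.level == HIGH && lomac_write(&cron, &crontab) == 0;
}

int main(void)
{
    printf("writes to high-integrity objects denied: %d of 3\n", worm_scenario());
    printf("untainted high process keeps its level: %s\n",
           high_process_stays_high() ? "yes" : "no");
    return 0;
}
```

The point the simulation makes is that `uid` never appears in any rule: the root-owned shell loses the ability to write `/usr/bin` the moment it executes the low-integrity payload, exactly as the paragraph above claims. What the simulation leaves out is the part that makes LOMAC usable in practice, namely that the real mechanism enforces these rules inside the kernel at the system call boundary and persists labels across reboots, so no application has to cooperate.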

Furthermore, LOMAC's protection scheme requires no support from applications. LOMAC's access control functionality is automatic: Applications do not need to request that it be applied. It is also transparent: LOMAC interposes itself at the kernel's system call interface, requiring only the standard parameters, and returning only the standard error codes. LOMAC does not require users or applications to explicitly choose roles [8] or domains [6]. Because of the automatic and transparent nature of its protection mechanism, LOMAC can operate with existing applications, even those distributed in binary-only form.

LOMAC is designed to be compatible with existing software, largely invisible to traditional Linux users, and applicable without site-specific configuration. In short, it is designed to be a form of MAC that typical users can live with.


2001-04-30