Next: Implementation Up: LOMAC: MAC You Can Previous: Introduction


Protection

Figure 1: LOMAC's 2-level partitioning of a system.
\includegraphics[]{Figures/circle2.eps}

LOMAC provides protection by dividing a system into two integrity levels: high and low. The diagram in figure 1 illustrates this division. The high level contains critical system components that must be protected, such as the init process, kernel daemons, system binaries, libraries and configuration files. The low level contains the remaining components, such as client and server processes that read from the network, local user processes and their files. Once LOMAC assigns a file to one level or the other, its level never changes. This is not so for processes: LOMAC can ``demote'' high-level processes by reducing their levels to low during run-time. LOMAC never increases the level of a process. Section 4 describes how LOMAC decides which files and processes belong at which level; this section summarizes how LOMAC uses this division to provide protection.

When LOMAC is running, a process's level determines how much power it has to modify other parts of the system. Given the above division of the system into two levels, LOMAC provides integrity protection with two main mechanisms. First, LOMAC prevents low-level processes from modifying (writing, truncating, deleting) high-level files or signalling high-level processes. Since non-administrative users, their network clients, and all network servers run at the low level, these restrictions protect the high-level part of the system from direct attacks by malicious remote users and compromised servers.

Second, LOMAC ensures that (potentially dangerous) data does not flow from low-level files to high-level files. A process could attempt to cause such a flow by reading from a low-level file (as data or as program text) and subsequently writing to a high-level file. LOMAC prevents such flows through demotion: whenever a high-level process reads from a low-level file, LOMAC reduces the process's level to low. Once at the low integrity level, LOMAC's first mechanism prevents the process from modifying high-level files, as described above. This combination of mechanisms prevents indirect attacks by viruses, worms and Trojan horses.

LOMAC cannot distinguish between a program that has read low-integrity data but is still running properly and one that has read low-integrity data and has been compromised. However, LOMAC can ensure that processes which read potentially dangerous low-level data during run-time are demoted to the low integrity level. Once at this low level, LOMAC's other mechanisms prevent them from harming high-integrity processes or files.
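The two mechanisms above, as an added worked model (not LOMAC's own kernel code): files carry a fixed level, processes can only be demoted, reading a lower-level file pulls a process down, and a low-level process can neither modify high-level files nor signal high-level processes. The names Level, Obj, Subject and the three access functions, and the sample paths, are assumptions made for this illustration.

```python
# Added example: a minimal model of the two-level low-water-mark mediation
# this section describes.  Not LOMAC's code; names below are assumed.
from enum import IntEnum

class Level(IntEnum):
    LOW = 0
    HIGH = 1

class Obj:
    """A file: its level is fixed once assigned."""
    def __init__(self, name, level):
        self.name, self.level = name, Level(level)

class Subject:
    """A process: its level may drop (demotion) but never rises."""
    def __init__(self, name, level):
        self.name, self.level = name, Level(level)

def read(s, o):
    """Reads (as data or program text) always succeed, but a low read demotes."""
    if o.level < s.level:
        s.level = o.level
    return True

def write(s, o):
    """Write, truncate or delete: allowed only if s is at or above o."""
    return s.level >= o.level

def signal(s, target):
    """Sending a signal: allowed only if s is at or above the target."""
    return s.level >= target.level

def indirect_attack_blocked():
    """High process reads low data, then tries to modify a high file."""
    daemon = Subject("daemon", Level.HIGH)
    config = Obj("/etc/config", Level.HIGH)      # constructed sample paths
    upload = Obj("/tmp/upload", Level.LOW)
    before = write(daemon, config)               # allowed before the low read
    read(daemon, upload)                         # demotes daemon to LOW
    return before and daemon.level == Level.LOW and not write(daemon, config)

def direct_attack_blocked():
    """Low process cannot touch the high level, but keeps its low-level access."""
    server = Subject("httpd", Level.LOW)
    init = Subject("init", Level.HIGH)
    binary = Obj("/bin/sh", Level.HIGH)
    logfile = Obj("/var/log/httpd.log", Level.LOW)
    return (not write(server, binary) and not signal(server, init)
            and write(server, logfile))
```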

Figure 2: LOMAC Loadable Kernel Module Architecture
\includegraphics[]{Figures/arch1.eps}


2001-04-30