Next: Exceptions for Compatibility Up: Application Previous: Dividing the Filesystem

Monitoring Processes

While file levels are static, process levels can decrease at run-time. In general, LOMAC assigns a new process the same level as the process that created it. At initialization time, LOMAC assigns the high integrity level to the first process (the idle/init process), which initializes the system by creating a new high-level process to handle various system tasks. These processes continue by creating more high-level children. As individual processes read from low-level files, LOMAC demotes them to the low integrity level; a demotion is never reversed. From that point on, all their children begin life at the low integrity level.

This demotion behavior allows LOMAC to automatically assign user sessions to the appropriate level. For example, with a console login, the init, getty, and login processes all run at the high level. Upon verifying a user's identity, login spawns a child which executes the user's shell. The shells of non-root users immediately read their resource (rc) files from the low-level part of the system, causing LOMAC to demote them. From that point on, their children operate at the low level. LOMAC does not demote the root user's shell, because the root user's home directory and its contents are at the high level. The root user's shell may therefore create high-level children, although LOMAC will demote any of them that go on to read from the low-level part of the system. This automatic assignment of levels allows LOMAC to provide protection without being configured to recognize a site-specific list of users.

LOMAC also uses its demotion behavior to automatically confine programs that use the network to interact with (potentially malicious) remote entities. LOMAC treats all network interfaces as low-level files. As soon as a process reads from a network interface, LOMAC demotes it to the low integrity level. This scheme places network clients and servers at a safe, low level at the moment they first risk compromise - that is, as soon as they receive their first communication from the network. Furthermore, this scheme allows LOMAC to provide protection without being configured to recognize a site-specific list of potentially dangerous network-readers - LOMAC simply waits for a potentially dangerous network read operation and then makes the appropriate demotion.
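The following is an added example, not LOMAC's own code, that models the process-level rules described above: a child inherits its creator's level, reading a low-level file or any network interface demotes a high-level process, and the demotion is inherited by later children. It replays the console-login and network-daemon scenarios from this section. The file-to-level map, process names and interface name are constructed for illustration; the final "no write up" check is the standard Low Water-Mark rule that gives demotion its effect, and is assumed here rather than taken from this section.

```python
"""Toy model of LOMAC's Low Water-Mark process demotion (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HIGH, LOW = 2, 1            # two integrity levels; larger number = more trusted
LEVEL_NAME = {HIGH: "high", LOW: "low"}

# Constructed map standing in for the pathname-based partition of the
# filesystem from the previous section (not a real LOMAC configuration).
FILE_LEVELS: Dict[str, int] = {
    "/etc/passwd": HIGH,
    "/root/.profile": HIGH,
    "/home/alice/.profile": LOW,
    "/home/alice/notes.txt": LOW,
}
NETWORK_PREFIX = "net:"     # e.g. "net:eth0"; every interface is treated as LOW


@dataclass
class Process:
    pid: int
    name: str
    level: int
    parent: Optional[int] = None
    log: List[str] = field(default_factory=list)


class LomacMonitor:
    """Tracks process levels and applies the demotion rule on each read."""

    def __init__(self) -> None:
        self.procs: Dict[int, Process] = {}
        self.next_pid = 1
        # The first process (init) starts at the high level.
        self.init = self._spawn(None, "init")

    def _spawn(self, parent: Optional[Process], name: str) -> Process:
        # A child starts at exactly its creator's current level.
        level = HIGH if parent is None else parent.level
        p = Process(self.next_pid, name, level, parent.pid if parent else None)
        self.procs[p.pid] = p
        self.next_pid += 1
        return p

    def fork(self, parent: Process, name: str) -> Process:
        return self._spawn(parent, name)

    def object_level(self, obj: str) -> int:
        if obj.startswith(NETWORK_PREFIX):
            return LOW                      # network interfaces are low-level
        return FILE_LEVELS[obj]

    def read(self, p: Process, obj: str) -> int:
        """Low water-mark: the level drops to min(level, object level)."""
        obj_level = self.object_level(obj)
        if obj_level < p.level:
            p.log.append(f"demoted to {LEVEL_NAME[obj_level]} on read of {obj}")
            p.level = obj_level             # permanent for this process
        return p.level

    def can_write(self, p: Process, obj: str) -> bool:
        """Assumed 'no write up' rule: a process may not write above its level."""
        return p.level >= self.object_level(obj)


def console_login(user: str) -> Tuple[int, int]:
    """Replay the console-login scenario; returns (shell level, child level)."""
    m = LomacMonitor()
    getty = m.fork(m.init, "getty")
    login = m.fork(getty, "login")
    shell = m.fork(login, "sh")
    rc = "/root/.profile" if user == "root" else f"/home/{user}/.profile"
    m.read(shell, rc)                       # shell reads its rc file
    child = m.fork(shell, "ls")             # later child inherits the shell's level
    return shell.level, child.level


def network_daemon() -> Tuple[int, int, bool]:
    """A high-level daemon stays high until its first network read."""
    m = LomacMonitor()
    daemon = m.fork(m.init, "httpd")
    before = daemon.level
    m.read(daemon, "net:eth0")              # first communication from the network
    return before, daemon.level, m.can_write(daemon, "/etc/passwd")


if __name__ == "__main__":
    print("root shell/child levels:", console_login("root"))
    print("alice shell/child levels:", console_login("alice"))
    print("daemon before/after, may write /etc/passwd:", network_daemon())
```

Running the block shows the root shell and its child staying at level 2 (high), the non-root shell and its child ending at level 1 (low), and the daemon dropping from 2 to 1 on its first network read, after which the assumed write check refuses it access to the high-level file.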


2001-04-30