Scholarship Grant
$19,575 (1/1/01 -1 year)

Bio
Serge Hallyn received his B.S. in computer science in 1996 at Hope College in Holland, MI, and his M.S. in 1998 at the College of William and Mary.

Current Project Description

Domain and Type Enforcement in the Linux Kernel

Domain and Type Enforcement (DTE) assigns labels called types to files and domains to processes. It controls access from domains to types and domains to other domains, regardless of the user id associated with a process. Some advantages of this include protecting user files from system administrators, protecting the system from subverted daemons running as root, and the ability to provide temporary system administrators with trusted access under a restricted domain. This project will implement Domain and Type Enforcement for Linux 2.4. An existing, working and stable implementation exists for Linux 2.3.28, which was shown to be able to thwart a popular and well-publicized root compromise attack. Future work will consist of extending DTE to accommodate new mount semantics in 2.4, further increasing performance, and creation of intuitive GUI tools for visualizing and debugging DTE policies.

Current Status
A working implementation, detailed in the ALS2000 proceedings and available at the above website, exists for Linux 2.3.28. Work has begun on an implementation for Linux 2.4, which will increase performance, add new features, and include simple and intuitive GUI tools for policy administration.