The Flask Security Architecture: System Support for Diverse Security Policies
Ray Spencer (Secure Computing Corporation)
Stephen Smalley, Peter Loscocco (National Security Agency)
Mike Hibler, David Andersen, Jay Lepreau (University of Utah)
flask@cs.utah.edu
http://www.cs.utah.edu/flux/flask/
August 1999
Abstract
Operating systems must be flexible in their support for security
policies, providing sufficient mechanisms for supporting the wide
variety of real-world security policies. Such flexibility requires
controlling the propagation of access rights, enforcing fine-grained
access rights and supporting the revocation of previously granted
access rights. Previous systems are lacking in at least one of these
areas. In this paper we present an operating system security
architecture that solves these problems. Control over propagation is
provided by ensuring that the security policy is consulted for every
security decision. This control is achieved without significant
performance degradation through the use of a security decision caching
mechanism that ensures a consistent view of policy decisions. Both
fine-grained access rights and revocation support are provided by
mechanisms that are directly integrated into the service-providing
components of the system. The architecture is described through its
prototype implementation in the
Flask microkernel-based operating system,
and the policy flexibility of the prototype is evaluated. We
present initial evidence that the architecture's impact on both
performance and code complexity is modest. Moreover, our architecture
is applicable to many other types of operating systems and
environments.
Full paper (ps.gz or
pdf)
appears in the Proceedings of
The Eighth USENIX Security Symposium,
August 1999, pages 123-139. Also available in HTML format.
Slides from the briefing.