• DocumentCode
    393360
  • Title

    Design and implementation of the TrustedBSD MAC framework

  • Author

    Watson, Robert ; Feldman, Brian ; Migus, Adam ; Vance, Chris

  • Author_Institution
    Network Associates Labs., Rockville, MD, USA
  • Volume
    1
  • fYear
    2003
  • fDate
    22-24 April 2003
  • Firstpage
    38
  • Abstract
    Developing access control extensions for operating systems is an expensive and time-consuming task. Mechanisms available for access control extension lag behind industry standard extension solutions for file systems, process schedulers, and device drivers, and suffer from a number of serious flaws in modern multi-processor, multi-threaded kernels. In this paper we explore the limitations of current technologies for security extension. We describe the TrustedBSD MAC Framework, a flexible and modular environment for operating system access control extensions on the open source FreeBSD platform. The TrustedBSD MAC Framework permits extensions to be introduced at compile-time, boot-time, or at run-time, and provides a number of services to support dynamically introduced policies, including policy-agnostic object labeling services and application interfaces. We discuss the design and implementation of the framework, as well as an implementation of a fixed-label Biba integrity policy based on the framework.
  • Keywords
    authorisation; operating system kernels; public domain software; TrustedBSD MAC Framework; application interfaces; boot time extension; compile time extension; fixed-label Biba integrity policy; multi-processor multi-threaded kernels; open source FreeBSD platform; operating system access control extensions; policy-agnostic object labeling services; run time; Access control; Electrical equipment industry; File systems; Industrial control; Job shop scheduling; Kernel; Modems; Operating systems; Runtime; Security;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    DARPA Information Survivability Conference and Exposition, 2003. Proceedings
  • Print_ISBN
    0-7695-1897-4
  • Type

    conf

  • DOI
    10.1109/DISCEX.2003.1194871
  • Filename
    1194871