Providing policy control over object operations in a Mach-based system
In both secure and safety-critical systems it is desirable to have a very clear relationship between the system's mandatory security policy and its proven operational semantics. This relationship is made clearer if the system architecture provides strong separation between the enforcement mechanisms and the policy decisions, and if the policy decision software is clearly identifiable in the system's architecture. This paper describes a prototype Unix system based on Mach which provides mandatory control over all kernel-supported operations. The prototype work modified the Mach kernel by extending its limited control mechanisms based on the Mach port right. The control extensions allow a mandatory control policy to specify control not only over access to an object via a port right, but over the individual services supported by the object. The mandatory security policy is implemented in an external Security Server, which provides very strong separation between policy enforcement and policy decision software. This makes it possible to support a wide range of security policies with no change to the kernel or applications.
Assuring Distributed Trusted Mach
The Distributed Trusted Mach (DTMach) program is developing a design for a high-assurance, secure, distributed system based on Mach. To achieve this goal, it is first necessary to identify the general threats against which DTMach must protect. The next step is to identify control mechanisms that are sufficient to protect against each of the threats. The DTMach design makes extensive use of type enforcement in addressing the threats. This paper describes the general threats and the countermeasures provided by DTMach. Doing so provides more evidence of the usefulness of type enforcement in general and the high assurance provided by the DTMach type enforcement policy.
1 Introduction
Distributed Trusted Mach (DTMach) is an operating system currently being designed by Secure Computing Corporation. The goal of the project is to use the Mach 3.0 kernel as the base for a secure, distributed system. The DTMach design is an outgrowth of three related efforts: Mach [12], TMach [1, 2], and LOCK ..