kernelSec
Software Status
We used kernelSec at UIC in CS 587, Computer Systems Security in Fall, 2006, thus entering into alpha testing. We plan to have a software release in 2007.
- November 2006, Poster and demo at Operating System Design and Implementation in Seattle (Radhakrishnan)
- September 2006, Poster at the Midwest Security Workshop in Urbana-Champaign (Radhakrishnan)
- August 2006, Poster at USENIX Security (Radhakrishnan)
- November 2006, at Georgia Institute of Technology, Atlanta (Solworth)
- November 2006, at IEEE TrustCol in Atlanta (Solworth)
- October 2006, at IWSEC in Kyoto (Dranger)
- May 2006, at the Midwest Security Workshop in Chicago (Radhakrishnan)
- April 2006, at IEEE International Workshop on Information Assurance in London (Solworth)
- March 2006, at ACM AsiaCCS in Taiwan (Solworth)
The kernelSec project: an authorization model in an operating system kernel
The kernelSec project is developing a new authorization model (also known as an access control model) in an operating system. Its goal is to provide strong, policy-neutral mechanisms which are also (relatively) simple to use. The success of this project will result in better protected computer systems: it will be easier and safer to install applications and services (and to use existing ones).
An authorization model is customized by a configuration, producing the organization's authorization system. An authorization system implements the organization's policy, by determining whether a requested operation is allowed or denied. Thus the authorization model must be general purpose while an authorization system implements a particular organization's policy.
Why a new authorization model? Popular authorization models decide what is allowed based on the user who is executing the program. For example, a banking application runs with the same permissions as a game. The game can thus access your bank files, perhaps sending out a copy of your transactions on the network. It can masquerade as your bank program (it may have to trick you into giving it your password), and transfer the balance of your account to some country where it would be exceedingly difficult to get it back. Without authorization models, your computer is defenseless against any program installed on it. Strong authorization models limit the damage that applications can do, making it safer to add new applications and services.
KernelSec is implemented in the Linux operating system kernel using Linux Security Modules (LSM). Our implementation currently consists of 7,000 lines of kernel code and another 8,000 lines of user space configuration code. We are also developing various tools to make it easier to configure and analyze kernelSec-based systems.
The kernelSec authorization model is able to implement a wide range of authorization properties where needed. These include:
- separation of duty, which ensures that important tasks require concurrence by multiple users.
- (overt) information flow, which enforces write-after-read controls determining how information can propagate through the system.
- executable constraints, which restrict which programs can access sensitive data.
The above constraints are often called Mandatory Access Controls (MACs) because they apply system wide; in addition to MACs, kernelSec can implement traditional Discretionary Access Controls (DACs) as contained in Unix or Windows.
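As an added illustration (not kernelSec's own code or its configuration format; the users, programs, objects and labels are constructed), the toy reference monitor below layers the three constraint types above on top of per-user DAC and shows why the game from the earlier example is stopped by an executable constraint and an information-flow rule even though it runs as the same user as the bank program:

```python
"""Toy reference monitor: per-user DAC plus the three mandatory properties
(executable constraints, write-after-read information flow, separation of
duty).  Added teaching example; the policy tables are constructed and the
structure is an assumption, not kernelSec's real design."""
from dataclasses import dataclass, field

@dataclass
class Subject:
    user: str
    program: str
    read_labels: set = field(default_factory=set)  # labels of data read so far

# Constructed policy tables.
DAC = {"alice": {"bank.db", "scores.txt", "net:out"}}   # user -> objects owned
EXEC_ALLOWED = {"bank.db": {"/usr/bin/bank"}}            # sensitive object -> programs
LABEL = {"bank.db": "bank", "scores.txt": "public", "net:out": "network"}
FLOWS = {"public": {"public", "bank", "network"},        # label -> labels it may flow to
         "bank": {"bank"},
         "network": {"network", "public"}}
SOD_QUORUM = {"transfer": 2}                             # task -> distinct users required

def access(subj: Subject, obj: str, mode: str) -> tuple[bool, str]:
    """Return (allowed, reason) for subj performing mode ('read'|'write') on obj."""
    if obj not in DAC.get(subj.user, set()):
        return False, "DAC: user has no access"
    # Executable constraint: sensitive objects are reachable only from listed programs.
    if obj in EXEC_ALLOWED and subj.program not in EXEC_ALLOWED[obj]:
        return False, "executable constraint: program not permitted"
    if mode == "write":
        # Write-after-read: every label this subject has read must be allowed
        # to flow into the label of the object being written.
        for lbl in subj.read_labels:
            if LABEL[obj] not in FLOWS[lbl]:
                return False, f"information flow: {lbl} may not flow to {LABEL[obj]}"
    else:
        subj.read_labels.add(LABEL[obj])   # reading taints the subject with the label
    return True, "ok"

def authorize_task(task: str, approvers: set) -> tuple[bool, str]:
    """Separation of duty: the task proceeds only with enough distinct approvers."""
    need = SOD_QUORUM.get(task, 1)
    if len(approvers) < need:
        return False, f"separation of duty: {need} distinct users required"
    return True, "ok"

if __name__ == "__main__":
    game = Subject("alice", "/usr/bin/game")
    print(access(game, "bank.db", "read"))      # denied by executable constraint
    bank = Subject("alice", "/usr/bin/bank")
    print(access(bank, "bank.db", "read"))      # allowed
    print(access(bank, "net:out", "write"))     # denied: bank data may not reach the network
```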
It is not difficult to build an authorization model with sufficiently strong protections. What is difficult is doing so in a way which is not too complex. We have been working on developing implementation, tools, and theory which reduce the complexity of configuring and analyzing authorization systems.