kernelSec
.:Layered Design:.
We used kernelSec at UIC in CS 587, Computer Systems Security, in Fall 2006, thus entering alpha testing. We plan a software release in 2007.
- November 2006, Poster and demo at Operating System Design and Implementation in Seattle (Radhakrishnan)
- September 2006, Poster at the Midwest Security Workshop in Urbana-Champaign (Radhakrishnan)
- August 2006, Poster at USENIX Security (Radhakrishnan)
- November 2006, at Georgia Institute of Technology, Atlanta (Solworth)
- November 2006, at IEEE TrustCol in Atlanta (Solworth)
- October 2006, at IWSEC in Kyoto (Dranger)
- May 2006, at the Midwest Security Workshop in Chicago (Radhakrishnan)
- April 2006, at IEEE International Workshop on Information Assurance in London (Solworth)
- March 2006, at ACM AsiaCCS in Taiwan (Solworth)
OS-based authorization models are based on the access matrix, in which each process is associated with a domain. Within the domain, permissions are defined on various objects.
While a process's domain is an efficient mechanism for determining whether the process has a given permission, encoding the access matrix permissions is tedious. Moreover, to analyze what can happen in the access matrix, it is necessary to simulate both
- how the access matrix can change and
- how transitions are made between domains.
Finally, the access matrix is fragile, since small changes to the access matrix may result in the loss of needed protections.
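The following is an added illustration of the simulation just described; it is not code from kernelSec. A process starts in one domain, may transition into others, and the matrix itself may change under an HRU-style command. The domains, objects, rights, transitions and the grant rule are all constructed for this example. The analysis computes every right a process can ever obtain and checks a separation-of-duty property; a single added transition, on a domain the clerk never even enters, is enough to break it.

```python
# Added illustration (not kernelSec code): simulating an access matrix with
# domain transitions and an HRU-style matrix-change rule, then checking a
# separation-of-duty property. Domains, objects, rights, transitions and
# the grant rule are all constructed for this example.
from collections import deque
from copy import deepcopy

# matrix[domain][object] = rights that processes in `domain` hold on `object`
MATRIX = {
    "clerk":   {"payroll.db": {"read", "write"}, "audit.log": {"read"}},
    "auditor": {"payroll.db": {"read"},          "audit.log": {"read", "write"}},
    "admin":   {"payroll.db": {"read", "write", "own"},
                "audit.log":  {"read", "write", "own"}},
}

# transitions[domain] = domains a process in `domain` may move into
# (e.g. by executing a program labelled with the target domain)
TRANSITIONS = {"clerk": {"clerk"}, "auditor": {"auditor"}, "admin": {"admin"}}


def reachable_domains(transitions, start):
    """Domains a process starting in `start` can ever run in (BFS closure)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in transitions.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def grant_step(matrix, transitions):
    """One round of the constructed matrix-change rule: a domain holding
    "own" on an object may grant every other right it holds on that object
    to any domain it can transition into. Returns True if anything changed."""
    changed = False
    for src, objs in list(matrix.items()):
        for obj, rights in list(objs.items()):
            if "own" not in rights:
                continue
            for dst in transitions.get(src, ()):
                held = matrix.setdefault(dst, {}).setdefault(obj, set())
                new = (rights - {"own"}) - held
                if new:
                    held |= new
                    changed = True
    return changed


def closure(matrix, transitions):
    """Iterate the change rule to a fixpoint; the input matrix is not modified."""
    m = deepcopy(matrix)
    while grant_step(m, transitions):
        pass
    return m


def effective_rights(matrix, transitions, start):
    """Every right a process starting in `start` can ever obtain, taking both
    domain transitions and matrix changes into account."""
    m = closure(matrix, transitions)
    rights = {}
    for d in reachable_domains(transitions, start):
        for obj, r in m.get(d, {}).items():
            rights.setdefault(obj, set()).update(r)
    return rights


def violates_sod(matrix, transitions, start):
    """Separation of duty: whoever can write payroll.db must not also be able
    to write audit.log (otherwise they could cover their own changes)."""
    r = effective_rights(matrix, transitions, start)
    return "write" in r.get("payroll.db", set()) and "write" in r.get("audit.log", set())


def with_transition(transitions, src, dst):
    """Copy of `transitions` with one extra edge: the kind of 'small change'
    an administrator might make without re-analysing the whole matrix."""
    t = {d: set(v) for d, v in transitions.items()}
    t.setdefault(src, set()).add(dst)
    return t


if __name__ == "__main__":
    print("clerk, original policy:", effective_rights(MATRIX, TRANSITIONS, "clerk"),
          "SoD violated:", violates_sod(MATRIX, TRANSITIONS, "clerk"))
    # Let admins drop into the clerk domain to run clerk tools. The clerk
    # never enters admin, yet the grant rule now hands clerks write on audit.log.
    changed = with_transition(TRANSITIONS, "admin", "clerk")
    print("clerk, after admin->clerk transition:", effective_rights(MATRIX, changed, "clerk"),
          "SoD violated:", violates_sod(MATRIX, changed, "clerk"))
```

The point of the example is that neither half of the simulation can be skipped: the clerk's own row and transitions never change, so looking at them alone would report the policy as safe, and only running the matrix-change rule to a fixpoint over the new transition exposes the lost protection.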
For these reasons, we have been investigating a high-level design which is (mostly) stateless, succinct, and composable. Because it is (mostly) stateless, simulation of state transitions is almost completely avoided. Because it is succinct, it is easy to read. Finally, because it is composable, changes are relatively easy to express.
In addition, kernelSec has administrative controls to enable changes to the allowed operations. These administrative controls are conservative in preserving authorization properties such as information flow, separation-of-duty, etc.