Flask: Flux Advanced Security Kernel
Flask is an operating system security architecture that
provides flexible support for security policies. The architecture was
prototyped in the Fluke research
operating system. Several of the Flask interfaces and components were
then ported from the Fluke prototype to the
The Flask architecture is now being implemented in the Linux operating system
(Security-Enhanced Linux) to transfer the
technology to a larger developer and user community.
The following papers are useful in understanding Flask and its
implementation in Fluke:
Three reports describe the implementation of the Flask architecture
History of Flask
In 1992 and 1993, researchers at the National Security Agency (NSA)
and Secure Computing Corporation (SCC) worked on the design and
implementation of Distributed Trusted Mach  (DTMach), an
outgrowth of the TMach  project and the
LOCK  project. DTMach integrated a
generalization of type enforcement [3,1], a
flexible access control mechanism, into the Mach microkernel.
The DTMach project was continued in the
Distributed Trusted Operating System [8,9] (DTOS) project. The DTOS
project improved upon the earlier design and implementation work,
yielding a prototype that was released to universities for research
(e.g. Secure Transactional Resources ,
Furthermore, the DTOS project produced a
lessons learned report,
formal specifications of the system,
an analysis of security policies and their characteristics,
a study of composability techniques, and
a study of the security and assurability of a variety of microkernel-based systems. These reports are available here.
As the DTOS project approached its completion, a new joint effort was started
by the NSA, SCC, and the University of Utah's
to transfer the DTOS security architecture into the
Fluke research operating system.
During the integration of the architecture into Fluke,
the architecture was enhanced to provide better support for dynamic
security policies. This enhanced architecture was named Flask
Several of the Flask interfaces and components were subsequently
ported from Fluke to the OSKit.
The architecture is now being implemented by the NSA in the
Linux operating system (Security-Enhanced Linux)
to transfer the technology to a larger developer and user community.
Other contributors to the Security-Enhanced Linux system include
NAI Labs, Secure Computing Corporation, and MITRE.
Up to Flux project home page
Stephen Smalley, National Security Agency
Last modified Dec 26 2000