The Flask Security Architecture: System Support for Diverse Security Policies

Ray Spencer (Secure Computing Corporation)
Stephen Smalley, Peter Loscocco (National Security Agency)
Mike Hibler, David Andersen, Jay Lepreau (University of Utah)

flask@cs.utah.edu
http://www.cs.utah.edu/flux/flask/

August 1999

Abstract

Operating systems must be flexible in their support for security policies, providing sufficient mechanisms for supporting the wide variety of real-world security policies. Such flexibility requires controlling the propagation of access rights, enforcing fine-grained access rights and supporting the revocation of previously granted access rights. Previous systems are lacking in at least one of these areas. In this paper we present an operating system security architecture that solves these problems. Control over propagation is provided by ensuring that the security policy is consulted for every security decision. This control is achieved without significant performance degradation through the use of a security decision caching mechanism that ensures a consistent view of policy decisions. Both fine-grained access rights and revocation support are provided by mechanisms that are directly integrated into the service-providing components of the system. The architecture is described through its prototype implementation in the Flask microkernel-based operating system, and the policy flexibility of the prototype is evaluated. We present initial evidence that the architecture's impact on both performance and code complexity is modest. Moreover, our architecture is applicable to many other types of operating systems and environments.

Full paper (ps.gz or pdf) appears in the Proceedings of The Eighth USENIX Security Symposium, August 1999, pages 123-139. Also available in HTML format.

Slides from the briefing.