In June, 2000, I submitted an unsolicited white paper, “Poligraph,” to Dr. Douglas Maughan at DARPA, proposing a flexible access control policy framework for operating systems. The goal of the design was to revisit the relationship between the operating system kernel and its access control policies in order to facilitate research, better support development of trusted operating systems, and improve support for third-party security extensions. The opportunity to investigate the practical implementation of these ideas arose through the DARPA Composable High-Assurance Trustworthy Systems (CHATS) programme, which would fund research into open source security and security composability.
Over the next three years, I was principal investigator of the Community-Based Open Source Security (CBOSS) project at NAI Labs (later McAfee Research) that prototyped the MAC Framework on FreeBSD². Table 3.1 provides a rough timeline of the evolution of the framework, first as a DARPA research project, and then as a new security technology deployed in an increasing number of open source and commercial products.
The TrustedBSD MAC Framework narrows my original Poligraph proposal by investigating a subset of the security extension problem: rather than abstracting base OS security policies (such as DAC and UNIX user isolation), the framework allows policy modules to augment or supplement the base policy. This approach leaves existing policies inlined in the kernel source, but facilitates the creation of mandatory access control policy modules, a particular interest given the limited technology transfer successes of MAC in 2000.
2000        TrustedBSD Project announced with MAC design goal.
2000        “Poligraph” white paper submitted to DARPA.
2001-2004   DARPA CHATS programme; NAI Labs CBOSS project develops MAC Framework in public FreeBSD Perforce.
2002        MAC Framework merged to FreeBSD 5 development tree.
2003        Framework appears in FreeBSD 5.0 marked “experimental”.
2004-2007   US Navy sponsors NAI Labs improvements to the framework, SEBSD policy, and port to Mac OS X.
2006        nCircle sponsors privilege analysis of FreeBSD kernel, framework extensions to allow privilege management.
2006        Apple ships Mac OS X Leopard desktop with MAC Framework-based sandboxing.
2007        Secure Computing Corporation contributes improvements from Sidewinder transition to FreeBSD; evaluated EAL 4+.
2007-2008   Institute of Software, Chinese Academy of Sciences static analysis studies of MAC Framework.
2008        Apple introduced MAC Framework in iPhone OS 2.0 to sandbox applications distributed via App Store.
2008        Seccuris contributes framework improvements for IPC and networking while adding Biba to monitoring service.
2009        DTrace instrumentation added to MAC Framework at Cambridge, in support of Google-sponsored TESLA project.
2009        MAC Framework upgraded to “production” feature in FreeBSD 8.0, enabled in kernel by default.
2010        Apple completes Mac OS X EAL3+ evaluation with MAC Framework enforcement; iPad ships with MAC Framework.

Table 3.1: Development and deployment of the TrustedBSD MAC Framework over ten years – from a DARPA white paper to a security technology used in routers, firewalls, desktops, servers, and even smart phones and tablet computers. My PhD research at the University of Cambridge began in 2005.

² Many members of this team are thanked in the acknowledgements of this thesis: sizeable research

A central thrust of the project was the creation of reference policy modules that would validate the research approach, exercise the features of the framework, and provide many open source users access to MAC policies for the first time. Initial reference modules were information flow policies grounded in trusted systems research: Bell-LaPadula multi-level security (MLS) and a fixed-label Biba policy. We also implemented Fraser’s LOMAC low-watermark floating label integrity policy [45], which, while also a labeled information flow policy, requires dynamic changes to subject labels on object read, and therefore has significantly different synchronisation requirements from MLS and Biba. Previous LOMAC prototypes instrumented kernels using system call interposition, providing an opportunity for us to compare the two approaches.
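The following C model, added here as an illustration and not code from the thesis or from the MAC Framework itself, contrasts the fixed-label Biba read check with LOMAC's floating subject label; the integrity levels, struct layouts and function names are assumptions chosen for the example.

```c
#include <stdbool.h>

/* Illustrative integrity levels (assumed for this example); higher is more trusted. */
enum { INTEGRITY_LOW = 0, INTEGRITY_MEDIUM = 1, INTEGRITY_HIGH = 2 };

struct subject { int integrity; };   /* label carried on the process credential */
struct object  { int integrity; };   /* label stored with the file or IPC object */

/* Fixed-label Biba, "no read down": the subject label never changes,
 * so the check only reads both labels and refuses lower-integrity input. */
bool biba_check_read(const struct subject *s, const struct object *o)
{
    return o->integrity >= s->integrity;
}

/* LOMAC low-watermark: the read is always permitted, but the subject's
 * label floats down to the object's level when the object is lower.
 * Because this writes the shared subject label, a kernel must hold an
 * exclusive lock on the credential here, where Biba only needs a
 * read-side check; this is the synchronisation difference noted above. */
bool lomac_check_read(struct subject *s, const struct object *o)
{
    if (o->integrity < s->integrity)
        s->integrity = o->integrity;   /* demote the subject */
    return true;
}

/* Both policies forbid "write up": a subject may not modify an object
 * of higher integrity than its own current label. */
bool integrity_check_write(const struct subject *s, const struct object *o)
{
    return s->integrity >= o->integrity;
}

/* Scenario: a high-integrity subject reads a low-integrity file, then tries
 * to write a high-integrity file. Under Biba the read is refused outright;
 * under LOMAC the read succeeds but the later write fails because the
 * subject was demoted. Returns the subject's final LOMAC integrity, or -1
 * if the write was wrongly allowed. */
int lomac_demo(void)
{
    struct subject s = { INTEGRITY_HIGH };
    struct object low_file = { INTEGRITY_LOW };
    struct object high_file = { INTEGRITY_HIGH };

    (void)lomac_check_read(&s, &low_file);
    return integrity_check_write(&s, &high_file) ? -1 : s.integrity;
}
```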
As the research project proceeded, we expanded our scope to adapt SELinux’s FLASK/TE [127] to FreeBSD – this was done before the inception of Linux Security Modules (LSM) [148], and established a model for how FLASK, itself an abstract security extension framework, might interact with a concrete extension system such as the MAC Framework or LSM. We also developed several UNIX-centric policies, which we felt would be of interest to Internet Service Providers (ISPs), another significant FreeBSD consumer chafing under the limitations of traditional UNIX access control. UNIX-centric policies rely on existing subject and object meta-data – credentials, file ownership, and file permissions – and illustrate the flexibility of the MAC Framework in supporting differing points on the security vs. performance spectrum.
The CBOSS Project also developed general-purpose OS infrastructure components necessary to support features such as mandatory access control. These included a new Pluggable Authentication Modules (PAM) implementation, OpenPAM [125], allowing the login process to be more easily extended, and UFS2, a significant revision to the UFS file system in order to provide more reliable, semantically rich, and high-performance extended attributes to store security labels [81].
In 2004, the US Navy sponsored an adaptation of the TrustedBSD MAC Framework to Apple’s relatively new Mac OS X operating system [11]. At first a research project [130], the port later matured into the security framework shipped in Mac OS X to sandbox video CODECs and other high-risk code, as well as Apple’s iOS [10], to sandbox third-party applications distributed to the iPhone and iPad via Apple’s AppStore.
In 2005, I began my PhD in computer security at the Computer Laboratory at the University of Cambridge, and continued my involvement in the MAC Framework project as an operating system security researcher, open source contributor, and independent contractor. This allowed me to engage in further development and technology transfer of the MAC Framework to a broad range of products, observing and participating in its adaptation to diverse environments.
Further transfer successes on FreeBSD included adoption of the MAC Framework by Juniper Networks in the JunOS SDK [70], Seccuris’s intrusion monitoring products [121], nCircle’s policy enforcement appliances [93], and in McAfee’s high-assurance Sidewinder firewall³ [79]. The MAC Framework design has influenced other research, including, notably, the Asbestos operating system [36], which applied the MAC Framework’s notion of policy-agnostic labels to application-level policy enforcement. Detailed discussion of practical experience in deploying the MAC Framework in FreeBSD, the Mac OS X and iOS ports, and enhancement of the MAC Framework for use in nCircle’s appliance, may be found in Chapter 4.
³ Ironically, despite McAfee Research having developed the MAC Framework, the framework only entered the McAfee product line through their acquisition of Secure Computing Corporation (SCC), who adopted the framework through the FreeBSD operating system.