Next: OS Extensibility
Up: 12-mungi
Previous: Discretionary Confinement in Mungi
- Mandatory access control uses the domain and type enforcement (DTE) model [EH01a]:
  - Each object has a type label
  - Each APD has a domain label
  - Each thread has:
    - a type label (because it is an object)
    - a domain label (because it belongs to an APD)
  - A PDX object has:
    - a type label (because it is an object)
    - a domain label (because it has an associated PD)
- System-wide security policy is a relation on types and domains
- MAC policy relation is represented in a (user-level) policy object
- Kernel consults it on each access validation:
  - Object access: the domain must have the requested access to the type
  - APD creation / PDX call:
    - the thread must have access to the invoked object
    - the caller APD must have the right to transfer to the target APD
- Policy object consists of a number of (mostly simple) validation functions
  - invoked via PDX
    ==> also subject to MAC!
- MAC validations are cached in a separate validation cache
- How discretionary and mandatory control combine:
  - discretionary access control validates entry points and invocation right
  - mandatory access control validates right to use target PD
  - discretionary and mandatory access control together validate data access
- Can use this as the basis for secure system extensions!
  - Component model based on PDX for extending system
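The checks listed above, as an added example in Python that is not part of the original lecture or of the Mungi code base. It models the DTE relation as a user-level policy object, the kernel's two validations (object access, and the two-part PDX-call check: execute right on the entry object's type plus a permitted domain transition into the target PD), and a MAC validation cache that only upcalls into the policy object on a miss. The access-mode set, the label names, the sample policy and all object/APD names are constructed for the example; the MAC check on the PDX call into the policy object itself and the separate DAC cache are mentioned in comments but not modelled.

```python
from dataclasses import dataclass
from enum import Flag, auto
from typing import Dict, FrozenSet, Tuple

class Access(Flag):          # mode set assumed for this example
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()         # right to invoke an object as a PDX entry point

@dataclass(frozen=True)
class Obj:
    name: str
    type_label: str          # every object carries a type label

@dataclass(frozen=True)
class APD:
    name: str
    domain: str              # every APD carries a domain label

@dataclass(frozen=True)
class Thread:
    obj: Obj                 # a thread is an object, so it has a type label
    apd: APD                 # and belongs to an APD, so it has a domain label

@dataclass(frozen=True)
class PDX:
    obj: Obj                 # the entry object being invoked (type label)
    target: APD              # the PD the call switches into (domain label)

class PolicyObject:
    """User-level policy object: the (domain, type) -> Access relation and the
    permitted domain transitions.  Mungi invokes it via PDX, a call that is
    itself MAC-checked; this example calls it directly instead."""

    def __init__(self, access: Dict[Tuple[str, str], Access],
                 transitions: FrozenSet[Tuple[str, str]]):
        self.access = dict(access)
        self.transitions = frozenset(transitions)

    def domain_type_access(self, domain: str, type_label: str) -> Access:
        return self.access.get((domain, type_label), Access.NONE)   # default deny

    def may_transition(self, src: str, dst: str) -> bool:
        return (src, dst) in self.transitions   # a domain calling itself needs (d, d)

class Kernel:
    """Kernel-side MAC validation with its own validation cache (the DAC
    cache is separate and not modelled here)."""

    def __init__(self, policy: PolicyObject):
        self.policy = policy
        self.type_cache: Dict[Tuple[str, str], Access] = {}
        self.transition_cache: Dict[Tuple[str, str], bool] = {}
        self.policy_invocations = 0     # upcalls into the policy object

    def _cached(self, cache, key, validation_fn):
        """Consult the policy object only on a cache miss."""
        if key not in cache:
            self.policy_invocations += 1
            cache[key] = validation_fn(*key)
        return cache[key]

    def flush_validation_cache(self) -> None:   # needed after any policy change
        self.type_cache.clear()
        self.transition_cache.clear()

    def validate_object_access(self, thread: Thread, obj: Obj, mode: Access) -> bool:
        """Object access: the thread's domain must hold `mode` on the object's type."""
        key = (thread.apd.domain, obj.type_label)
        return mode in self._cached(self.type_cache, key, self.policy.domain_type_access)

    def validate_pdx_call(self, thread: Thread, pdx: PDX) -> bool:
        """PDX call: execute right on the entry object's type AND a permitted
        transition from the caller's domain into the target APD's domain."""
        caller = thread.apd.domain
        entry_ok = Access.EXECUTE in self._cached(
            self.type_cache, (caller, pdx.obj.type_label), self.policy.domain_type_access)
        switch_ok = self._cached(
            self.transition_cache, (caller, pdx.target.domain), self.policy.may_transition)
        return entry_ok and switch_ok

# Constructed sample policy (not Mungi's): user_d reaches database files only
# through a PDX into db_d, and has no transition into admin_d at all.
POLICY = PolicyObject(
    access={("user_d", "userdata_t"): Access.READ | Access.WRITE,
            ("user_d", "dbentry_t"): Access.EXECUTE,
            ("user_d", "adminentry_t"): Access.EXECUTE,   # entry OK, transition not
            ("db_d", "dbfile_t"): Access.READ | Access.WRITE},
    transitions=frozenset({("user_d", "db_d")}))
KERNEL = Kernel(POLICY)
USER_THREAD = Thread(Obj("user-thread", "thread_t"), APD("u", "user_d"))
USERDATA, DBFILE = Obj("report.txt", "userdata_t"), Obj("accounts.db", "dbfile_t")
DB_PDX = PDX(Obj("db_query", "dbentry_t"), APD("db", "db_d"))
ADMIN_PDX = PDX(Obj("admin_shell", "adminentry_t"), APD("adm", "admin_d"))
```

With this policy `KERNEL.validate_object_access(USER_THREAD, DBFILE, Access.READ)` is denied while `KERNEL.validate_pdx_call(USER_THREAD, DB_PDX)` succeeds, which is the confinement the slide describes: the user domain never touches `dbfile_t` directly, only through code running in `db_d`. The call on `ADMIN_PDX` fails even though the entry object is executable for `user_d`, because the transition `user_d -> admin_d` is absent from the relation. Two points a practitioner should keep: the relation is default-deny (a missing pair yields `Access.NONE`), and the cache is keyed on labels rather than on object identities, so it stays valid when objects are created or destroyed but must be flushed whenever the policy object's relation changes.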
Gernot Heiser
2002-10-24