Screen Version

School of Computer Science & Engineering
University of New South Wales
 Advanced Operating Systems 
 COMP9242 2002/S2 

Mandatory Access Control in Mungi

• Using domain and type enforcement (DTE) model[EH01a]:
  • Each object has a type label
  • Each APD has a domain label
  • Each thread has:
    • a type label (because it's an object)
    • a domain label (because it belongs to an APD)
  • a PDX object has:
    • a type label (because it's an object)
    • a domain label (because it has an associated PD)
• System-wide security policy is a relation on types and domains

Mandatory access control operation

• MAC policy relation is represented in (user-level) policy object
• Kernel consults on each access validation:
  • Object access: domain has access to type
  • APD creation / PDX call:
    • thread has access to invoked object
    • caller APD has right to transfer to target APD
• Policy object consists of a number of (mostly simple) validation functions
  • invoked via PDX ==> also subject to MAC!
  • MAC validations are cached in separate validation cache

PDX again...

• discretionary access control validates entry points and invocation right
• mandatory access control validates right to use target PD
• discretionary and mandatory access control validate data access

• Can use this as the basis for secure system extensions!
  • Component model based on PDX for extending system