The Flask security architecture: System support for diverse security policies

Ray Spencer, Stephen Smalley, Peter Loscocco, Mike Hibler, David G. Andersen, Jay Lepreau
[Google Scholar] [DBLP] [Citeseer]
Read: 06 October 2019

Proceedings of the 8th Conference on USENIX Security Symposium
Washington, D.C.
USENIX Association
Berkeley, CA, USA
Pages 11-11
Topic(s): os
Note(s): information flow
Papers: efstathopoulos:sosp:2005, zeldovich:osdi:2006, krohn:sosp:2007

This paper by some of my former colleagues in the Flux group at the University of Utah describes the Flask microkernel-based operating system. Like its successor SE-Linux, Flask adds fine-grained protection checks into the operating system and separates mechanism from policy by making decisions in a separate policy module that is free to implement whatever policy you want. That is, you are not stuck with whatever Linux or Windows or … provides by default.

The paper emphasises the importance of being able to control the propagation of a permission once it has been granted and of being able to revoke a permission (including aborting any in-flight operations that depend on the permission). These are key differences from capability systems.

The design is implemented in the Fluke micro kernel but they emphasise that it is broadly applicable. (Part of their mechanism allows for delegation to allow a server to act on behalf of several different clients using the permissions of those clients. It is not clear to me whether that would be as easy in a monolithic kernel.) For performance reasons, they cache permissions.

The gap in the story is that creating policies and ensuring that the set of checks you implement implements your desired policy is quite hard. This gap was tackled in a succession of other OSes such as Asbestos, HiStar and Flume.

Personal note: I joined the Flux group as Flask was being completed. I think part of the plan was that I would work on creating a policy language for Flask. Alas, I had no idea how to tackle this problem so I worked on component-based operating systems instead.