A Domain and Type Enforcement UNIX Prototype




The following paper was originally published in the Proceedings of the Fifth USENIX UNIX Security Symposium, Salt Lake City, Utah, June 1995.

A Domain and Type Enforcement UNIX Prototype
Lee Badger, Daniel F. Sterne, David L. Sherman, Kenneth M. Walker, and Sheila A. Haghighat
Trusted Information Systems, Inc.

For more information about the USENIX Association contact:
1. Phone: 510 528-8649
2. FAX: 510 548-5738
3. Email: office@usenix.org
4. WWW URL: http://www.usenix.org

Lee Badger, Daniel F. Sterne, David L. Sherman, Kenneth M. Walker, Sheila A. Haghighat
Trusted Information Systems, Inc., 3060 Washington Road, Glenwood, Maryland 21738

Abstract

UNIX system security today often relies on correct operation of numerous privileged subsystems and careful attention by expert system administrators. In the context of global and possibly hostile networks, these traditional UNIX weaknesses raise legitimate questions about whether UNIX systems are appropriate platforms for processing and safeguarding important information resources. Domain and Type Enforcement (DTE) is an access control technology for partitioning host operating systems such as UNIX into access control domains. Such partitioning has promise both to enforce organizational security policies that protect special classes of information and to generically strengthen operating systems against penetration attacks. This paper reviews the primary DTE concepts, discusses their application to IP networks and NFS, and then describes the design and implementation of a DTE UNIX prototype system.

1 Introduction

As UNIX systems become a major part of the National Information Infrastructure, UNIX security mechanisms are coming under increasing pressure to resist attacks by highly motivated individuals, companies, and governments. Currently, UNIX security rests on protection bits, the root user, and the setuid/setgid mechanism, which place a great deal of security responsibility on privileged application programs and expert system administration. This has two important consequences. The first is that UNIX systems often exhibit a "weakest link" phenomenon in which compromise of any privileged subsystem (e.g., fingerd, lpd, rdist) makes an entire host vulnerable. The second is that reliance on numerous privileged applications increases the difficulty of implementing coordinated security policies that provide uniform protection to data and processing resources. These two problems motivate legitimate concern over whether UNIX systems are appropriate platforms for processing and safeguarding important information resources in global and possibly hostile networks.

UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Ltd.
UNIX (and other operating systems) can in theory be hardened against threats inherent in such environments by adding an access control layer that restricts privileged processes so that damage resulting from compromise or error is limited. This benefit, however, has not been realized by mainstream UNIX systems even though a number of access control mechanisms [4, 2, 6, 9, 8, 18] have been available for years. One reason may be that security enhancements often impose significant costs resulting from more complex system administration, application incompatibility (or unavailability), and additional user training. This raises a central question for practical UNIX security: can significant enhancements be added in a way that is understandable, effective, and unobtrusive? This paper presents our experiences with a new form of access control, Domain and Type Enforcement (DTE) [1] and a prototype DTE UNIX system. In recognition of the fact that access control techniques have not been easily accepted by operating system vendors (or users), DTE has been formulated specifically to address requirements of greatest concern for both vendors and users, namely: flexibility, simplicity, operating system interoperability, binary application compatibility, and performance. This paper reviews DTE (see footnote 1), discusses how DTE can be applied to IP networks and NFS and then discusses design and implementation issues of the DTE UNIX kernel. Finally this paper reviews related work and discusses our plans for further development of DTE over the next few years.

Footnote 1: DTE is described in more detail in [1].

2 DTE

DTE is an enhanced form of type enforcement, a table-oriented access control mechanism originally proposed by Boebert and Kain [9] and later refined in the LOCK system [21]. As with many access control schemes, type enforcement views a system as a collection of active entities (subjects) and a collection of passive entities (objects). In type enforcement for UNIX, an access control attribute called a domain is associated with each subject (process), and another attribute called a type is associated with each object (file, message, shared memory segment, etc.). A global table, the Domain Definition Table (DDT), represents allowed access modes between domains and types (e.g., read, write, execute), and another table, the Domain Interaction Table (DIT), represents allowed access modes between domains (e.g., signal, create, destroy). As a system runs, access attempts are mediated using table lookups: access attempts for modes not authorized in the tables are denied. Although type enforcement is very flexible, the access control tables can quickly become too complex, and type enforcement is difficult to use in practice. Additionally, the presence of type attributes on files appears to require a new and incompatible file system format. To address these issues, DTE enhances type enforcement in two ways:

1. DTE policies are specified in DTE Language (DTEL), a high-level language suitable for expressing reusable access control configurations that are compatible with current applications and system configurations.

2. During system execution, DTE file security attributes are not stored one-to-one with files on
disk, but are instead maintained implicitly in a form that capitalizes on the directory hierarchy to compactly represent portions of a file hierarchy that have identical attributes. Using implicit typing, DTE can therefore be applied to existing files with no change to file system formats.

DTE is a configurable, kernel-level access control mechanism. At each system boot, a DTE UNIX system processes a DTEL specification and establishes access controls during UNIX kernel initialization. All processes, including root processes, are subject to DTE controls. DTEL currently provides four primary statements for expressing a DTE configuration (see footnote 2):

type: Declares one or more object types to be available to other parts of a DTEL specification.

domain: Expressed as a list of tuples, defines a restricted execution environment composed of three parts: 1) "entry point" programs, identified by pathname, that a process must execute in order to enter the domain (e.g., (/bin/login)), 2) access rights to types of objects (e.g., (rwx->foo_t)), and 3) access rights to subjects in other domains (e.g., (sigkill->user_d)). A DTEL domain controls a process's access to files, a process's access via signals to processes running in other domains, and a process's ability to create processes in other domains by executing their entry point programs. For backward binary compatibility, the domain statement also provides an auto access designator to force domain transitions on older programs that are not aware of DTE: if domain A has auto access rights to another domain B, a subject in A automatically creates a subject in B when it executes, via exec(), an entry point program of B.

initial_domain: Selects the domain of the first process.

assign: Associates a type with one or more files. An assign statement may be recursive, in which case it applies to a directory and everything below, and one assign statement may override another; for instance, an assign statement for /tmp/foo may override a recursive assign statement for /tmp.

Footnote 2: For brevity we omit peripheral DTEL statements and features and also restrict our attention here to implemented features with which we have actual experience.

    /*
     * DTEL Example Policy.
     */
    type unix_t,      /* normal UNIX files, programs, etc. */
         specs_t,     /* engineering specifications */
         budget_t,    /* budget projections */
         rates_t      /* labor rates */

    #define DEFAULT (/bin/sh), (/bin/csh), (rxd->unix_t)   /* macro */

    domain engineer_d   = DEFAULT, (rwd->specs_t)
    domain project_d    = DEFAULT, (rwd->budget_t), (rd->rates_t)
    domain accounting_d = DEFAULT, (rd->budget_t), (rwd->rates_t)
    domain system_d     = (/etc/init), (rwxd->unix_t), (auto->login_d)
    domain login_d      = (/bin/login), (rwxd->unix_t),
                          (exec->engineer_d, project_d, accounting_d)

    initial_domain system_d          /* system starts in this domain */

    assign -r unix_t   /               /* default for all files */
    assign -r specs_t  /projects/specs
    assign -r budget_t /projects/budget
    assign -r rates_t  /projects/rates

Figure 1: Example DTEL Policy

An important goal for DTE is to superimpose useful security policies on existing UNIX configurations while using implicit typing to maintain backward compatibility with existing data formats and applications. Figure 1 shows a DTEL specification of a commercial policy designed to provide data protection and user authorizations in an engineering organization. To validate that our example specification is not trivial, we have run it on our prototype DTE system and found it to provide useful protection. This specification provides three types of protected user data, one type of system data, three user domains, and two supporting system domains. The user domains correspond to job descriptions, such as engineer or accountant, and the system domains provide operating system support. Additionally, this specification assigns type attributes to all files.

A DTE system running the specification of figure 1 starts the first process in the system_d domain, which is then inherited for all other system processes except the login program. The specification uses the auto mechanism to run login in the login_d domain even though the existing getty program does not request the domain transition. The login_d domain has the authority to create the user domains (engineer_d, project_d, and accounting_d), based on user authentications. Each user login session is confined by one of the user domains controlling access to protected data, which resides in three directories under /projects.
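As an added example (not code from the paper or the prototype), the following Python models the Figure 1 policy: the policy tables are transcribed from the figure, while the longest-prefix type lookup, the DDT-style access check and the exec-time domain transition logic are our own illustration of the semantics described in this section. The `request` parameter, standing for a DTE-aware program naming the domain it wants to enter, is an assumption of the example.

```python
"""Model of the Figure 1 DTEL policy (added example, not the prototype's code)."""
from dataclasses import dataclass, field


@dataclass
class Domain:
    entry_points: list                       # programs whose exec() enters this domain
    type_rights: dict                        # type name -> set of modes (r, w, x, d)
    exec_to: set = field(default_factory=set)   # (exec->D): may enter D via D's entry point
    auto_to: set = field(default_factory=set)   # (auto->D): forced into D on exec of D's entry point


def rights(specs):
    """Turn DTEL access tuples such as "rwd->specs_t" into {type: set(modes)}."""
    out = {}
    for item in specs:
        modes, typ = item.split("->")
        out[typ] = set(modes)
    return out


# The DEFAULT macro of Figure 1: two shell entry points and rxd on unix_t.
DEFAULT_ENTRY = ["/bin/sh", "/bin/csh"]
DEFAULT_RIGHTS = ["rxd->unix_t"]

POLICY = {
    "engineer_d":   Domain(DEFAULT_ENTRY, rights(DEFAULT_RIGHTS + ["rwd->specs_t"])),
    "project_d":    Domain(DEFAULT_ENTRY, rights(DEFAULT_RIGHTS + ["rwd->budget_t", "rd->rates_t"])),
    "accounting_d": Domain(DEFAULT_ENTRY, rights(DEFAULT_RIGHTS + ["rd->budget_t", "rwd->rates_t"])),
    "system_d":     Domain(["/etc/init"], rights(["rwxd->unix_t"]), auto_to={"login_d"}),
    "login_d":      Domain(["/bin/login"], rights(["rwxd->unix_t"]),
                           exec_to={"engineer_d", "project_d", "accounting_d"}),
}
INITIAL_DOMAIN = "system_d"

# "assign -r <type> <path>": recursive assignments; a longer path overrides a shorter one.
ASSIGNS = [
    ("/", "unix_t"),
    ("/projects/specs", "specs_t"),
    ("/projects/budget", "budget_t"),
    ("/projects/rates", "rates_t"),
]


def file_type(path):
    """Implicit typing: the longest assigned prefix (as a whole path component) governs."""
    best, best_type = "", None
    for prefix, typ in ASSIGNS:
        below = prefix.rstrip("/") + "/"
        if (path == prefix or path.startswith(below)) and len(prefix) >= len(best):
            best, best_type = prefix, typ
    return best_type


def allowed(domain, path, mode):
    """DDT lookup: does `domain` hold access mode `mode` to the type of `path`?"""
    return mode in POLICY[domain].type_rights.get(file_type(path), set())


def exec_transition(domain, program, request=None):
    """Domain of the process after exec() of `program` from `domain`.
    `request` is the target domain named by a DTE-aware program (an assumption of
    this example); None means the program is unaware of DTE, so only `auto`
    transitions apply. Returns None when the exec must be denied."""
    if not allowed(domain, program, "x"):      # execute permission on the program's type
        return None
    d = POLICY[domain]
    if request is not None:
        if request in d.exec_to and program in POLICY[request].entry_points:
            return request
        return None                             # transition not authorized by the DDT/DIT
    for target in d.auto_to:                    # forced transition, e.g. system_d -> login_d
        if program in POLICY[target].entry_points:
            return target
    return domain                               # ordinary exec: stay in the current domain
```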
Though simple, this sample specification can be incrementally refined to add additional user domains, distinguish between console and network user sessions, simultaneously support additional organizational policies, and harden UNIX itself by running its root daemons in tightly constrained domains.

3 DTE Networking

Since UNIX systems are usually networked, DTE systems must work naturally while communicating both with other DTE systems and with non-DTE systems. In particular, multiple DTE systems must provide mechanisms allowing coordinated protection of information among themselves, and DTE systems must protect themselves from non-DTE systems. To accomplish this, DTE adds two attributes to network communications carrying user data: 1) the type of the data written by the sending process and 2) the domain of the process that sent the data, the "source domain." A receiving process can always view the data's type, which the receiver must know to adequately protect the data, or possibly to protect itself from the data. Additionally, a receiver can always view the sender's domain; a DTE server that receives a request can therefore use the client's domain to decide whether to perform the requested function. To maintain compatibility with existing network protocols and applications, DTE attributes are carried as IP options (see footnote 3), with no change to packet contents.

DTE mediates communications over standard datagram and stream-oriented services. In each case, DTE imposes access control mediation both at send time and receive time: to successfully send data of type t, a process's domain must permit write access to t, and to successfully receive data of type t, a process's domain must permit read access to t. For datagram protocols such as UDP, a single type labels the contents of an entire packet. For stream protocols such as TCP, different portions of a stream may have different types of data; a sequence of contiguous bytes having the same type is a substream.

These design choices give high priority to compatibility and interoperability. Our datagram approach is not unusual, and homogeneously typed datagrams work well for existing applications since they are unaware of DTE and therefore only generate one type of data. Our stream approach, however, is less typical. A simpler approach would bind a security attribute to a stream socket and therefore to all data communicated on it. Typical UNIX service interactions, however, make this approach problematic. An important example is inetd, which receives socket connections for services it spawns: inetd must be able to connect to a socket and then hand the descriptor to a child process that may run in a different domain. The use of substreams removes the need for inetd to run in an all-powerful domain. Programs like telnet and rlogin provide other examples: if a user runs a program that produces output of multiple types, a single connection can carry the output back to the client in multiple substreams, but statically typed connections would force dynamic creation of new TCP connections to send the data. While multiple connections could be used to transmit multiple types of data, this would change application-layer protocols (like rcmd) and prevent DTE network applications from interoperating with their non-DTE peers.

Footnote 3: For experimental purposes, we currently assume that network packets are not stolen or modified. We plan to take advantage of known and emerging cryptographic techniques and protocols for communications authentication [15], integrity, and confidentiality [10, 11] as appropriate.

In addition to maintaining compatibility with UNIX network abstractions and application-level protocols, it is also necessary to define how DTE systems interoperate with non-DTE systems. In order for a DTE system to properly control network applications, all communications must carry type and source domain attributes. At the same time, however, DTE applications must interoperate with applications running on non-DTE systems that do not provide DTE attributes. To provide interoperability without weakening DTE, DTE hosts associate a domain with every foreign non-DTE host and mediate all network traffic with that host so that the effect of the mediation is as though the host were actually running DTE and the process sending (or receiving) from that host were running in the associated domain. Using DTEL, a DTE system can associate a single domain with the "universe" of foreign non-DTE hosts, associate a different domain to each class A, B, or C network, and finally associate specific domains to individual non-DTE hosts that, for various reasons (such as quality of administration), are more or less trustworthy than their LAN. This technique has performed well in our corporate LAN, allowing us to appropriately "trust" specified non-DTE hosts. Although we are using source-address "authentication" for compatibility at present, our plans include moving to stronger authentication, such as is envisioned for IP6, as the overall network infrastructure evolves.

Although our experience with DTE networking is still somewhat limited, we have been able to run existing UNIX applications such as rsh, rlogin, telnet, ping, sup, and mount in suitable DTE domains and we have encountered no "show stoppers." We have discovered, however, that although TCP/IP hosts should drop IP options they don't recognize, that doesn't always happen and SunOS 4.1.1 on Sun 3 systems, in particular, crashes when presented with an unrecognized option. As a result, we have added features to our systems that prevent the sending of DTE attributes to hosts that are not known to be currently running DTE. We are now formulating the requirements of a DTE protocol that would maintain timely information on the DTE status of machines as well as provide DTE policy negotiation functions that ensure that different machines "mean" the same thing by DTE attributes they exchange. Although we only have experience to date with UDP and TCP, our techniques appear to apply to raw IP, and potentially also to multicast protocols such as ISIS [5] and PSYNC [22].

Figure 2: DTE NFS Clients (figure labels: Guest User, Proprietary Data, Non-sensitive Data, DTE System, Existing File Server, Local Disk)

4 DTE NFS

The ubiquitous use of NFS highlights the need for DTE to both support NFS on DTE systems and also to interoperate with non-DTE systems that use NFS. An integration of DTE and NFS for DTE-aware clients and servers is relatively simple and involves sending and receiving DTE attributes between DTE systems that then use the attributes for mediation in the same way they use locally stored DTE attributes. To make DTE useful in the short term, however, interoperability with non-DTE NFS clients and non-DTE NFS servers may be even more important. A significant benefit of implicit typing [1] in this regard is that DTE client workstations locally associate types with all files, even files provided over NFS by file servers that are not DTE-aware. This ability has allowed us to use DTE workstations to make selected portions of our corporate file server available to selected groups of users with a minimum of administrative effort. As electronic commerce increases the need for cooperation between organizations, we expect this scenario to become more common.

Figure 2 displays the concept. A guest user has an account only on a DTE system. This system mounts from an existing file server and applies the type "proprietary data" to some files on the imported file system and the type "non-sensitive data" to the others. All guest user processes running on the DTE system are restricted according to the local DTE policy to access only the non-sensitive data. DTE network features allow a DTE system to refuse communication with selected non-DTE hosts and to prevent important types of data from being exported to non-DTE hosts (regardless of which communication service is used). If communication with a non-DTE NFS server is allowed, the client-side DTE/NFS subsystem associates types with imported files based on their pathnames. A premise of our work is that access controls must be flexible: it is up to the system administrator of a DTE system to determine whether a non-DTE host should be trusted to properly maintain data of various types.
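The send- and receive-time mediation rules of section 3, together with the treatment of a non-DTE host as though it ran in an administratively assigned domain (which the DTE/NFS client above also relies on), as an added Python example that is not the prototype's code. The rights table, the host-to-domain map with documentation-range addresses, the set of hosts known to run DTE, and the per-domain default type given to unlabeled traffic are all constructed assumptions.

```python
"""Send/receive mediation of DTE network traffic (added example, not the prototype's code)."""
import ipaddress

# Domain -> {type: modes}; an assumed fragment of a DTEL specification.
RIGHTS = {
    "engineer_d": {"unix_t": "rwx", "specs_t": "rw"},
    "guest_d":    {"unix_t": "rx", "public_t": "r"},
    "lan_d":      {"unix_t": "rw", "public_t": "rw"},   # stands in for a trusted LAN
    "universe_d": {"public_t": "r"},                     # every otherwise unknown host
}
# Type assumed for unlabeled data arriving from a host mapped to a given domain.
DEFAULT_TYPE = {"lan_d": "unix_t", "guest_d": "public_t", "universe_d": "public_t"}

# Universe, then a network, then a single less-trusted host inside it (constructed addresses).
HOST_DOMAINS = [
    ("0.0.0.0/0",     "universe_d"),
    ("192.0.2.0/24",  "lan_d"),
    ("192.0.2.77/32", "guest_d"),
]
DTE_HOSTS = {"192.0.2.10"}   # hosts known to run DTE, so they can carry the IP option


def peer_domain(addr):
    """Most specific matching prefix wins: host over network over universe."""
    ip = ipaddress.ip_address(addr)
    best_net, best_dom = None, None
    for cidr, dom in HOST_DOMAINS:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dom = net, dom
    return best_dom


def has(domain, typ, mode):
    return mode in RIGHTS.get(domain, {}).get(typ, "")


def mediate_send(sender_domain, data_type, dest):
    """Return the attributes to attach to the outgoing data, or None if the send is denied.
    Sending type t needs write access to t. A DTE peer gets the attributes as an IP
    option; a non-DTE peer gets no option (some hosts crash on unknown options) and is
    checked as if a process in its assigned domain were receiving the data."""
    if not has(sender_domain, data_type, "w"):
        return None
    if dest in DTE_HOSTS:
        return {"type": data_type, "source_domain": sender_domain}
    if not has(peer_domain(dest), data_type, "r"):
        return None          # would export a type the peer's domain may not read
    return {}                # deliver unlabeled


def mediate_receive(receiver_domain, src, attrs):
    """Attributes visible to the receiver, or None if delivery is denied.
    Labeled data from a DTE host keeps its attributes; data from any other host is
    labeled with its assigned domain and that domain's default type. Receiving type t
    needs read access to t."""
    if src in DTE_HOSTS and attrs:
        typ, src_dom = attrs["type"], attrs["source_domain"]
    else:
        src_dom = peer_domain(src)
        typ = DEFAULT_TYPE[src_dom]
    if not has(receiver_domain, typ, "r"):
        return None
    return {"type": typ, "source_domain": src_dom}
```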
Although all the data received at the IP layer will be typed according to the DTE domain associated with the non-DTE file server, the DTE/NFS subsystem on the client system resides in the DTE UNIX kernel and is trusted to override the default communications type with correct file types as specified in the system's DTEL specification.

Initially, we added DTE only to the NFS client side, as described above. We are currently testing a DTE/NFS server that can serve clients on both DTE and non-DTE systems. When the client is on a DTE system, all NFS requests are labeled by the client system with the source domain of the requesting process. The DTE/NFS server then uses the source domain as a client credential to consult the system's DTEL specification and determine whether the request is authorized. In addition, each IP packet that carries the contents of a file accessed via DTE/NFS is labeled with the type associated with that file. A potential benefit of this approach is that both source domain and type attributes are readily visible to routers and network firewalls and could allow future versions of such devices to consult them when making filtering and routing decisions. An additional benefit is that the NFS protocol need not be modified. Although NFS client requests sent by non-DTE systems lack source domain attributes, the DTE/NFS server's IP subsystem attaches them (in accordance with the DTE system's DTEL specification) before passing the requests to the DTE/NFS subsystem for mediation. From the non-DTE client's point of view, the DTE/NFS server behaves like a non-DTE server, except that access may be denied for some requests where, in the absence of DTE, the request would have been granted.

The NFS protocol is designed so that NFS server systems may crash, reboot, and resume NFS service without requiring clients to perform new lookup operations on files that were open at the time of the crash. Each NFS request contains an NFS file handle that identifies the file by file number, which allows a typical UNIX system to access the file directly without performing name translation. Unlike the permission bits and owner identifiers associated with a file, however, the implicit DTE attributes are not stored within inodes but in a separate attribute database organized by pathname instead of file number. If a newly rebooted DTE/NFS file server could not locate security attribute information for an NFS request, it would have to refuse the request, resulting in a stale file handle at the client application. To prevent this, the DTE/NFS prototype reconstructs pathnames based on inode numbers by maintaining a cache of parent inode numbers for non-directory files accessed via NFS, thereby permitting it to find file attributes in the DTE attribute database.

On our DTE/NFS prototype, the NFS daemon, like all other processes, runs in its own domain and is constrained in accordance with the system's DTEL specification. On most systems, this domain will likely be configured to give the daemon the ability to access and export many types of information.
Nevertheless, it is not necessary to make all types accessible to it. If highly sensitive or critical types of information are stored on a system, it may be highly desirable to prevent them from being exported. Standard NFS provides features for limiting the exporting of files, but these features are coarse-grained, dealing only with whole file systems, and are available only to a system administrator. By making certain types of files inaccessible to the NFS daemon, DTE provides a strong additional mechanism that can be employed by administrators to prevent individual files on arbitrary file systems from being exported.

Our experience with DTE/NFS servers is still very limited; however, our initial results are encouraging: NFS clients on DTE or non-DTE systems can be granted fine-grained restricted access to NFS-exported file hierarchies without change to applications or to non-DTE system configurations. The DTE prototype system's security attribute management strategy requires implementation of a new system cache and secondary storage to store the cache across system reboots. The cache, however, requires little human administration and requires only a small amount of additional I/O that only occurs in the context of I/O already required by NFS.

5 DTE UNIX Prototype

To gain experience with DTE concepts, we have implemented a prototype DTE UNIX system based on OSF/1 MK4.0. Although our system is based on a Mach microkernel, the DTE features are located in relatively high layers of the UNIX server's architecture, require no knowledge of microkernel interfaces, and are therefore reasonably portable to kernelized UNIX systems. We have also recently ported the DTE prototype to run on TMach Version 0.2 [7], a high-assurance trusted computing base designed to satisfy DoD security requirements as specified in the Trusted Computer System Evaluation Criteria [20]. Even though TMach employs a TMach-specific file system format, the integration required almost no change to the DTE implementation because the integration points between the UNIX server and TMach are generally at low layers in the UNIX architecture, whereas DTE is mostly implemented in the upper layers of the UNIX "kernel." Figure 3 shows the prototype's architecture. To enhance portability, the majority of the DTE implementation is located in an isolated subsystem consisting of 7,300 lines of commented C code and 3,600 lines of commented lex and yacc code.
Other UNIX kernel subsystems call into the DTE subsystem to request security services. This part of the integration consists of another 7,200 lines of code, bringing the total DTE integration to approximately 17,000 lines of kernel-resident code.

Figure 3: DTE System Architecture (figure labels: UNIX process, DTE UNIX process, UNIX system call interface, DTE interface, OSF/1 Server, DTE subsystem, Mach Kernel or TMach Kernel+Servers, Hardware)

The DTE prototype's kernel provides 20 new system calls for DTE-aware applications to use for retrieving security attributes for display to the user and for implementing security relevant functions. In addition to kernel changes, we have implemented a DTE version of the login program that authenticates users for specific roles [17, 3, 26] and then confines user sessions to specific domains using domain transitions authorized by the DTEL specification. To allow users to view DTE attributes for processes and files, we have implemented DTE-aware versions of a number of UNIX utilities such as ls and ps, and we have implemented a DTE-aware version of emacs 19.22 that displays type attributes of file buffers and allows users to simultaneously view and manipulate labeled information in multiple windows.

As the prototype boots, it reads its DTEL specification and confines all processes, regardless of UNIX root privileges, to specified domains. DTE is active before single-user mode has been reached. According to its DTEL specification, the prototype labels files, network packets, and processes, determines domain interactions and mediates process access requests. We have tested a number of policies using the prototype, including a policy to partition the components of a simulated command and control system, a policy to strengthen UNIX by confining UNIX root processes in 27 separate domains, and an enterprise data protection policy (similar to that of figure 1). Additionally, we use DTE client workstations to permit but safely limit access by "guest" users who are authorized to use some but not all TIS sensitive data.

The DTE prototype's design and implementation have given high priority to maintaining operating system interoperability and binary application compatibility. Three aspects of the DTE prototype are central to achieving these goals: 1) preserving existing data formats by employing implicit security attributes, 2) ensuring that implicit attributes are recoverable in the presence of system shutdowns and power failures, and 3) adding DTE networking support without change to existing protocols.

5.1 Implicit Attributes

For entities that must be recreated at each system boot (such as process structures or IP datagrams), the DTE prototype attaches security attributes explicitly to each object. Compatibility and performance can be maintained with this strategy because modifications need not affect secondary memory data formats or require additional I/O. Files, however, present a more difficult case both because security attributes must be maintained on disk to survive system reboots and because files are usually numerous. To address these issues, the prototype associates security attributes with files "implicitly" based on their locations within directory hierarchies.

For portability, most of the prototype's functions for file security attributes are implemented at the Virtual File System (VFS) layer and build associations between vnodes [19] and security attributes. Since all currently accessed files are represented by vnodes, all files in use have associated security attributes. When the prototype boots, it creates in kernel memory a tree of map nodes that describe how security attributes are bound to the hierarchical file name space. Although our current prototype simply keeps this tree entirely in memory, it can in principle be paged to disk as necessary. A sequence of map nodes proceeding from the root map node to a leaf map node names an existing path in the hierarchical file system name space. Each map node optionally associates one or more security attributes with the path component associated with it. The prototype currently maintains two kinds of security attributes bound to files: type names and domain entry points. To represent attributes implicitly, a map node may also associate security attributes with files whose pathnames merely include the map node as a prefix. Such map nodes represent "implicit" associations. For each security attribute, a map node provides the following options:

implicit_at: The attribute is bound to this path component. In the absence of higher-priority map nodes that conflict with this map node, the attribute is also bound to all pathnames having this path component as a prefix.

implicit_under: The attribute is not bound to this path component, but, in the absence of conflicting higher priority map nodes, the attribute is bound to all pathnames having this path component as a prefix.

explicit: The attribute is bound to this pathname only.
Informally, the prototype resolves map node conflicts by giving priority to the map node that represents a longer path, interpreting implicit_under attributes to be "longer" than implicit_at attributes for the same path and always giving priority to explicit attributes.

Figure 4: Map Nodes (figure labels: map nodes "/", "usr", "bin", "login", "data_policy"; attributes root_t, unix_t, critical_t, foo_d)

Each path provided to a domain or assign statement potentially generates a map node for every component of the path. For example, a path "/a/b/c" given in a DTEL statement generates three map nodes (the root map node is automatically present). Map nodes are shared, however, so if a second DTEL statement specifies "/a/b/c/d," only one new map node is generated. DTEL provides flags to set the initial options of map nodes: the DTEL assign statement, which associates types with files, takes a "-r" option to designate implicit_at and a "-u" option to designate implicit_under. DTEL domain statements automatically generate explicit associations for their entry point attributes. For example, the following DTEL statements generate the map nodes displayed in figure 4.

    assign root_t /
    assign -u unix_t /
    assign critical_t /data_policy
    domain foo_d = (/usr/bin/login), ...

That figure shows five map nodes, one for each unique component in the paths "/usr/bin/login" and "/data_policy." Each map node records the name of its path component and optionally records attribute associations (figure 4 uses a distinct marker for explicit, for implicit_at, and for implicit_under). Figure 4 shows that the root map node is explicitly of type "root_t" and that all files under the root "inherit" the type "unix_t." This inherited type is overridden, however, for the file "/data_policy," which has an explicit type attribute of "critical_t." The domain "foo_d" has an entry point program, "/usr/bin/login," and that file therefore has an explicit domain attribute and it also inherits the type "unix_t."

Figure 5: Attribute Associations (legend: map node, vnode; figure labels: "/", "usr", "bin", "login", "data_policy", "george", "papers", "usenix"; attributes root_t, unix_t, critical_t, foo_d)

Attributes represented by map nodes are related to files by association with standard vnode structures that have been slightly extended to interact with the map node tree. At system initialization, the root vnode is associated with the root map node. Subsequently, all name resolution operations establish bindings so that every vnode is related to a map node. In the case that a map node exists for a file represented by a vnode, a name resolution operation attaches the vnode directly to the map node. If a map node does not exist, the name resolution mechanism attaches the vnode to its parent vnode; since every resolution operation operates from a known absolute or relative path, every new attachment is relative to a known vnode, and all vnodes are eventually connected to the map node tree through a chain of parent vnode pointers. To maintain parent vnode pointers, the DTE prototype references parent vnodes, resulting in a somewhat increased kernel memory requirement for active vnodes. Figure 5 shows the vnode associations that result from process access to the files "/usr/george/papers/usenix" and "/usr/bin/login." Because the login program's pathname is fully represented by map nodes, vnodes for the path attach directly. For the path to George's usenix paper, the first two vnodes of the path connect directly to map nodes, and the rest point to the last map node in the path. Both files have the type "unix_t," which is provided by the root map node. By binding attribute values to vnode structures, the DTE prototype ensures that attributes are always available before they are needed even though the attributes may not be stored one-to-one on secondary storage.
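The map node tree and vnode parent chain of section 5.1, as an added Python example that is not the prototype's code: it implements the three binding options and the conflict rules stated above (longer path wins, implicit_under outranks implicit_at on the same node, explicit always wins for its own pathname and never propagates). The bindings it loads are the four DTEL statements that produce figure 4 plus two assumed assign statements for /projects/specs that show implicit_under overriding implicit_at; the class and function names are ours.

```python
"""Map nodes, vnodes and attribute resolution (added example, not the prototype's code)."""


class MapNode:
    """One component of a path named by a DTEL domain or assign statement."""
    def __init__(self, name):
        self.name = name
        self.children = {}
        self.explicit = {}        # attribute kind -> value, bound to this pathname only
        self.implicit_at = {}     # kind -> value, bound to this path and everything below
        self.implicit_under = {}  # kind -> value, bound to everything below, not this path


class Vnode:
    """A file in use: attached to its map node if one exists, otherwise to its parent vnode."""
    def __init__(self, name, map_node=None, parent=None):
        self.name, self.map_node, self.parent = name, map_node, parent


ROOT = MapNode("/")   # the root map node is always present


def components(path):
    return [c for c in path.split("/") if c]


def add_binding(path, kind, value, option):
    """Create (or share) map nodes for every component of `path` and record the binding.
    option is "explicit", "implicit_at" (assign -r) or "implicit_under" (assign -u)."""
    node = ROOT
    for c in components(path):
        node = node.children.setdefault(c, MapNode(c))
    getattr(node, option)[kind] = value


def lookup(path):
    """Name resolution: build the vnode chain for `path`, attaching each vnode directly to
    its map node when one exists and always to its parent vnode."""
    node, vnode = ROOT, Vnode("/", ROOT)
    for c in components(path):
        node = node.children.get(c) if node is not None else None
        vnode = Vnode(c, node, vnode)
    return vnode


def attribute(vnode, kind):
    """Retrieve attribute `kind` for a file: follow vnode parents to the first map node,
    then map node ancestors until the governing node is found."""
    v = vnode
    while v.map_node is None:          # climb to the nearest vnode that has a map node
        v = v.parent
    chain = []                         # map nodes from the nearest one up to the root
    while v is not None:
        if v.map_node is not None:
            chain.append(v.map_node)
        v = v.parent
    for i, node in enumerate(chain):
        if i == 0 and vnode.map_node is not None:
            # the file itself is represented by a map node: explicit, then implicit_at
            if kind in node.explicit:
                return node.explicit[kind]
            if kind in node.implicit_at:
                return node.implicit_at[kind]
        else:
            # an ancestor: implicit_under is "longer" than implicit_at; explicit never applies
            if kind in node.implicit_under:
                return node.implicit_under[kind]
            if kind in node.implicit_at:
                return node.implicit_at[kind]
    return None


# The DTEL statements of figure 4.
add_binding("/", "type", "root_t", "explicit")                 # assign root_t /
add_binding("/", "type", "unix_t", "implicit_under")           # assign -u unix_t /
add_binding("/data_policy", "type", "critical_t", "explicit")  # assign critical_t /data_policy
add_binding("/usr/bin/login", "domain", "foo_d", "explicit")   # domain foo_d = (/usr/bin/login), ...

# Two assumed statements showing the conflict rule for the same path.
add_binding("/projects/specs", "type", "specs_t", "implicit_at")     # assign -r specs_t /projects/specs
add_binding("/projects/specs", "type", "draft_t", "implicit_under")  # assign -u draft_t /projects/specs
```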
The DTE prototype retrieves attribute values of files using a simple algorithm that follows vnode parent pointers up until the first map node is reached and then optionally follows map nodes until the "governing" map node is reached. Efficiency is a primary concern for the DTE prototype. The overhead of associating new vnodes with appropriate map nodes during name resolution is negligible, requiring a small and constant number of pointer manipulations. The attribute retrieval operation is a more likely cause of performance degradation, but we believe it is also small. In the DTE prototype, the UNIX kernel function iaccess() (and a handful of similar functions) call DTE functions that retrieve file security attributes. Most UNIX access control functions funnel down to the iaccess() function, which is called with great frequency since every system call requesting an operation on a pathname must call iaccess at least once for every component of the path. In the worst case, each attribute retrieval could require a search to the root map node. Given the modest depth of typical UNIX pathnames and the in-memory status of the map node tree, however, this appears small relative to other overheads of UNIX kernels. At the cost of additional complexity, however, various optimizations could be taken to short-circuit attribute retrieval searches as required.

5.2 Recovery Mechanisms

Although useful security configurations can be constructed that "lock down" the mappings between areas of the hierarchical filesystem name space and security attributes, resulting in a static tree of map nodes, a more common case in our experience is to allow the map node tree to evolve as files are moved and created to reflect the needs of applications that use files. For example, an application might create a file of type "foo_t" in an area of the name space that inherits "bar_t"; such an event would add a DTEL assign statement, with its map nodes, to the system configuration. Similarly, a rename() operation may require that the map node tree be edited so that the rename operation doesn't inadvertently change the type of a file as a side effect. In general, the DTE prototype emulates the semantics of one-to-one attribute storage even though the attributes are not in fact maintained in that manner.

Given the criticality of accurate security attribute associations, dynamism in the map node tree introduces the need to maintain up-to-date associations even in the presence of system reboots or crashes. Writing map nodes to secondary storage poses an obvious risk to performance; the DTE prototype addresses this using a combination of alternate snapshot files and logging. Every thirty seconds, the map nodes are written to disk.^4 Additionally, more timely information is kept in two alternate log files; at system reboot, the most recent snapshot and log file are read to reconstruct the most recent valid state. The batched writes of the policy impose little overhead since no program waits for the writes to complete.
In contrast, the log files require synchronous I/O and must be updated as little as possible. Two basic classes of operations affect the map node tree: create operations and rename operations. In each case, the DTE prototype incurs no additional overhead if the operation does not produce an edit of the map node tree. If the operation creates a new object (e.g., a new empty file at an unused pathname, or a rename to an unused pathname), recovery is simple since the attributes can be written first. Maintenance of DTE recovery information in this case requires one synchronous write operation in addition to the two synchronous write operations performed by UNIX to create or rename a file. If an operation overwrites an existing object, however, the use of implicit attributes complicates the recovery strategy: because every file is always associated with attributes inherited from the root directory, neither order of operations:

1. replace the file first and then record the new attribute, or
2. record the new attribute first and then replace the file,

prevents mislabeling if the system crashes between the two operations. To address this, the DTE prototype records this information as a sequence of optimized transactions that makes sparing use of synchronous I/O and, most importantly, that never converts a memory-speed operation to disk speed. Both the create and rename VFS-layer operations can overwrite an existing file as a side effect. In the case of create, the UNIX VFS layer knows if there is an existing file to overwrite and truncates it for reuse with a new identity. To prevent a crash from relabeling existing file contents, the DTE prototype adds an fsync operation, ensuring that the file is empty, and then writes the new attribute to the log file, resulting in a worst-case scenario of two additional synchronous I/O operations for file creation. A rename operation rename("foo", "bar") is essentially:

unlink("bar")
link("foo", "bar")
unlink("foo")

If bar exists, an update to a log file must be made conditional on successful completion of the rename operation or the log file update may relabel the original bar. The log file update cannot be written after the rename operation because a system crash could prevent writing of the update. For this operation, the DTE system writes an uncommitted transaction to the log file containing the file number of the file to be moved and, on the next write to the log file, piggy-backs the commit of the previous transaction. During system recovery, the last transaction can be verified through an examination of on-disk file numbers. This strategy holds the recovery I/O burden to at most one synchronous I/O for every rename operation.

In general, the prototype design requires no additional disk access on a per-system call basis. This approach promotes high performance since most DTE-related overhead is in memory operations where data structures can be optimized. For recovery, however, it is necessary to add disk writes during file creates that cause changes in the attribute association database. Depending on a system's configuration, it could be that none, some, or all file creates would cause attribute associations to change.

^4 For large policies, the mechanism could be enhanced to periodically write out only the changed portion.

5.3 Network Implementation

In addition to associating attributes with files and processes and performing access control over those entities, the DTE prototype also inserts DTE attributes into IP datagrams and provides mediation of network messages. A fundamental goal of DTE network mediation is to preserve interoperability with non-DTE systems: this requires using existing IP, UDP, TCP, and NFS services and, as much as possible, preserving application layer protocols such as rsh and rlogin. Although we expect that it will be useful to add DTE awareness to some network applications such as rcp and rdist, we believe that DTE systems must first be useful in networks of non-DTE systems. Our general scheme is to add DTE attributes in the IP option space; these attributes are tokenized and currently consume 12 bytes of the 40-byte IP option space. DTE networking support at other layers is carried in these attributes at the IP layer. Due to the use of pipes and sockets in UNIX, a UNIX process may cause numerous IP datagrams to be generated and may not be aware of the network consequences of its actions. For the DTE prototype, each message is generated in the context of a process's domain and carries the domain's identity as the message's "source domain." Additionally, each message carries a type attribute; typically, each DTE domain has a default output type that labels messages generated from normal UNIX system calls such as write() and send().
For each standard UNIX system call that can generate a message, the DTE kernel retrieves the calling process's domain and default output type from the DTE policy database generated using DTEL. Traditionally, UNIX systems employ a data structure, called an mbuf, that allows buffers of data to be chained together in a manner that facilitates the prepending and stripping of protocol headers in different layers of a UNIX kernel's protocol stacks. The DTE prototype uses a slightly extended form of the typical mbuf structure that provides header space for storing source domain and type identifiers. Standard UNIX system calls that send messages save these attributes in extended mbuf chains; at the bottom of the protocol stack, these attributes are extracted from the chains and encoded as IP options on a per-datagram basis. For received messages, the mechanism works in reverse, extracting received IP options and encoding them in mbuf chains for retrieval by receiving processes. In addition to support for ordinary UNIX system calls, the DTE prototype provides a number of analogous DTE-specific system calls that allow processes to specify the type of data that they wish to send; DTE access control prevents processes from generating data types unless they have appropriate authorizations as specified in the DTEL specification.

In general, the DTE prototype treats every IP datagram as homogeneously typed; this simplifies access control over datagrams since a process using the raw IP interface, for example, can be allowed or denied access to a datagram based on its domain's access to the datagram's type. This strategy, although simple, does allow several ambiguous situations: for example, if a protocol such as TCP piggy-backs control information in packets that also carry user data, should those packets have a protocol-specific type or a user type? Currently, our approach is to label packets with user types when they contain any user data and with protocol-specific types when they contain only protocol data. In the future, a natural extension to the strategy may include a secondary "subsystem" label for use by protocol subsystems that are trusted to accurately carry user data. To minimize security mechanism, however, we are deferring secondary packet labels until a definite need has been demonstrated. In either case, the use of homogeneously typed datagrams simplifies the implementation of TCP substreams since TCP substreams are always made up of complete IP packets.
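The labelling rules above and the TCP substream split that the next paragraph describes, as an added Python example that is not the prototype's code: the send side cuts a socket's mbuf chain into homogeneously typed datagrams, each carrying (source domain, type) as an IP option, and the receive side decodes, mediates and reassembles them. The domain and type token values, the option number and the 12-byte layout are constructed, since the paper states only the size.

```python
# Added example, not the prototype's code: DTE (source domain, type)
# attributes carried as an IP option, the "homogeneously typed datagram"
# rule of section 5.3 and the TCP substream split. Token tables, option
# number and layout are constructed; the paper only gives the size
# (12 of the 40 IP option bytes).
import struct
from dataclasses import dataclass

DOMAIN_TOKENS = {"user_d": 1, "login_d": 2}
TYPE_TOKENS = {"unix_t": 1, "mail_t": 2, "tcp_ctl_t": 3}
DTE_OPT_KIND = 0x99      # placeholder option number, not from the paper
DTE_OPT_FMT = ">BBII2x"  # kind, length, domain token, type token, pad = 12 bytes

@dataclass
class Mbuf:
    data: bytes
    typ: str  # type attribute saved in the extended mbuf at send time

def encode_dte_option(domain, typ):
    """Tokenize the attributes into the IP option carried by each datagram."""
    return struct.pack(DTE_OPT_FMT, DTE_OPT_KIND, struct.calcsize(DTE_OPT_FMT),
                       DOMAIN_TOKENS[domain], TYPE_TOKENS[typ])

def decode_dte_option(opt):
    kind, length, dtok, ttok = struct.unpack(DTE_OPT_FMT, opt)
    if kind != DTE_OPT_KIND or length != len(opt):
        raise ValueError("not a DTE option")
    domain = next(d for d, t in DOMAIN_TOKENS.items() if t == dtok)
    typ = next(n for n, t in TYPE_TOKENS.items() if t == ttok)
    return domain, typ

def send_substreams(chain, domain, mss, ctl_type="tcp_ctl_t"):
    """Sending side: cut the socket's mbuf chain into homogeneously typed
    datagrams, splitting at type boundaries and at the segment size (mss)."""
    datagrams, payload, cur = [], b"", None
    for m in chain:
        if payload and m.typ != cur:  # chain boundary forces a new datagram
            datagrams.append((encode_dte_option(domain, cur), payload))
            payload = b""
        cur, data = m.typ, m.data
        while data:
            room = mss - len(payload)
            payload, data = payload + data[:room], data[room:]
            if len(payload) == mss:
                datagrams.append((encode_dte_option(domain, cur), payload))
                payload = b""
    if payload:
        datagrams.append((encode_dte_option(domain, cur), payload))
    if not datagrams:  # no user data at all (e.g. a bare ACK): protocol type
        datagrams.append((encode_dte_option(domain, ctl_type), b""))
    return datagrams

def receive_substreams(datagrams, allowed):
    """Receiving side: recover the attributes, mediate each datagram against the
    types the receiving domain may read, and merge same-typed runs back into
    substreams. Returns (substreams, types that were denied)."""
    streams, denied = [], []
    for opt, payload in datagrams:
        _domain, typ = decode_dte_option(opt)
        if typ not in allowed:
            denied.append(typ)
        elif streams and streams[-1][0] == typ:
            streams[-1] = (typ, streams[-1][1] + payload)
        else:
            streams.append((typ, payload))
    return streams, denied
```

With a segment size of 8 bytes, a chain of two unix_t buffers followed by a mail_t buffer yields three datagrams, the type change forcing the split even though the second unix_t segment is not full.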
UNIX system calls that write data onto a TCP connection enqueue onto a single chain of mbufs associated with a TCP socket; the TCP sliding window processing breaks the data stream into separate IP datagrams based on a variety of criteria to optimize performance and guarantee that receipt of all the data is acknowledged before it is forgotten on the sending side. On the sending side, the DTE prototype implements TCP substreams by breaking the single mbuf chain into multiple chains where all the data of each chain has the same type attribute. The TCP sliding window processing has been modified slightly to generate a new datagram at chain boundaries. On the receiving side, this mechanism works in reverse to return substream type information that is then used both to mediate receive operations by processes and to deliver type information for use by DTE-aware processes.

A significant extension to the DTE prototype was required to implement DTE/NFS servers. Essentially, NFS file handles specify inode numbers that have no direct relation to the map nodes that implement implicit attributes for the prototype. A means was therefore required for mapping from inode numbers to map nodes. For directories accessed via NFS, the solution is simple since every directory contains a ".." entry: using the ".." entries, it is possible to reconstruct the portion of a pathname required to establish attribute values. The prototype currently carries out this reconstruction at every NFS file handle reception; however, temporarily raising the reference counts of heavily used vnodes probably would increase performance and prevent DTE overhead from being an NFS server bottleneck. For files, the on-disk representations do not imply parents without an exhaustive search of file system inodes. To avoid this, the DTE prototype stores (file-inode-number, parent-directory-inode-number) pairs during NFS lookup operations in a cache. These entries provide a mechanism to reach the first directory that then allows pathnames to be reconstructed as necessary. To prevent any possibility of introducing additional stale file handles at client applications, the cache must be maintained on secondary storage. For intentional DTE/NFS server shutdowns, the cache can be written out only before shutdown. To avoid stale file handles after DTE/NFS server crashes, the cache must be maintained during operation. In this case also, the cache contents can be batch written at timed intervals, resulting in minimal impact on performance.

6 Related Work

The work most related to DTE and its UNIX implementation falls into two general classes: access control systems and UNIX security mechanisms.
DTE is most closely related to mandatory access control techniques [4, 9, 6, 18, 8] and type-enforcing systems [9, 21, 25, 24, 27]. In general, DTE policies are a proper superset of the DoD lattice model [4] and its integrity variation [6]: DTE can be configured to provide a lattice but can also enforce nonhierarchical security policies such as assured pipelines [9] that drive information through policy-specified pathways of arbitrary connectivity and complexity. DTE can also be configured to provide integrity categories as in [18] and to support the transformation procedures and constrained data items of the Clark/Wilson model [8]. Type enforcement was first proposed in [9] for the Secure Ada Target, a system later renamed LOCK [25]. LOCK provides a Trusted Computing Base (TCB) on top of which a UNIX emulation layer provides UNIX services. As a consequence, the type enforcement mechanism controls UNIX emulations instead of individual UNIX applications and does not distinguish among multiple applications running on a single UNIX emulation. This limitation also exists for a Mach-based LOCK derivative [14], which adds type enforcement to the Mach port, task, and virtual memory abstractions but provides no type enforcement within the UNIX emulation layer. In [24], type enforcement was added to Trusted XENIX as a TCB subset. This system provides type enforcement at the UNIX system-call interface and can individually control UNIX applications. The TCB subset architecture prohibited change to low-level disk formats and mandated use of a separate runtime database to manipulate such attributes. This strategy is a precursor of the DTE runtime implicit type concept. Type enforcement has also been integrated into at least one Internet firewall product, the SCC Sidewinder^5 system [23], but the authors are not aware of any published technical details. A number of UNIX security controls and tools have been developed. Access Control Lists (ACLs) [13] provide greater flexibility in UNIX discretionary access controls, and user-mode capabilities [16] also allow finer-grained control over propagation of access rights, but both mechanisms are discretionary in nature and provide little protection against error-prone root programs. A variety of trusted UNIX systems have been implemented and evaluated against the Trusted Computer System Evaluation Criteria [20]. These systems typically provide MLS security but lack the flexibility of DTE.
Additionally, tools such as COPS [12] check for system misconfigurations but do not improve on the base UNIX security mechanisms themselves. The Trusted Systems Interoperability Group (TSIG) has developed Internet draft standards for NFS and other protocols that support Multi-Level Secure (MLS) networking. These standards communicate significant amounts of information to represent security labels on subjects and objects that may "float" up dynamically and to represent process privileges that may be communicated across networks. For DTE, all of the required security information is contained in the relatively space-efficient type and domain identifiers carried in the IP-layer traffic, avoiding most changes to higher-layer protocols.

^5 Sidewinder is a trademark of Secure Computing Corporation, Inc.

7 Future Directions

We are actively exploring several directions for DTE. The most immediate and important one is the integration of DTE into Internet firewalls. Over the next two years, we will integrate DTE into firewalls in three phases:

DTE Firewalls: An integration of DTE into an Internet firewall and selected hosts. This integration will add defense-in-depth to the firewall security perimeter. The DTE firewall will direct traffic from specified external hosts or of specified protocols only to flow to internal DTE hosts that can contain any malicious effects. Our primary goal here is to allow more network services to be safely imported into a LAN than is now prudent.

Distributed DTE Firewalls: An integration of IP-layer encryption with the DTE firewall. This phase will connect multiple DTE enclaves across the Internet.

Domain and Type Authority Service: A DNS-like network service that will distribute portions of DTEL policies. Communicating DTE hosts will authenticate to this service and use its DTE policy information as a basis for establishing appropriate inter-host trust relations and also for agreement on how data of specific types should be protected by communicating hosts.

In order to accomplish these goals, we will soon begin investigating how multiple hosts can exchange DTE information to negotiate network DTE policies, how DTE mechanisms can most effectively use encryption to protect DTE network attributes, how DTEL can be modularized to reduce policy complexity, and how DTE policies can be dynamically and safely extended or modified at runtime.

8 Conclusions

A central question in practical UNIX security is whether significant enhancements can be added in a way that is understandable, effective, and unobtrusive.
This is a difficult question because applications and systems have evolved over time and now interact in subtle ways: practical security enhancements must allow existing programs to function properly while preventing unsafe interactions. DTE is an access control mechanism that uses a specification language to add simplicity and uses implicit typing to maintain compatibility and interoperability. This paper reports on recent extensions to DTE to provide greater security for IP-based networking and NFS services, and on design considerations of a DTE UNIX prototype. Our primary results are positive and, although the DTE prototype is a research tool, we have used it internally to provide guest users with safely restricted access to our corporate data. In sum, DTE has provided a useful research platform for building a hardened, compartmentalized UNIX system. In addition, DTE mechanisms appear suitable for interoperating and enforcing policies within networks of existing systems having no DTE controls. This capability is critical because any enhanced protection system must interoperate with existing systems through an extended transition phase as access controls are gradually adopted.

References

[1] L. Badger, D. F. Sterne, D. L. Sherman, K. M. Walker, S. A. Haghighat, "Practical Domain and Type Enforcement for UNIX," 1995 IEEE Symposium on Security and Privacy, Oakland, CA, May 1995.
[2] L. Badger, "A Model for Specifying Multi-Granularity Integrity Policies," 1989 IEEE Symposium on Security and Privacy, p. 269, Oakland, CA, May 1989.
[3] R.W. Baldwin, "Naming and Grouping Privileges to Simplify Security Management in Large Databases," Proceedings of the 1990 IEEE Symposium on Security and Privacy, p. 116, Oakland, CA, May 1990.
[4] D.E. Bell and L. LaPadula, "Secure Computer System: Unified Exposition and Multics Interpretation," Technical Report No. ESD-TR-75-306, Electronics Systems Division, AFSC, Hanscom AF Base, Bedford, MA, 1976.
[5] K.P. Birman, T. Joseph, K. Kane, F. Schmuck, "The ISIS Programming Manual and User's Guide," Department of Computer Science, Cornell University, June 1988.
[6] K.J. Biba, "Integrity Considerations for Secure Computer Systems," USAF Electronic Systems Division, Bedford, MA, ESD-TR-76-372, 1977.
[7] M. Branstad, H. Tajalli, F. Mayer, D. Dalva, "Access Mediation in a Message Passing Kernel," 1989 IEEE Symposium on Security and Privacy, p. 66, Oakland, CA, May 1989.
[8] D.D. Clark and D.R. Wilson, "A Comparison of Commercial and Military Computer Security Policies," Proceedings of the 1987 IEEE Symposium on Security and Privacy, Oakland, CA, p. 184, 1987.
[9] W.E. Boebert and R.Y. Kain, "A Practical Alternative to Hierarchical Integrity Policies," Proceedings of the 8th National Computer Security Conference, Gaithersburg, MD, p. 18, 1985.
[10] J. Ioannidis, M. Blaze, "The Architecture and Implementation of Network-Layer Security Under Unix," Presented at the USENIX Summer 1994 Technical Conference, Boston, MA.
[11] NBS, "Data Encryption Standard," Jan. 1977. Federal Information Processing Standards Publication 46.
[12] D. Farmer, "The COPS Security Checker System," Proceedings of the Summer 1990 USENIX Conference, Anaheim, CA, p. 165.
[13] G. Fernandez, L. Allen, "Extending the UNIX Protection Model with Access Control Lists," Proceedings of the Summer 1988 USENIX Conference, San Francisco, CA, 1988, p. 119.
[14] T. Fine and S. E. Minear, "Assuring Distributed Trusted Mach," 1993 IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, CA, p. 206, 1993.
[15] J. Kohl and C. Neuman, "The Kerberos Network Authentication Service (V5)," RFC 1510, September 1993.
[16] D. Klein, "A Capability Based Protection Mechanism Under Unix," Proceedings of the 1985 Winter USENIX Conference, Dallas, Texas, p. 152.
[17] C.E. Landwehr, C.L. Heitmeyer, and J. McLean, "A Security Model for Military Message Systems," ACM Transactions on Computer Systems, Vol. 2, No. 3, August 1984, pp. 198-222.
[18] S.B. Lipner, "Non-Discretionary Controls for Commercial Applications," Proceedings of the 1982 IEEE Symposium on Security and Privacy, Oakland, CA, p. 2, 1982.
[19] M. K. McKusick, "The Virtual Filesystem Interface in 4.4BSD," USENIX Computing Systems, Vol. 8, Winter 1995, p. 3.
[20] National Computer Security Center, "Department of Defense Trusted Computer System Evaluation Criteria," DoD 5200.28-STD, Dec. 1985.
[21] R. O'Brien and C. Rogers, "Developing Applications on LOCK," Proc. 14th National Computer Security Conference, pages 147-156, Washington, DC, October 1991.
[22] L.L. Peterson, N.C. Buchholz, R.D. Schlichting, "Preserving and Using Context Information in Interprocess Communication," ACM Transactions on Computer Systems, 7(3):217-246, Aug. 1989.
[23] Secure Computing Corporation, Sidewinder Press Release, October 10, 1994.
[24] D. Sterne, "A TCB Subset for Integrity and Role-Based Access Control," Proc. 15th National Computer Security Conference, pages 680-696, Baltimore, MD, 1992.
[25] O.S. Saydjari, J.M. Beckman, and J.R. Leaman, "LOCK Trek: Navigating Uncharted Space," Proceedings of the 1989 IEEE Symposium on Security and Privacy, Oakland, CA, p. 167, 1989.
[26] D. J. Thomsen, "Role-based Application Design and Enforcement," In Proc. of the Fourth IFIP Workshop on Database Security, Halifax, England, September 1990.
[27] S. Wiseman, "A Secure Capability Computer System," Proceedings of the 1986 IEEE Symposium on Security and Privacy, Oakland, CA, p. 86, 1986.