A Decade of OS Access-Control Extensibility

Home , Mandatory access control, Monolithic Kernel, Time Machine (macOS), Veriexec

practice

doi:10.1145/2408776.2408792 movement from multiuser computing Article development led by queue.acm.org toward single-user devices with complex application models. The transition was facilitated by extensible access-con- Open source security foundations trol frameworks, which allow operating- for mobile and embedded devices. system kernels to be more easily adapted to new security requirements. By Robert N.M. Watson One such extensible kernel reference-monitor framework is the Trust- edBSD MAC (Mandatory Access Con- trol) Framework, developed beginning in 2000 and shipped in the open source A Decade of OS FreeBSD operating system in 2003. This article first describes the context and challenges for access-control extensibility and high-level framework Access-Control design, then turns to practical experience deploying security policies in several framework-based products, including FreeBSD, nCircle appliances, Juniper’s Junos, and Apple’s OS X and Extensibility iOS. While extensibility was key to each of these projects, they motivated con- siderable changes to the framework itself, so the article also explores how the framework did (and did not) meet each product’s requirements, and finally reflects on the continuing evolution of operating-system security.

A Quiet Revolution in OS Design Embedded and mobile operating sys- To discuss operating-system security is to marvel tems have changed greatly in the past 20 years: devices have gained the CPU at the diversity of deployed access-control models: power to run general-purpose operat- Unix and Windows NT multiuser security, Type ing systems; they have been placed in Enforcement in SELinux, anti-malware products, app ubiquitous networking environments; they have needed to support mature sandboxing in Apple OS X, Apple iOS, and Google software stacks including third-party Android, and application-facing systems such as applications; and they have found Capsicum in FreeBSD. This diversity is the result of a themselves exposed to malicious ac- tivity motivated by strong financial stunning transition from the narrow 1990s Unix and incentives. Vendors built on exist- NT status quo to security localization—the adaptation ing operating systems—often open source—to avoid creating them from of operating-system security models to site-local or scratch. This provided mature applica- product-specific requirements. tion frameworks and complex network This transition was motivated by three changes: stacks, both areas of weakness for then-contemporary “embedded oper- the advent of ubiquitous Internet connectivity; a ating systems.” One early example is migration from dedicated embedded operating Juniper’s Junos, a version of FreeBSD adapted for router control planes in systems to general-purpose ones in search of more 1998. This trend had come to fruition sophisticated software stacks; and widespread by 2007 when Google’s Android, based

52 communications of the acm | february 2013 | vol. 56 | no. 2 on Linux, and Apple’s iOS, based in that were designed for another place capsulation, appearing in Abrams et part on Mach and FreeBSD, became and time. al.’s Generalized Framework for Ac- available, transforming the smart- Access-Control Frameworks. Oper- cess Control (GFAC),1 and by the late phone market. ating-system developers must satisfy 1990s in Ott’s Rule Set-based Access Common to all of these environ- device vendors, who require everything Control (RSBAC)14 and Spencer et al.’s ments is a focus on security and reli- from router and firewall hardening Flask security architecture.17 Main- ability: as third-party applications are to mobile-phone app sandboxing. stream operating-system vendors did deployed in systems from Junos, via its Operating-system vendors had accu- not adopt these approaches until the SDK, and to iOS/Android app stores, rately observed a difficult adoption early 2000s with the MAC Framework sandboxing becomes critical, first to path for historic trusted operating sys- on FreeBSD22 and shortly after, Linux prevent bricking (reducing a device to tems, whose mandatory access-control Security Modules (LSM).23 In both cas- a mere brick as a result of malfunction schemes suffered from poor usability, es, a key concern was supporting third- or abuse) and later to constrain mal- performance, maintainability, and— party security models without com- ware. This trend is reinforced by mo- perhaps most critically—end-user de- mitting to fixed policies as had earlier bile-phone access to online purchas- mand. Likewise, they saw many prom- trusted systems. ing, and most recently, banking and ising new security models in research, payment systems. As a result, the role each with unknown viability, suggest- The MAC Framework ssociates of operating-system security has shift- ing that no single access-control mod- The MAC Framework was proposed ed from protecting multiple users from el would meet all needs. This practical in 1999, with the first whitepaper on each other toward protecting a single reality of security localization directly its design published in June 2000.20 It orys A ndrij B orys / A operator or user from untrustworthy motivates extensible access control. appeared in FreeBSD 5.0 in 2003 as an applications. In 2013, embedded de- Research over the preceding 20 experimental feature—compiled out vices, mobile phones, and tablets are years had made clear the need for a ref- by default but available to early adopt- points of confluence: the interests of erence monitor—a self-contained, non- ers. FreeBSD 8.0 in 2009 included the many different parties—consumers, bypassable, and compact (hence verifi- framework as a production feature, phone vendors, application authors, able) centralization of access control.2 compiled into the default kernel. (A and online services—must be medi- By the early 1990s, this concept had timeline of key events in its develop-

llustration by B rian G reenberg by I llustration ated with the help of operating systems been combined with the notion of en- ment appears in Figure 1.)

february 2013 | vol. 56 | no. 2 | communications of the acm 53 practice

The MAC Framework offers a logi- compiled into the kernel or loadable range of object types, from files to net- cal solution to the problem of kernel modules and implement well-defined work interfaces, and integrate with the access-control augmentation: exten- kernel programming interfaces (KPIs). kernel’s concurrency model. sion infrastructure able to represent Policies can augment access-control Mandatory Policies. MAC describes many different policies, offering im- decisions and make use of common a class of security models in which proved maintainability and supported infrastructure such as object labeling policies constrain the interactions by the operating-system vendor. Simi- to avoid direct kernel modification of all system users. Whereas discre- lar to device drivers and virtual file and code duplication. They are able to tionary access control (DAC) schemes system (VFS) modules,10 policies are enforce access control across a broad such as file-system access-control lists

Figure 1. MAC Framework research and development with key corporate contributions.

June 2000: extensible access control October 2007, August 2008: MAC framework for FreeBSD proposed at Framework improvements merged Network Associates Laboratories to FreeBSD from Apple OS X

2001–2004 DARPA CBOSS project 2004–2007 US Navy SEFOS project at 2009: MAC Framework DTrace on access control extensibility at McAfee Research improves the MAC instrumentation added by University of McAfee Reasearch Framework; SEBSD; Apple OS X port Cambridge during dynamic analysis study

2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

July 2002: MAC Framework merged to November 2006: nCircle contributes OS 2008: Seccuris contributes MAC FreeBSD 5.0 development tree privilege extensions to MAC Framework Framework IPC enhancements while developing Biba-based network intrusion detection appliance 2007: Secure Computing Corporation (later McAfee) contributes MAC Framework patches from FreeBSD transition; Sidewinder is evaluated to EAL 4+

Figure 2. Policy models are encapsulated in kernel modules that augment kernel access control.

Process Process Process Process

Label management APIs System call interface support security-aware but Kernel subsystems policy-agnostic applications consult framework to check access control decisions and notify the framework MAC label of object lifecycle events Process Socket VFS system DTrace to support labeling signals IPC calls

DTrace probes allow monitoring and tracing of framework entry point MAC Framework invocation and results

Operating Policy modules can be com- system Biba MLS piled into the kernel, loaded kernel at boot, or (where supported ugidfw by policy semantics) loaded and uploaded at runtime.

54 communications of the acm | february 2013 | vol. 56 | no. 2 practice

(ACLs) allow object owners to protect code conflicts with security exten- (or share) objects at their own discre- sions. Assurance is also affected, as tion, MAC enforces systemwide se- the burden of arguing for correctness curity invariants regardless of user is left entirely in the hands of the ex- preference. The research literature de- tension writer. scribes a plethora of mandatory poli- The MAC ˲˲ System call interposition is widely cies grounded in information flow and Framework used in antivirus systems and, in the rule-based models. past, security extension products and Early mandatory policies focused on offers a logical research systems.9 Kernel concurren- information flow, requiring ubiquitous solution to the cy proves a particular challenge, and enforcement throughout the kernel. we have demonstrated easily exploit- Multilevel security (MLS) protects con- problem of kernel ed race conditions between wrappers fidentiality by labeling user clearance and kernels.19 and data confidentiality, limiting flow.5 access-control Guiding Design Principles. The The Biba integrity policy is the logi- augmentation: dual goals of access-control extensi- cal dual of MLS, protecting integrity.6 bility and encouraging upstream and These models maintain subject and extension downstream vendor engagement mo- object security labels holding confi- infrastructure able tivated several design principles for dentiality or integrity information, and the MAC Framework: controlling operations that might lead to represent many Do not commit to a specific access- to information upgrade or downgrade. different policies, control policy. There is no consensus SRI International’s PSOS (Provably on a single policy or even policy lan- Secure Operating System) design in- offering improved guage; instead, capture policy models cluded strong enforcement of object maintainability and in C code. types, supplementing capability protec- Avoid policy-specific intrusions into tions.13 This evolved into Boebert’s Type supported by the the kernel. Encapsulate internals be- Enforcement (TE)7 and Badger et al.’s hind policy-agnostic interfaces. This Domain and Type Enforcement (DTE),4 operating-system leads naturally to object-centered de- which have proven influential, with TE vendor. sign—access-control checks with re- deployed in SELinux11 and McAfee’s spect to subjects, objects, and methods. Sidewinder firewall. Both models are Provide policy-agnostic infrastructure. flexible and fine-grained, labeling sub- This satisfies common requirements jects and objects with symbolic do- beyond access-control instrumenta- mains and types. Administrator-con- tion, such as labeling and tracing. trolled rules authorize interactions and Support multiple simultaneously transitions between domains. loaded policies. In this way different Finally, a broad class of product- aspects of policy, perhaps from differ- specific hardening policies is also rel- ent vendors, can be independently ex- evant; these take less principled ap- pressed. For example, Trusted IRIX and proaches, offering direct control over Argus Pitbull both employed MLS for services rather than abstract models. user-data confidentiality and Biba for Before Access-Control Extensibil- trusted computing base (TCB) protec- ity. In implementation papers, we cri- tion. Composition must be predictable, tiqued contemporaneous techniques deterministic, and ideally sensible. from experience: Impose structures that facilitate as- ˲˲ Direct kernel modification was used surance arguments. This can be done for most trusted systems, whether by separating policy and mechanism originated by operating-system ven- via a reference monitor and through dors (for example, Trusted Solaris) or well-defined KPI semantics (for exam- third-party extensions (for example, ple, locking). Argus Pitbull). Tracking upstream Design for an increasingly concurrent operating-system development is kernel. Policies must not only behave problematic: extensions are unable correctly, but also scale with the fea- to depend on public, and hence more tures they protect. stable, APIs (application program- Architecture of the MAC Frame- ming interfaces) and KPIs—and less work. The MAC Framework, illustrated obvious at the time, ABIs (application in Figure 2, is a thin layer linking kernel binary interfaces) and KBIs (kernel services, policies, and security-aware binary interfaces). Upstream churn applications. Control passes from ker- frequently triggers design and source- nel consumers to framework to poli-

february 2013 | vol. 56 | no. 2 | communications of the acm 55 practice

cies through roughly 250 entry points ˲˲ Policy entry points connect the Policies need implement only the entry (object types × methods): framework and policies, adding ex- points they require. ˲˲ Kernel-service entry points allow plicit label arguments relative to corre- ˲˲ Applications manage labels (on subsystems (for example, VFS) to en- sponding kernel-service entry points. processes and files, among others) us- gage the reference-monitor framework They are supplemented by policy life- ing the label-management API. in relevant events and access control. cycle events and library functions. ˲˲ DTrace probes allow entry-point tracing, profiling, and instrumentation.8 Figure 3. VFS invokes the MAC Framework to authorize file writes. Collectively, these interfaces allow policies to augment kernel access con-

static int trol in a maintainable manner. vn_write(struct file *fp, struct uio *uio, Entry-Point Invocation. To under- struct ucred *active_cred, int flags, stand how these layers interact, let’s fol- struct thread *td) low a single file-write check through the { ... kernel. Figure 3 illustrates vn_write, vn_lock(vp, lock_flags | LK_RETRY); a VFS function implementing the ... write and writev system calls. The #ifdef MAC mac _ vnode _ check _ write ker- error = mac_vnode_check_write(active_cred, fp->f_cred, vp); if (error == 0) nel service-entry point authorizes a write #endif to a vnode (vp) by two subject creden- error = VOP_WRITE(vp, uio, ioflag, fp->f_cred); tials: fp->f _ cred, which opened the ... VOP_UNLOCK(vp, 0); file, and active _ cred, which initi- ... ated the write operation. Policies can return (error); implement Unix capability semantics } (fp->f _ cred) or revocation semantics (active _ cred). The vnode lock (vp->v _ lock)is held over both check and use, protecting label state and pre- Figure 4. Framework access control on file writes; lock assertions and DTrace probes are venting time-of-check-to-time-of-use central design elements. race conditions. Arguments excluded from entry int mac_vnode_check_write(struct ucred *active_cred, points are as important as those in- struct ucred *file_cred, struct vnode *vp) cluded. For example, vn_write’s { data pointer (uio) is omitted, as this int error; data resides in user memory and can- ASSERT_VOP_LOCKED(vp, “mac_vnode_check_write”); not be accessed race-free with respect MAC_POLICY_CHECK(vnode_check_write, active_cred, to the write. Similar design choices file_cred, vp, vp->v_label); throughout the framework discourage MAC_CHECK_PROBE3(vnode_check_write, error, active_cred, file_cred, vp); behavior not safely expressible through return (error); the kernel synchronization model. } Wherever possible, it is best to take the perspective that kernel subsystems implement labeled objects, and that policies may be enforced through Figure 5. Biba authorization of file writes. controls on method invocation. This approach is a natural fit for the ker-

#define LABEL(l) ((struct mac_biba *)mac_label_get((l), biba_slot)) nel, which adopts an object-oriented structure despite an absence of lan- static int guage features in C. Once objects have biba_vnode_check_write(struct ucred *active_cred, been identified, placing entry points struct ucred *file_cred, struct vnode *vp,struct label *vplabel) { requires care: the more granular the struct mac_biba *subj, *obj; KPI, the more expressive policies can be—at the cost of policy complexity. if (!biba_enabled || !revocation_enabled) The fewer the calling sites, the easier return (0); subj = LABEL(active_cred->cr_label); they are to validate; too few, however, obj = LABEL(vplabel); leads to inadequate protection. Entry- if (!biba_dominate_effective(subj, obj)) point design must also balance placing return (EACCES); return (0); checks deep enough to allow insight } into object types while minimizing enforcement points for a particular level of abstraction.

56 communications of the acm | february 2013 | vol. 56 | no. 2 practice

Figure 4 illustrates mac _ vnode _ Kernel-Object Labeling. Many ac- data, where supported by the synchro- check _ write, a thin shim that as- cess-control policies label subjects nization model. serts locks, invokes interested policies, and objects in order to support access- and fires a DTrace probe. Policies are control decisions (for example, integ- From Research to Product not prohibited from directly accessing rity or confidentiality levels). The MAC Having presented the design of the vnode fields; however, passing an ex- Framework provides policy-agnostic MAC Framework, let’s turn our at- plicit label reference avoids encoding label facilities for kernel objects, la- tention to policies found in FreeBSD- vnode structure layout into policies bel-management system calls, and derived commercial or open source in a common case, improving KPI and persistent storage for file labels. Poli- products. Table 1 and Figure 6 illus- KBI resilience. cies control label semantics—not only trate several such policy modules, their Policy entry-point invocation, en- the bytes stored, but also the memory feature footprints, and ship dates. A capsulated in MAC _ POLICY _ CHECK, model: policies might store per-in- number of factors contributed to the is nontrivial: access to the policy list stance, reference-counted, or global success of this transition: must be synchronized to prevent races data. For example, when a process The need for new access control was with module unload, interested poli- creates a new socket, Biba propagates pressing. The classic Unix model failed cies must be called, and results must be the current subject integrity level (for to meet the needs of ISPs, firewalls, composed. The framework employs a example, low) to the socket label. The and smartphones. Simultaneously, the simple composition metapolicy: if any partition policy, concerned with inter- threat of attack became universal with policy returns failure, then access is de- process access control, labels only ubiquitous networking and strong fi- nied. For example, an EACCES returned processes and not sockets, so will not nancial incentives for attackers. by Biba would be selected in preference assign a label value for the socket. Structural arguments for a frame- to 0 (success) returned by MLS. The The framework represents label work were correct. Access-control ex- only exception lies in privilege exten- storage using struct label, which tensibility is the preferred way of sup- sions discussed later. This metapolicy is opaque to both kernel services and porting security localization, catering is simple, deterministic, predictable by policies. Where object types support to diverse requirements. developers, and above all, useful. metadata schemes (for example, mbuf No one policy model has become domi- Figure 5 illustrates Biba invocation: tags that hold per-packet metadata), nant. Therefore, many must be supported. Biba checks its revocation configura- those are used; otherwise, label point- Hardware performance improvement tion, unwraps policy-specific labels, ers are added to core structures (for increased tolerance for security over- and computes a decision using its example, vnode). Policies may borrow head. This was true even in consumer dominance operator. existing object locks to protect label and embedded devices.

Table 1. Comparison of policies and their feature footprints.

Name OSS CP Product Type Lab Priv Proc VFS IPC Net API Sig mac none P - FreeBSD Null policy ------mac_stub P - FreeBSD Template policy P P P P P P P - mac_test P - FreeBSD Framework self-test P - P P P P P - mac_ugidfw P P FreeBSD File system firewall - - - P - - - - mac_biba P P FreeBSD Fixed integrity P P P P P P P - mac_lomac P ? FreeBSD Floating integrity P P P P P P P - mac_mls P ? FreeBSD Confidentiality P - P P P P P - sebsd P P FreeBSD Type Enforcement P P P P P P P - sandbox - P Apple OS X Rule-based P P P P P - P P quarantine - P Apple OS X Taint-based P - - P - - P - tmsafetynet - P Apple OS X Fixed integrity P - - P - - P - amfi - P Apple iOS Fixed integrity - P P - - - - P sandbox - P Apple iOS Rule-based P P P P P - P P mac_runasnonroot - P Apple iOS Hardening - - P - - - - P mac_pcap - P Juniper Junos Grant BPF privs P P - P - P P - mac_veriexec - P Juniper Junos Signed binaries P - - P - - - P sidewinder_te - P McAfee Sidewinder Type Enforcement P P P P P P P - mac_ncircle - P nCircle IP360 Hardening - P - P - - - -

Key: OSS: open source software Priv, Proc, VFS, IPC, Net: implements API: uses MAC Framework application APIs CP: shipped in a commercial product access-control entry points for privileges, Sig: provides or depends on application Lab: uses subject or object label facility processes, file system, interprocess digital signatures communication, or the network stack

february 2013 | vol. 56 | no. 2 | communications of the acm 57 practice

Open source technology transition code, with 15,000 lines in reference versions in the same series (for ex- works. FreeBSD provided not only a fo- policies, it integrates with a multi- ample, a FreeBSD 9.0 network device rum for collaborative research and de- million-line kernel. The transition to driver should work with FreeBSD 9.1). velopment, but also a pipeline to com- production relied on several factors, The goals were to avoid disrupting the mercial products. including increasing confidence in KBIs of consumer subsystems and The framework has evolved con- mediation and response to commu- to offer similar levels of binary com- siderably since 2003 thanks to contri- nity feedback on design, compatibil- patibility for policy modules. Label butions from companies deploying it ity, and performance. The framework, storage opacity for subsystems and in products. as first shipped in FreeBSD 5.0, was policies was the primary area of refine- marked as experimental, with several ment, which avoids encoding kernel FreeBSD implications: data-structure internals into policies FreeBSD is an open source operat- ˲˲ Enabling it required recompiling if they require only label access, as ing system used to build online ser- the kernel. well as providing flexibility to change vices, appliances, and embedded ˲˲ Documentation marked it as po- label implementation. devices. FreeBSD or its components tentially incomplete, unstable, or inse- Performance Optimization. Many can be found in data centers (Inter- cure, and therefore unsupported. FreeBSD deployments are extremely net Systems Consortium, Yahoo!), as ˲˲ Programming and binary interface performance sensitive, requiring a foundation for integrated products (API, KPI, ABI, and KBI) stability was minimal overhead, especially if the (NetApp and EMC Isilon storage ap- disclaimed, allowing change without framework is disabled. As sites se- pliances), and in embedded/mobile formal depreciation. lect policies based on local security- devices (Juniper switches and Apple Merging the framework while still performance trade-offs, it is also de- iPhones). Its origins lie in BSD (the experimental was key to gaining users sirable for policies to incur only the Berkeley Software Distribution), de- who could help validate and improve performance penalties of features veloped in the 1970s and 1980s.12 BSD the approach, while retaining the flex- they actually use—performance pro- originated a number of central Unix ibility to make changes. Two concerns portionality. As shipped in FreeBSD technologies, including FFS (the Fast needed to be addressed before the 5.0, however, regressions were mea- File System) and the Berkeley TCP/IP framework could be considered pro- surable, an obstacle to enabling the stack and sockets API. The BSD license duction worthy: framework by default. and its variations (MIT, CMU, ISC, ˲˲ Binary compatibility impact for Label Allocation Trade-offs. Even Apache) have encouraged technol- the kernel, policies, and other modules when the framework was compiled ogy transition by allowing unrestricted must be better understood. out, bloat from adding a label to ker- commercial use. FreeBSD’s diverse ˲˲ Performance must be analyzed and nel data structures (especially packet consumers both motivate and are the optimized based on community review. mbufs) created significant allocation- perfect target for security localization. KPI and KBI Resilience. FreeBSD time zeroing cost. In FreeBSD 5.1, in- The MAC Framework is a com- policy dictates that certain classes of lined mbuf labels were replaced with plex piece of software; although the kernel modules compiled against a pointers, and for all object types in framework itself is only 8,500 lines of release must work with later minor 5.2; this decreased costs for non-MAC

Figure 6. Timelines of selected MAC Framework-based product ship dates.

July 2007: nCircle ships IP360 6.7 2009: Juniper ships Junos using the MAC with MAC Framework policy Framework for access control

January 2003: FreeBSD 5.0 released January 2007: Secure Computing November 2009: FreeBSD 8.0 released with with MAC Framework marked as an Corporation (later McAfee) MAC Framework in default kernel marked experimental feature ships Sidewinder 7.0 product as a production feature with MAC Framework

2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

October 2007: Apple ships OS X April 2010 Apple July 2012: Apple ships Leopard with MAC Framework ships iPad with OS X Mountain Lion with support and sandboxing model app sandboxing mandatory app sandboxing

July 2008: Apple ships iPhone 2010: Apple completes July 2011: Apple ships OS 2.0 with App Store and EAL 3+ evaluation with MAC OS X Lion with preliminary sandboxed third-party applications Framework enforcement app sandboxing

58 communications of the acm | february 2013 | vol. 56 | no. 2 practice kernels at the expense of additional to scan networks for vulnerable soft- allocation and indirection for MAC- ware and Sarbanes-Oxley compliance. enabled kernels. While most of its security require- Label allocation was even more ments could be captured with conven- measurable with the framework en- tional DAC, customers requested the abled—and unnecessary for unla- It is desirable for ability to audit appliance content and beled policies. The effect was most policies to incur only configuration directly. To meet this pronounced with network packets requirement, while limiting potential and led, in FreeBSD 5.1, to a per-poli- the performance damage in case audit access is misused cy flag to request packet labels. In 8.0, penalties of or compromised, nCircle developed a this approach was generalized so that custom policy. labels were allocated only for object features they The policy authorizes an audit user types for which at least one loaded to read all file-system and configura- policy defined an initialization entry actually use— tion data, bypassing permissions, point. This effectively eliminated the performance while also preventing file-system cost of labeling when not required by writes. The MAC Framework could ex- a policy, restoring performance pro- proportionality. press only a subset of this augmenta- portionality and satisfying the general tion: policies could constrain rights case well. However, one commercial but not grant them. nCircle therefore product that used packet labeling, the enhanced the framework to allow con- McAfee Sidewinder Firewall, saw suf- trol over fine-grained system privileges. ficient overhead to bypass the label Privilege Extensions. Operating-sys- abstraction in favor of direct struc- tem privilege confers the right to bypass ture modification. operating-system security policies (for Minimizing Synchronization Over- example, changing system settings or heads. With the framework compiled in, overriding DAC or the process model). lock-protected reference count opera- In classic Unix, system privileges are tions on entry-point invocation were eas- granted to any process running as the ily measurable for frequent operations, root user. To meet nCircle’s goals, a such as per-packet delivery checks. As policy must be able to augment the ker- multicore hardware became more com- nel’s default privilege policy to grant mon, lock (and later cache-line) conten- (and moderate) privileges for other us- tion also became significant. ers. This presented two technical chal- Beginning in FreeBSD 5.2, policies lenges: how to identify and distinguish were divided into static and dynamic different types of privilege; and how to sets to help fixed-configuration em- add extensibility to the existing privilege bedded systems. The former were com- model. These problems resemble, in mi- piled in or loaded at boot and unload- crocosm, the larger concern addressed able thereafter, and hence required no by the MAC Framework—structuring of synchronization. Dynamic policies— a reference monitor for extensibility— those loaded after boot, or potentially and seemed a natural fit despite a depar- unloadable—still required multiple ture from the original design choice to lock operations. only limit, rather than grant, rights. In FreeBSD 8.0, synchronization All existing kernel privilege checks was further optimized so that the MAC were analyzed and replaced with checks Framework could be shipped in the de- for specific named privileges. Privilege fault kernel. This effort benefited from checking was then reworked to include continuing improvements in kernel an explicit composition policy for scalability driven by increasingly com- sources and limitations of privilege, mon eight-core machines. Particularly including two new MAC Framework critical were read-mostly locks, which entry points: mac _ priv _ check fol- do not trigger cache-line migrations lows the standard entry-point conven- during read-only acquisition, at the tions, accepting a credential, named cost of more expensive exclusive ac- privilege arguments, and restrict- quisition—perfect for infrequently ing privileges by returning an error; changed policy lists. mac _ priv _ grant diverges from this model by overriding the base oper- nCircle IP360 Appliance ating-system policy to grant new rights, nCircle Network Security produces a using a new composition operator that FreeBSD-based appliance, the IP360, allows any policy to grant a right, rather

february 2013 | vol. 56 | no. 2 | communications of the acm 59 practice

Table 2. Apple OS X applications may use one of several statically configured profiles, or define their own.

Profile Description kSBXProfileNoInternet TCP/IP networking is prohibited kSBXProfileNoNetwork All sockets-based networking is prohibited kSBXProfileNoWrite File-system writes are prohibited kSBXProfileNoWriteExceptTemporary File-system writes are restricted to temporary folders kSBXProfilePureComputation Only Mach IPC to the host process is permitted

than requiring them all to agree. for upstreaming. Junos ships with four ing the originating website. Existing policies were updated to local security extensions: ˲˲ Time Machine Safety Net. Protects take advantage of the new features, ˲˲ mac _ runasnonroot. Ensures the integrity of Time Machine backups. providing stronger nondiscretionary that third-party applications written With OS X Mountain Lion, applica- control of the root user. For example, against the Junos SDK are not run as tions distributed via Apple’s App Store the Biba policy now limits access to a the root user. have mandatory sandboxing. Apple’s number of privileges that might allow ˲˲ mac _ pcap. Allows Junos SDK iOS 2.0 shipped with two policies: bypass of the process model or system applications to capture packets despite Sandbox and one additional: reconfiguration when operating as the not running as root. ˲˲ Apple Mobile File Integrity (AMFI). root user without Biba privilege. These ˲˲ mac _ veriexec. Implements Works in concert with a code-signing features shipped in FreeBSD 7.0. support for digitally signed binaries. facility, terminating apps whose digi- The nCircle MAC Policy. The nCircle ˲˲ Junos SDK sandboxing. Constrains tal signatures have been invalidated at policy extends (and restricts) rights third-party applications based on mac_ runtime; exempts debugging during available to the audit user: veriexec certificates. app development. ˲˲ It identifies a specific user ID to The mac _ runasnonroot and Collectively the policies support sys- which all remaining policy activities mac _ pcap extensions first shipped tem integrity and provide strong sepa- apply. as framework policies in 2009. Then ration between apps in order to keep ˲˲ Privileges are granted, including mac _ veriexec shipped in 2012, data private. Both OS X and iOS diverge read access to the kernel log and fire- replacing a previous directly patched substantially from our design expecta- wall configuration, and file read/look- implementation. Juniper is preparing tions for the MAC Framework, requir- up protections are overridden. to migrate Junos SDK sandboxing to ing significant adaptation. ˲˲ VFS entry points deny write access the MAC Framework to reduce local XNU Prototype. Apple began beta to all objects and read access to certain patches further, as well as upstream testing OS X in 2000, and the promise files such as the password file. mac _ veriexec. of a commodity desktop operating sys- With these enhancements, the nCir- These policies required minor tem with an open source kernel was cle policy is able to combine controlled changes to the MAC Framework, includ- difficult to ignore. The XNU kernel is privilege escalation with mandatory ing additional entry points; perhaps a sophisticated blend of Carnegie Mel- constraints, meeting product needs most interesting is a new O _ VERIFY lon University’s Mach microkernel, while minimizing local operating-sys- flag to the open system call, which sig- FreeBSD 5.0, cherry-picked newer Free- tem modification. nals to the framework that the user- BSD elements, and numerous features space runtime linker has requested that developed by Apple. With these foun- Juniper Junos a file be validated. dations, it seemed likely that the MAC The Junos router operating system Framework approach, and even code, runs on the control planes of all Juni- Apple OS X and iOS would be reusable. per routers and switches. Juniper main- In quick succession, Apple released Though not a microkernel, XNU tains substantial local modifications to versions of OS X Leopard for the desk- (short for X is not Unix) adopts many FreeBSD and is undergoing a multiyear top/server in 2007, and iPhone OS 2 for elements from Mach, including its process to minimize its patches by re- the iPhone and iPod Touch in 2008, scheduler, interprocess communica- turning improvements to the FreeBSD incorporating the MAC Framework as tion (IPC) model, and VM system. The community and increasing use of oper- a reference-monitor framework. OS FreeBSD process model, IPC, network ating-system extensibility frameworks X Snow Leopard shipped with three stack, and VFS are grafted onto Mach, that allow local features to be cleanly MAC policies: providing a rich POSIX program- grafted onto an unmodified operating ˲˲ Sandbox. Provides policy-driven ming model. Apple-developed kernel system. As part of that project, Juniper sandboxing of risky components that components in the first release of OS has been moving local security exten- process untrustworthy data such as X included the I/O Kit device-driver sions into MAC Framework policies, network services and video codecs. framework, network kernel extensions both to reduce conflicts during FreeBSD ˲˲ Quarantine. Taints downloaded (NKEs), and the HFS+ file system; this updates and to prepare certain policies files, supporting a user dialog display- list has only grown over time.

60 communications of the acm | february 2013 | vol. 56 | no. 2 practice

Interesting questions abounded: A userspace label handle abstraction and third-party applications such as for example, would ideas developed in similar to the kernel label structure Google’s Chrome Web browser. Sand- the DTMach16 and DTOS17 microker- serves this purpose. box allows applications voluntarily to nel projects apply better or worse than Adoption by Apple. Apple is the restrict their access to resources (for ex- the monolithic kernel approach in the world’s largest vendor of desktop Unix ample, the file system, IPC namespac- MAC Framework? Between 2003 and systems and was among the first to de- es, and networking). Process sandbox 2007, the increasingly mature MAC ploy Unix in a smartphone. It has like- profiles are stored in process labels. Framework was ported to OS X.18 wise seen exploding use cases and new Bytecode-compiled policies can be Adapting to OS X. The MAC Frame- security requirements motivated by set via public APIs, or by the sandbox- work required a detailed analysis of ubiquitous networking and malicious exec helper program. Applications the FreeBSD kernel and is tightly in- attackers. Apple’s adoption of the MAC may select from several Apple-defined tegrated with low-level memory man- Framework was not assured, however, policies (Table 2) or define custom poli- agement and synchronization, as well as competing technologies were also cies. Several applications use default as higher-level services such as the file considered, motivated by similar ob- policies such as the iChat video codec, system, IPC, and network stack. While servations, awareness of future prod- which employs the computation-only the adaptation to OS X was able to rely uct directions, performance concerns, profile limited to IPC with the host pro- heavily on Apple’s use of FreeBSD com- and our research. cess. Many other software components, ponents, fundamental changes were Alternatives included system-call such as Spotlight indexing, the BIND needed to reflect differences between interposition-based technology similar name server, Quicklook document pre- FreeBSD and XNU. to that discussed earlier, and Apple’s views, and the System Log Daemon, uti- The first step was integrating the Kauth3 (short for kernel authorization), lize custom profiles to limit the effects MAC Framework with the closely an authorization framework targeted of potential vulnerabilities. aligned BSD process model, file system, at antivirus vendors (modeled in part Figure 7 shows excerpts from the and network stack. High-level architec- on the MAC Framework). Apple found common.sb profile used by Chrome, tural alignment made some of the ad- arguments about the fallibility of sys- illustrating key Sandbox constructs: aptation easy, but nontrivial differenc- tem-call interposition convincing, and coarse controls for sysctl kernel-man- es were also encountered. For example, in the end adopted two technologies: agement interfaces and shared memo- FreeBSD’s Unix file system (UFS) con- Kauth for third-party antivirus vendors; ry, and fine-grained regular expression siders directories to be specialized file and the more expressive and capable matching of file paths. File path-based objects, whereas HFS+ considers the MAC Framework for its own sandbox- control is a highlight of the Sandbox directory and object attribute struc- ing technologies. policy, addressing programmer mod- ture, or disk catalog, to be a first-class The Sandbox Policy. Since Apple’s els much better than file labels in Biba, object. This required changes to both OS X and iOS policy modules are not MLS, and TE. Path-based schemes are the framework and XNU. open source, we are unable to consid- difficult to implement on the Unix VFS Next, coverage was extended to in- er their implementations, but public model, which considers paths to be clude Mach tasks and IPC. Each XNU documentation exists for the Sandbox second-class constructs. Whereas Free- process links a Mach task (schedul- policy used by Mac OS X components BSD permits files to have zero (unlinked ing, VM) with a FreeBSD process (cre- dentials, file descriptors), presenting Figure 7. Chrome OS X sandbox policy excerpts. a philosophical problem: is the MAC

Framework part of Mach or BSD? (deny default) While useful architecturally, the Mach- BSD boundary in XNU proves artificial: ; Allow sending signals to self - http://crbug.com/20370 references frequently span layers, re- (allow signal (target self)) quiring the MAC Framework to serve ; Needed for full-page-zoomed controls - both. Label modifications on BSD pro- ; http://crbug.com/11325 cess labels are mirrored to correspond- (allow sysctl-read) ing Mach task labels. ; Allow following symlinks Mach ports are another case in (allow file-read-metadata) which microkernel origins come into conflict with the monolithic kernel ; Loading System Libraries. (allow file-read-data premise of the MAC Framework. Un- (regex #”^/System/Library/Frameworks($|/)”)) like BSD IPC objects, with kernel- (allow file-read-data managed namespaces, Mach ports rely (regex #”^/System/Library/PrivateFrameworks($|/)”)) on userspace namespaces managed (allow file-read-data (regex #”^/System/Library/CoreServices($|/)”)) by launchd (for example, for desktop IPC). Taking a leaf from DTOS, ; Needed for IPC on 10.6 launchd is responsible for labeling (allow ipc-posix-shm) and enforcement but queries the reference monitor to authorize lookups.

february 2013 | vol. 56 | no. 2 | communications of the acm 61 practice

but open), one, or multiple names a forum for collaborative refinement, (hard links), HFS+ implements a par- access to early adopters, and a path to ent pointer for files and ensures that the numerous products. name cache always contains the infor- Perhaps the most surprising adop- mation required to calculate unambig- tion was at McAfee itself: when the uous paths for in-use files. The MAC Framework framework was open sourced by While Sandbox is used with many OS has become McAfee Research, Secure Computing X services, a number of third-party ap- Corporation (then a competitor) ad- plications incorporate strong assump- the foundation opted it for Sidewinder, which McAfee tions of ambient authority, the ability to for numerous later acquired. More generally, this access any object in the system. With speaks to the success of open source in the iPhone, Apple broke this assump- instances of providing a venue in which competing tion: applications execute in isolation companies can collaborate to develop from system services and each other. security localization, common infrastructure technolo- This model is now appearing in OS X allowing local gies. The industry’s adoption of open and could similarly help protect device source foundations for appliances and integrity against misbehaving apps access-control embedded devices has been well-ca- and, increasingly, end-user data. policies to be tered to by our access-control extensi- Performance Optimizations. OS X bility argument: and iOS were shipped with the MAC composed with ˲˲ Security localization in devices has Framework prior to FreeBSD 8.0’s per- the still-popular become widespread. formance optimizations, requiring ˲˲ The criticality of multiprocessing Apple to make its own optimizations Unix discretionary has only increased. based on product-specific constraints. access control ˲˲ Security label abstractions have As with FreeBSD optimizations, these proven beneficial beyond their MAC were generally concerned with the over- model. roots. head of framework entry and labeling. ˲˲ Non-consensus on access-control By default, labeling is compiled out of policies continues. the kernel for certain object types; for The MAC Framework, however, also others, such as vnodes, policies may required refinement and extension to selectively request label allocation, ca- address several unanticipated concerns: tering to the often-sparse labeling use ˲˲ The desire to revisit the structure in OS X’s policies. of Unix privilege. In FreeBSD, framework instrumen- ˲˲ The importance of digital signa- tation and synchronization optimiza- tures when applying access control to tions rely on all-or-nothing distinc- third-party applications. tions between sites willing to pay for ˲˲ Continued tensions over the desire additional access-control extension. for name-based vs. label-based access In OS X, the assumption is that sand- control. boxing is used on most machines, but New Design Principles. In light of selectively applied to high-risk process- extensive field experience with the es. To this end, each process carries a MAC Framework, we have added sev- mask, set by policies, indicating which eral new design principles: object types require enforcement. As Policy authors determine their own OS X adopts more universal sandbox- performance, functionality, and assur- ing, as is the case in iOS, it may be de- ance trade-offs. Policies may not re- sirable to apply more global optimiza- quire heavyweight infrastructure (for tions as in FreeBSD. example, labels), so offer performance proportionality. Reflections Traceability is a key design concern. Over the past decade, the MAC Frame- Programming and binary interface work has become the foundation for stability is critical. API, ABI, KPI, and numerous instances of security local- KBI sustainability is often overlooked ization, allowing local access-control in research, where prototypes are fre- policies to be composed with the still- quently one-offs without multi-decade popular Unix discretionary access con- support obligations. trol (DAC) model—a timely conver- Manipulating operating-system privi- gence of industry requirements and lege is important to policies that augment research. Deploying via open source rather than supplement DAC. proved a successful strategy, providing It is clear from the work of down-

62 communications of the acm | february 2013 | vol. 56 | no. 2 practice stream consumers, however, that deployment of the MAC Framework 4. badger, L., Sterne, D.F., Sherman, D. ., Walker, K.M. and Haghighat, S.A. Practical domain and type two further principles are now also appears to confirm the more general enforcement for Unix. In Proceedings of the 1995 necessary: argument that access-control extensi- IEEE Symposium on Security and Privacy 66 (1995). IEEE Computer Society. Application authors are first-class bility is a critical aspect of contempo- 5. bell, D.E., and L.J. LaPadula. Secure computer systems: principals. Apple’s App Store and Ju- rary operating-system design. mathematical foundations and model. Technical Report M74-244. Mitre Corp., Bedford, MA, 1973. niper’s SDK both employ application 6. biba, K. Integrity considerations for secure computer signatures and certificates as policy Acknowledgments systems. Technical Report TR-3153. Mitre Corp., Bedford, MA, 1977. inputs. Systems research emphasizes the 7. boebert, W.E. and Kain, R.Y. A practical alternative to Applications themselves require flex- practical application of ideas to real- hierarchical integrity policies. In Proceedings of the 8th National Computer Security Conference, 1985. ible access control to support application world systems: only by implementing 8. cantrill, B.M., Shapiro, M.W. and Leventhal, A.H. Dynamic instrumentation of production compartmentalization. an idea can you fully understand it; systems. In Proceedings of the Usenix Annual This latter observation led us to this is even more true in the transition Technical Conference (Berkeley, CA, 2004). Usenix Association. develop the application-focused Cap- from research to practice. Acknowl- 9. fraser, T., Badger, L. and Feldman, M. Hardening sicum protection model,21 recently edgments are due to a large cast span- COTS software with generic software wrappers. In Proceedings of the 1999 IEEE Symposium on Security shipped as an experimental feature in ning many institutions; to view full and Privacy. FreeBSD 9.0. It can be viewed as com- list, see queue.acm.org. Helpful feed- 10. Kleiman, S.R. Vnodes: An architecture for multiple file system types in Sun Unix. In Proceedings of the plementary to policy-driven kernel ac- back on this article came from Ross Summer 1986 Usenix Conference. cess control. Anderson, Simon Cooper, Jon Crow- 11. loscocco, P.A. and Smalley, S.D. Integrating flexible support for security policies into the Linux operating Domain-Specific Policy Models. croft, Simon Gerraty, Matthew Grosve- system. In Proceedings of the 2001 Usenix Annual Why no consensus has been reached in nor, Steve Hand, Mark Handley, Steve Technical Conference. Usenix Association, 29–42. 12. mcKusick, M.K., Neville-Neil, G.V. The Design and the expression of operating-system pol- Kiernan, Anil Madhavapeddy, Peter G. Implementation of the FreeBSD Operating System. icies is an interesting question—cer- Neumann, George Neville-Neil, and Pearson Education, 2004. 13. neumann, P.G., Boyer, R.S., Feiertag, R.J., Levitt, K.N. tainly, proponents of successive policy Mike Silbersack. and Robinson, L. A provably secure operating system: models have argued that their models This work was supported by DAR- the system, its applications, and proofs, second edition. Technical Report CSL-116. Computer Science capture the key concerns in system PA/AFRL contract FA8750-10-C-0237 Laboratory, SRI International, 1980. 14. ott, A. Rule-set-based access control (RSBAC) for design. In catering to a variety of mod- (CTSRD), with previous support from Linux (2010); http://www.rsbac.org/. els, our observations are twofold: first, the DARPA CBOSS and SPAWAR SE- 15. saltzer, J.H. and Schroeder, M.D. The protection of information in computer systems. In Proceedings of policy models aim to capture aspects of FOS contracts, spanning the DARPA the IEEE 63, 9 (1975), 1278–1308. the principle of least privilege15 but often CHATS and DARPA CRASH research 16. sebes, E.J. Overview of the architecture of Distributed Trusted Mach. In Proceedings of the in fundamentally different forms (for programs. The views, opinions, and/ Usenix Mach Symposium (1991). Usenix Association, example, information flow vs. system or findings in this article are author’s 20–22. 17. spencer, R., Smalley, S., Loscocco, P., Hibler, M., privileges), making their approaches and should not be interpreted as rep- Andersen, D. and Lepreau, J. 1999. The Flask complementary; second, different resenting the official views or poli- security architecture: system support for diverse security policies. In Proceedings of the 8th Usenix models address different spaces in a cies, either expressed or implied, of Security Symposium (1999). Usenix Association, multidimensional trade-off between DARPA, the U.S. Navy, AFRL, or the 123–139. 18. Vance, C., Miller, T. C., Dekelbaum, R., Reisse, A. 2007. types of expression, assurance, perfor- Department of Defense. Google, Inc. Security-enhanced Darwin: Porting SELinux to Mac mance, administrative complexity, im- also supported this work. OS X. In Proceedings from the Third Annual Security Enhanced Linux Symposium (2007). plementation complexity, compatibil- 19. watson, R.N.M. Exploiting concurrency vulnerabilities ity, and maintainability. This instead in system call wrappers. In Proceedings of the First Related articles Usenix Workshop on Offensive Technologies. Usenix reflects a consensus for domain-specific Association, 2007, 1–8. on queue.acm.org 20. Watson, R.N.M. New approaches to operating system policy models. security extensibility. Technical Report UCAM- Building Systems to Be Shared, Securely The Value of Extensibility. Does the CL-TR-818. University of Cambridge, Computer Poul-Henning Kamp, Robert Watson Laboratory, 2012. need for significant design enhance- ttp://queue.acm.org/detail.cfm?id=1017001 21. watson, R.N.M., Anderson, J., Laurie, B. and ment confirm or reject the hypoth- Kennaway, K. Capsicum: Practical capabilities for Extensible Programming Unix. In Proceedings of the 19th Usenix Security esis of access-control extensibility? for the 21st Century Symposium (2010). Usenix Association. Further comparison to similar frame- Gregory V. Wilson 22. watson, R.N.M. Feldman, B., Migus, A. and Vance, C. Design and implementation of the TrustedBSD works, such as VFS and device drivers, http://queue.acm.org/detail.cfm?id=1039534 MAC Framework. In Proceedings of the Third DARPA seems appropriate: both are regularly Information Survivability Conference and Exhibition ACM CTO Roundtable on (2003). IEEE. extended to adapt to new require- Mobile Devices in the Enterprise 23. wright, C., Cowan, C., Morris, J., Smalley, S. and ments such as changes in distributed Mache Creeger Kroah-Hartman, G. 2002. Linux security modules: http://queue.acm.org/detail.cfm?id=2016038 General security support for the Linux kernel. In file-system technology or improve- Proceedings of the 11th Usenix Security Symposium ment in power management. The (2002). Usenix Association. willingness of industrial consumers References 1. abrams, M.D., Eggers, K.W., LaPadula, L.J. and Olson, Robert N.M. Watson is a senior research associate at to extend the framework and return I.M. A generalized framework for access control: An the University of Cambridge Computer Laboratory, and informal description. In Proceedings of the 13th NIST- a Research Fellow at St John’s College Cambridge. He improvements reflects our fundamen- NCSC National Computer Security Conference (1990), was a senior principal scientist at SPARTA ISSO, and a 135–143. tally economic hypothesis regarding senior research scientist at McAfee Research, where he 2. anderson, J.P. Computer Security Technology led the development of a kernel access control extension extensibility: managing the upstream- Planning Study. Technical report, Electronic Systems framework for the open source FreeBSD operating system, Division, Air Force Systems Command, 1972. downstream relationship for signifi- now used in products such as Junos, Apple OS X, and iOS. 3. apple Inc. Kernel authorization. Technical Note cant source-code bases is a strong mo- TN2127, 2007; http://developer.apple.com/technotes/ tivator. Widespread and continuing tn2005/tn2127.html. © 2013 ACM 0001-0782/13/02

february 2013 | vol. 56 | no. 2 | communications of the acm 63