practice DOI:10.1145/2408776.2408792 movement from multiuser computing Article development led by queue.acm.org toward single-user devices with com- plex application models. The transition was facilitated by extensible access-con- Open source security foundations trol frameworks, which allow operating- for mobile and embedded devices. system kernels to be more easily adapt- ed to new security requirements. BY ROBErt N.M. WAtsON One such extensible kernel refer- ence-monitor framework is the Trust- edBSD MAC (Mandatory Access Con- trol) Framework, developed beginning in 2000 and shipped in the open source A Decade of OS FreeBSD operating system in 2003. This article first describes the context and challenges for access-control ex- tensibility and high-level framework Access-Control design, then turns to practical expe- rience deploying security policies in several framework-based products, in- cluding FreeBSD, nCircle appliances, Juniper’s Junos, and Apple’s OS X and Extensibility iOS. While extensibility was key to each of these projects, they motivated con- siderable changes to the framework it- self, so the article also explores how the framework did (and did not) meet each product’s requirements, and finally re- flects on the continuing evolution of operating-system security. A Quiet Revolution in OS Design Embedded and mobile operating sys- TO DISCUSS OPERATING-SYSTEM security is to marvel tems have changed greatly in the past 20 years: devices have gained the CPU at the diversity of deployed access-control models: power to run general-purpose operat- Unix and Windows NT multiuser security, Type ing systems; they have been placed in Enforcement in SELinux, anti-malware products, app ubiquitous networking environments; they have needed to support mature sandboxing in Apple OS X, Apple iOS, and Google software stacks including third-party Android, and application-facing systems such as applications; and they have found Capsicum in FreeBSD. This diversity is the result of a themselves exposed to malicious ac- tivity motivated by strong financial stunning transition from the narrow 1990s Unix and incentives. Vendors built on exist- NT status quo to security localization—the adaptation ing operating systems—often open source—to avoid creating them from of operating-system security models to site-local or scratch. This provided mature applica- product-specific requirements. tion frameworks and complex network This transition was motivated by three changes: stacks, both areas of weakness for then-contemporary “embedded oper- the advent of ubiquitous Internet connectivity; a ating systems.” One early example is migration from dedicated embedded operating Juniper’s Junos, a version of FreeBSD adapted for router control planes in systems to general-purpose ones in search of more 1998. This trend had come to fruition sophisticated software stacks; and widespread by 2007 when Google’s Android, based 52 COMMUNICATIONS OF THE ACM | FEBRUARY 2013 | VOL. 56 | NO. 2 on Linux, and Apple’s iOS, based in that were designed for another place capsulation, appearing in Abrams et part on Mach and FreeBSD, became and time. al.’s Generalized Framework for Ac- available, transforming the smart- Access-Control Frameworks. Oper- cess Control (GFAC),1 and by the late phone market. ating-system developers must satisfy 1990s in Ott’s Rule Set-based Access Common to all of these environ- device vendors, who require everything Control (RSBAC)14 and Spencer et al.’s ments is a focus on security and reli- from router and firewall hardening Flask security architecture.17 Main- ability: as third-party applications are to mobile-phone app sandboxing. stream operating-system vendors did deployed in systems from Junos, via its Operating-system vendors had accu- not adopt these approaches until the SDK, and to iOS/Android app stores, rately observed a difficult adoption early 2000s with the MAC Framework sandboxing becomes critical, first to path for historic trusted operating sys- on FreeBSD22 and shortly after, Linux prevent bricking (reducing a device to tems, whose mandatory access-control Security Modules (LSM).23 In both cas- a mere brick as a result of malfunction schemes suffered from poor usability, es, a key concern was supporting third- or abuse) and later to constrain mal- performance, maintainability, and— party security models without com- ware. This trend is reinforced by mo- perhaps most critically—end-user de- mitting to fixed policies as had earlier bile-phone access to online purchas- mand. Likewise, they saw many prom- trusted systems. ing, and most recently, banking and ising new security models in research, payment systems. As a result, the role each with unknown viability, suggest- The MAC Framework SSOCIATES A of operating-system security has shift- ing that no single access-control mod- The MAC Framework was proposed ORYS ORYS B ed from protecting multiple users from el would meet all needs. This practical in 1999, with the first whitepaper on each other toward protecting a single reality of security localization directly its design published in June 2000.20 It NDRIJ A / operator or user from untrustworthy motivates extensible access control. appeared in FreeBSD 5.0 in 2003 as an applications. In 2013, embedded de- Research over the preceding 20 experimental feature—compiled out REENBERG G vices, mobile phones, and tablets are years had made clear the need for a ref- by default but available to early adopt- RIAN points of confluence: the interests of erence monitor—a self-contained, non- ers. FreeBSD 8.0 in 2009 included the B many different parties—consumers, bypassable, and compact (hence verifi- framework as a production feature, phone vendors, application authors, able) centralization of access control.2 compiled into the default kernel. (A and online services—must be medi- By the early 1990s, this concept had timeline of key events in its develop- LLUSTRATION BY BY LLUSTRATION I ated with the help of operating systems been combined with the notion of en- ment appears in Figure 1.) FEBRUARY 2013 | VOL. 56 | NO. 2 | COMMUNICATIONS OF THE ACM 53 practice The MAC Framework offers a logi- compiled into the kernel or loadable range of object types, from files to net- cal solution to the problem of kernel modules and implement well-defined work interfaces, and integrate with the access-control augmentation: exten- kernel programming interfaces (KPIs). kernel’s concurrency model. sion infrastructure able to represent Policies can augment access-control Mandatory Policies. MAC describes many different policies, offering im- decisions and make use of common a class of security models in which proved maintainability and supported infrastructure such as object labeling policies constrain the interactions by the operating-system vendor. Simi- to avoid direct kernel modification of all system users. Whereas discre- lar to device drivers and virtual file and code duplication. They are able to tionary access control (DAC) schemes system (VFS) modules,10 policies are enforce access control across a broad such as file-system access-control lists Figure 1. MAC Framework research and development with key corporate contributions. June 2000: extensible access control October 2007, August 2008: MAC framework for FreeBSD proposed at Framework improvements merged Network Associates Laboratories to FreeBSD from Apple OS X 2001–2004 DARPA CBOSS project 2004–2007 US Navy SEFOS project at 2009: MAC Framework DTrace on access control extensibility at McAfee Research improves the MAC instrumentation added by University of McAfee Reasearch Framework; SEBSD; Apple OS X port Cambridge during dynamic analysis study 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 July 2002: MAC Framework merged to November 2006: nCircle contributes OS 2008: Seccuris contributes MAC FreeBSD 5.0 development tree privilege extensions to MAC Framework Framework IPC enhancements while developing Biba-based network intrusion detection appliance 2007: Secure Computing Corporation (later McAfee) contributes MAC Framework patches from FreeBSD transition; Sidewinder is evaluated to EAL 4+ Figure 2. Policy models are encapsulated in kernel modules that augment kernel access control. Process Process Process Process Label management APIs System call interface support security-aware but Kernel subsystems policy-agnostic applications consult framework to check access control decisions and notify the framework MAC label of object lifecycle events Process Socket VFS system DTrace to support labeling signals IPC calls DTrace probes allow monitoring and tracing of framework entry point MAC Framework invocation and results Operating Policy modules can be com- system Biba MLS piled into the kernel, loaded kernel at boot, or (where supported ugidfw by policy semantics) loaded and uploaded at runtime. 54 COMMUNICATIONS OF THE ACM | FEBRUARY 2013 | VOL. 56 | NO. 2 practice (ACLs) allow object owners to protect code conflicts with security exten- (or share) objects at their own discre- sions. Assurance is also affected, as tion, MAC enforces systemwide se- the burden of arguing for correctness curity invariants regardless of user is left entirely in the hands of the ex- preference. The research literature de- tension writer. scribes a plethora of mandatory poli- The MAC ˲ System call interposition is widely cies grounded in information flow and Framework used in antivirus systems and, in the rule-based models. past, security extension products and Early mandatory policies focused