End systems must be able to enforce the separation of information based on confidentiality and integrity requirements to provide system security. Operating system security mechanisms are the foundation for ensuring such separation. Unfortunately, existing mainstream operating systems lack the critical security feature required for enforcing separation: mandatory access control. As a consequence, application security mechanisms are vulnerable to tampering and bypass, and malicious or flawed applications can easily cause failures in system security.
To address this problem, the National Security Agency (NSA) worked with Secure Computing Corporation (SCC) to research a strong, flexible mandatory access control architecture based on Type Enforcement, a mechanism first developed for the LOCK system. The NSA and SCC developed two Mach-based prototypes of the architecture: DTMach and DTOS. The NSA and SCC then worked with the University of Utah's Flux research group to transfer the architecture to the Fluke research operating system. During the transfer, the architecture was enhanced to provide better support for dynamic security policies. This enhanced architecture was named Flask. The NSA is now integrating the Flask architecture into the Linux operating system to transfer the technology to a larger developer and user community.
Researchers in the NSA's Information Assurance Research Office have implemented the architecture in the major subsystems of the Linux kernel, including mandatory access controls for operations on processes, files, and sockets. The Secure Execution Environments (SEE) group at NAI Labs is working with the NSA in further developing and configuring this security-enhanced Linux system. SCC and MITRE are assisting the NSA in developing application security policies and enhanced utility programs.
This paper describes work by the NSA and NAI Labs in integrating the security mechanisms of the Flask architecture into the Linux kernel. The paper begins by providing an overview of the Flask architecture and its Linux kernel implementation in Section 2. The design and implementation of two new operating system components, the security server and the access vector cache (AVC), are then described in detail in Section 3 and Section 4. Then, the design and implementation of security enhancements to each of the existing Linux operating system components are described in detail.