www.TrustedBSD.org
Home Developers Documentation Source code ACLs Audit BSMtrace ExtAttr + UFS2 GEOM + GBDE
Mailing Lists News Legal MAC Framework OpenBSM OpenPAM Privileges SEBSD SEDarwin
Trusty

Documentation

This page contains both user documentation and implementation papers that may be of use when using or working on TrustedBSD.

Title FreeBSD Handbook: Security Event Auditing
Author Tom Rhodes , FreeBSD Project
Robert Watson , TrustedBSD Project
Location http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/audit.html (HTML)
Abstract
Brief introduction to configuring and using TrustedBSD audit on FreeBSD 7.x.

Title FreeBSD Handbook: File System Access Control Lists
Author Tom Rhodes , FreeBSD Project
Location http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/fs-acl.html (HTML)
Abstract
Brief introduction to configuring and using TrustedBSD access control lists on FreeBSD 5.X.

Title FreeBSD Handbook: Mandatory Access Control (MAC)
Author Tom Rhodes , FreeBSD Project
Location http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac.html (HTML)
Abstract
Introduction to configuring and using the TrustedBSD Mandatory Access Control (MAC) Framework, as well as a list of currently shipped MAC policy modules and implementation examples.

Title FreeBSD Developer's Handbook: The TrustedBSD MAC Framework
Author Robert Watson , Network Associates Laboratories / FreeBSD Project
Chris Costello , Safeport Network Services / FreeBSD Project
Location http://www.freebsd.org/doc/en_US.ISO8859-1/books/arch-handbook/mac.html (HTML)
Abstract
Work in progress. Developer's introduction to the TrustedBSD MAC Framework, targetted at writers of new MAC policy modules.

Implementation Papers

Design white papers provide easy access to the overall design and architecture of the TrustedBSD operating system. While they do not provide in-depth implementation coverage, they can be of interest to those who are new to FreeBSD, TrustedBSD, or trusted operating systems, as well as developers.

Implementation papers are intended to provide detailed technical documentation of work in progress, including design and evaluation information.

Title New approaches to operating system security extensibility
Author Robert N. M. Watson , University of Cambridge
Download Tech report page, PDF
Abstract
This dissertation proposes new approaches to commodity computer operating system (OS) access control extensibility that address historic problems with concurrency and technology transfer. Access control extensibility addresses a lack of consensus on operating system policy model at a time when security requirements are in flux: OS vendors, anti-virus companies, firewall manufacturers, smart phone developers, and application writers require new tools to express policies tailored to their needs. By proposing principled approaches to access control extensibility, this work allows OS security to be "designed in" yet remain flexible in the face of diverse and changing requirements. I begin by analysing system call interposition, a popular extension technology used in security research and products, and reveal fundamental and readily exploited concurrency vulnerabilities. Motivated by these failures, I propose two security extension models: the TrustedBSD Mandatory Access Control (MAC) Framework, a flexible kernel access control extension framework for the FreeBSD kernel, and Capsicum, practical capabilities for UNIX. The MAC Framework, a research project I began before starting my PhD, allows policy modules to dynamically extend the kernel access control policy. The framework allows policies to integrate tightly with kernel synchronisation, avoiding race conditions inherent to system call interposition, as well as offering reduced development and technology transfer costs for new security policies. Over two chapters, I explore the framework itself, and its transfer to and use in several products: the open source FreeBSD operating system, nCircle's enforcement appliances, and Apple's Mac OS X and iOS operating systems. Capsicum is a new application-centric capability security model extending POSIX. Capsicum targets application writers rather than system designers, reflecting a trend towards security-aware applications such as Google's Chromium web browser, that map distributed security policies into often inadequate local primitives. I compare Capsicum with other sandboxing techniques, demonstrating improved performance, programmability, and security. This dissertation makes original contributions to challenging research problems in security and operating system design. Portions of this research have already had a significant impact on industry practice.

Title Capsicum: practical capabilities for UNIX
Author Robert N. M. Watson , University of Cambridge
Jonathan Anderson , University of Cambridge
Ben Laurie , Google UK Ltd.
Kris Kennaway , Google UK Ltd.
Download PDF
Abstract
Capsicum is a lightweight operating system capability and sandbox framework planned for inclusion in FreeBSD 9. Capsicum extends, rather than replaces, UNIX APIs, providing new kernel primitives (sandboxed capability mode and capabilities) and a userspace sandbox API. These tools support compartmentalisation of monolithic UNIX applications into logical applications, an increasingly common goal supported poorly by discretionary and mandatory access control. We demonstrate our approach by adapting core FreeBSD utilities and Google's Chromium web browser to use Capsicum primitives, and compare the complexity and robustness of Capsicum with other sandboxing techniques.

Title The FreeBSD Audit System
Author Robert N. M. Watson , University of Cambridge, TrustedBSD Project
Wayne Salamon , TrustedBSD Project
Venue UKUUG LISA Conference, Durham, UK, March, 2006
Download PDF
Abstract
This paper describes the Common Criteria security event auditing implementation added to the FreeBSD operating system by the TrustedBSD Project. Audit is a critical element in operating system security evaluation and operation, but both the standards-based and operational requirements are complex. This paper describes the requirements, FreeBSD kernel implementation, extensible file format adopted from OpenSolaris BSM, mechanisms used for processing and maintaining the audit trail, and the OpenBSM audit library and tool set. Of importance is not just the content of audit records, but also the reliability guarantees associated with the queuing and delivery mechanisms.

Title Security-Enhanced BSD
Author Chris Vance , Network Associates Laboratories
Robert Watson , Network Associates Laboratories
Venue Network Associates Laboratories Technical Report, Rockville, MD, July 9, 2003
Download PDF
Abstract
Network Associates Laboratories has completed an initial port of the Flask security architecture and other components of Security Enhanced Linux (SELinux) to the FreeBSD operating system. This project, called Security Enhanced BSD (SEBSD), started with the TrustedBSD MAC Framework and integrated the Flask access vector cache and security server to make policy decisions. Then, support was added to the kernel to manage security fields and enforce permissions on files and processes. To demonstrate the resulting kernel functionality, a policy compiler and file system label management tools were ported. Also, modifications to login, ls, and the ps program were integrated into the corresponding FreeBSD programs. This paper discusses the TrustedBSD MAC Framework, label management, access control checks, and differences between SEBSD and SELinux.

Title The TrustedBSD MAC Framework: Extensible Kernel Access Control for FreeBSD 5.0
Author Robert Watson , Network Associates Laboratories / FreeBSD Project
Wayne Morrison , Network Associates Laboratories
Chris Vance , Network Associates Laboratories
Brian Feldman , FreeBSD Project
Venue USENIX Annual Technical Conference, San Antonio, TX, June, 2003
Download PDF
Abstract
We explore the requirements, design, and implementation of the TrustedBSD MAC Framework. The TrustedBSD MAC Framework, integrated into FreeBSD 5.0, provides a flexible framework for kernel access control extension, permitting extensions to be introduced more easily, and avoiding the need for direct modification of distributed kernel sources. We also consider the performance impact of the Framework on the FreeBSD 5.0 kernel in several test environments.

Title Design and Implementation of the TrustedBSD MAC Framework
Author Robert Watson , Network Associates Laboratories / FreeBSD Project
Brian Feldman , Network Associates Laboratories / FreeBSD Project
Adam Migus , Network Associates Laboratories
Chris Vance , Network Associates Laboratories
Venue Third DARPA Information Survivability Conference and Exhibition (DISCEX3); proceedings published by IEEE., Washington, DC, April, 2003
Download PDF
Abstract
Developing access control extensions for operating systems is an expensive and time-consuming task. Mechanisms available for access control extension lag behind industry standard extension solutions for file systems, process schedulers, and device drivers, and suffer from a number of serious flaws in modern multi-processor, multi-threaded kernels. In this paper, we explore the limitations of current technologies for security extension. We describe the TrustedBSD MAC Framework, a flexible and modular environment for operating system access control extensions on the open source FreeBSD platform. The TrustedBSD MAC Framework permits extensions to be introduced at compile-time, boot-time, or at run-time, and provides a number of services to support dynamically introduced policies, including policy-agnostic object labeling services and application interfaces. We discuss the design and implementation of the framework, as well as the an implementation of a fixed-label Biba integrity policy based on the framework.

Title TrustedBSD: Adding Trusted Operating System Features to FreeBSD
Author Robert Watson , Network Associates Laboratories / FreeBSD Project
Venue USENIX Technical Conference, Boston, MA, June 28, 2001
Download PDF
Abstract
Trusted operating systems provide a ``next level'' of system security, offering both new security features and higher assurance that they are properly implemented. TrustedBSD is an on-going project to integrate a number of trusted OS features into the open source FreeBSD operating system, and involves both architectural and development process improvements. This paper describes how the open source development practices of the FreeBSD Project impacted the design and implementation choices for these features, and describes lessons learned that will influence future work. Several key TrustedBSD features are discussed as examples of how new security services may be introduced in such an environment.

Title Introducing Supporting Infrastructure for Trusted Operating System Support in FreeBSD
Author Robert Watson , FreeBSD Project
Venue BSDCon 2000, Monterey, CA, September 8, 2000
Download PDF
Abstract
Trusted operating systems provide a number of features beyond the standard discretionary access control policies of commercial, off-the-shelf operating systems. These include features such as fine-grained event auditing, least-privilege design, mandatory access control policies, and extensive design documentation. The TrustedBSD project is adding trusted operating system features to FreeBSD, an open source UNIX-like operating system under a liberal license. However, TrustedBSD requires extensive changes to the access control mechanisms in FreeBSD. At this point in the project, we have implemented file system extended attributes for storing security labels on files, revamped internal handling of privilege in the operating systems, and are working on an improved generalized access control system.


    Copyright 2000-2012 Robert N. M. Watson. All rights reserved.
    Copyright 2005 SPARTA, Inc. All rights reserved.
    Copyright 2002, Leigh T. Denault. All rights reserved.
    Copyright 2002, 2003 Networks Associates, Inc. All rights reserved.
    $P4: //depot/projects/trustedbsd/www/docs.bib#7 $