- Confidentiality
- Integrity
- Availability
The market adoption of the typical DAC model, and the absence of least-privilege principles in software development by application and system developers, was mainly for the sake of simplicity, manageability and cost. Software developed on this basis fuelled extensive research into the exploitation of high-privilege software components.
Any process must be assigned only the least system privileges required to carry out its intended functions. Any process that does not follow the principle of least privilege is a potential attack vector for a malicious user or process. If such a process holds high privileges, a successful exploitation may lead to the full compromise of the computing base and all of its software components.
In recent years there has been extensive research on "Trusted Computing". The concept of building a trusted computing base rests on the following:
- The core initialization component of the platform has a very small image fingerprint, has been developed according to sound security principles, and formal methods have been used to evaluate this component and the underlying hardware and software base. Software development and evaluation based on formal methods is a very expensive process.
- The ability to measure the integrity of each software component at boot time and to mediate every call from user space to the underlying system calls. Such a system is essential for implementing a MAC model.
- Such a system should also be capable of proving that the advertised computing base fingerprint is authentic and has not been tampered with.
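The three properties above (measuring each component before it runs, deriving a fingerprint of the whole computing base, and proving that fingerprint to a remote party) can be shown end to end in a small simulation. The following is an added example, not code from the original post or from any real platform: the boot chain images, the attestation key and the nonces are constructed sample values, and an HMAC stands in for the asymmetric signature a real attestation key would produce. The register follows the extend-only rule (new = H(old || measurement)), so a tampered or reordered component changes the final value and the verifier's check fails.

```python
import hashlib
import hmac

# Constructed sample boot chain: (component name, image bytes). On a real
# platform these would be the firmware, bootloader, kernel and policy module.
BOOT_CHAIN = [
    ("core_root_of_trust", b"crtm-image-v1"),
    ("bootloader", b"bootloader-image-v1"),
    ("kernel", b"kernel-image-v1"),
    ("policy_module", b"mac-policy-v1"),
]

ATTESTATION_KEY = b"constructed-attestation-key"  # placeholder, not a real key


def measure(image: bytes) -> bytes:
    """Hash one software component before control is handed to it."""
    return hashlib.sha256(image).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """Extend-only update of the measurement register: new = H(old || m).
    The register can never be written directly, so its final value commits
    to every component measured and to the order they ran in."""
    return hashlib.sha256(register + measurement).digest()


def measured_boot(chain):
    """Simulate boot: measure each component, extend the register, keep a log.
    Returns (final register value, event log of (name, digest hex))."""
    register = bytes(32)  # register is all-zero at platform reset
    log = []
    for name, image in chain:
        m = measure(image)
        register = extend(register, m)
        log.append((name, m.hex()))
    return register, log


def replay_log(log) -> bytes:
    """Verifier side: recompute the register from the event log alone."""
    register = bytes(32)
    for _name, digest_hex in log:
        register = extend(register, bytes.fromhex(digest_hex))
    return register


def quote(register: bytes, nonce: bytes, key: bytes) -> bytes:
    """Attest the register together with a verifier-chosen nonce (freshness)."""
    return hmac.new(key, register + nonce, hashlib.sha256).digest()


def verify_quote(register, nonce, q, key, golden_register) -> bool:
    """Check the quote is genuine for this nonce and matches the known-good value."""
    expected = quote(register, nonce, key)
    return hmac.compare_digest(expected, q) and hmac.compare_digest(register, golden_register)


def attestation_round(chain, golden_register, key, nonce) -> bool:
    """Boot the chain, produce a quote, and verify it as a remote party would."""
    register, log = measured_boot(chain)
    q = quote(register, nonce, key)
    # The log must reproduce the quoted register, and the register must be golden.
    return replay_log(log) == register and verify_quote(register, nonce, q, key, golden_register)


def tampered_chain(chain, component, new_image):
    """Return a copy of the chain with one component image replaced."""
    return [(n, new_image if n == component else img) for n, img in chain]


if __name__ == "__main__":
    golden, _ = measured_boot(BOOT_CHAIN)
    print("clean boot attests:", attestation_round(BOOT_CHAIN, golden, ATTESTATION_KEY, b"nonce-1"))
    bad = tampered_chain(BOOT_CHAIN, "kernel", b"kernel-image-modified")
    print("modified kernel attests:", attestation_round(bad, golden, ATTESTATION_KEY, b"nonce-2"))
```

The golden register is whatever the verifier recorded from a known-good boot; any change to a component, or to the order in which components run, produces a different register, and the nonce prevents a recorded quote from an earlier clean boot being replayed.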
Once the operating system has initialized and all OS services are available, a security enforcement module is responsible for mediating all access by any object to system resources and for controlling that access according to a fine-grained security policy.
Commercial support of MAC enabled operating systems
In the last ten years all well-known operating systems have evolved and are now capable of supporting the MAC or RBAC concept. Some operating systems provide native support for RBAC, while others implement user-space tools that provide a less feature-rich RBAC/MAC capability.
One of the fundamental problems with fine-grained security controls in operating systems is their management and configuration. Imagine having 1000 objects, 10 privileges and 100 resources, and you wish to define which object has which privilege on which resource. Add to this that your computing base comprises 100 different software packages and your system supports many users and services.
Luckily, such operating systems nowadays come pre-configured with a default set of policies, with privileges assigned to groups and groups already assigned to roles. Management tools have also been developed to make the task of privilege and identity management easier. Based on the service your system will provide, you can further restrict the security policy of your OS.
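The points above (a process holding only the privileges its function needs, an enforcement module mediating every access against a fine-grained policy, and roles as the way to keep such a policy manageable) can be made concrete with a small role-based reference monitor. This is an added example, not code from the original post or from any operating system's real policy tooling: the roles, users, resources and the default policy are constructed sample values. Privileges are granted to roles, users are assigned roles, and every request is decided default-deny and written to an audit list, so a denied request from a service that should never need it stands out in the log. Path resources match by directory prefix, which needs care: "/var/www" must cover "/var/www/index.html" but not "/var/wwwroot".

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    privilege: str  # e.g. "read", "write", "bind"
    resource: str   # e.g. "/var/www" (a path) or "port:80"


def resource_matches(granted: str, requested: str) -> bool:
    """A granted path covers itself and anything below it; other resource
    kinds (e.g. "port:80") must match exactly. Plain startswith would wrongly
    let "/var/www" cover "/var/wwwroot", hence the trailing separator check."""
    if granted == requested:
        return True
    if granted.startswith("/"):
        return requested.startswith(granted.rstrip("/") + "/")
    return False


@dataclass
class Policy:
    """Roles carry permissions; users carry roles. The policy size grows with
    roles x privileges x resources rather than with every individual user."""
    roles: dict = field(default_factory=dict)        # role -> set[Permission]
    assignments: dict = field(default_factory=dict)  # user -> set[str]

    def grant(self, role: str, privilege: str, resource: str) -> None:
        self.roles.setdefault(role, set()).add(Permission(privilege, resource))

    def assign(self, user: str, role: str) -> None:
        self.assignments.setdefault(user, set()).add(role)

    def is_allowed(self, user: str, privilege: str, resource: str) -> bool:
        """Default deny: allowed only if some role of the user grants it."""
        for role in self.assignments.get(user, ()):
            for perm in self.roles.get(role, ()):
                if perm.privilege == privilege and resource_matches(perm.resource, resource):
                    return True
        return False


class ReferenceMonitor:
    """Mediates every request against the policy and records the decision."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.audit = []  # list of (user, privilege, resource, decision)

    def request(self, user: str, privilege: str, resource: str) -> bool:
        allowed = self.policy.is_allowed(user, privilege, resource)
        self.audit.append((user, privilege, resource, "ALLOW" if allowed else "DENY"))
        return allowed

    def denials(self):
        return [entry for entry in self.audit if entry[3] == "DENY"]


def build_default_policy() -> Policy:
    """Constructed sample policy: a web server role and a database role, each
    limited to what the service actually needs."""
    p = Policy()
    p.grant("httpd", "read", "/var/www")
    p.grant("httpd", "bind", "port:80")
    p.grant("dbadmin", "read", "/var/lib/db")
    p.grant("dbadmin", "write", "/var/lib/db")
    p.assign("www-data", "httpd")
    p.assign("postgres", "dbadmin")
    return p


if __name__ == "__main__":
    monitor = ReferenceMonitor(build_default_policy())
    monitor.request("www-data", "read", "/var/www/index.html")   # ALLOW
    monitor.request("www-data", "bind", "port:80")               # ALLOW
    monitor.request("www-data", "write", "/var/www/index.html")  # DENY: not needed to serve pages
    monitor.request("www-data", "read", "/var/lib/db")           # DENY: outside the httpd role
    monitor.request("www-data", "read", "/var/wwwroot/secret")   # DENY: prefix trap avoided
    for entry in monitor.audit:
        print(entry)
```

Tightening the policy for a specific deployment, as the paragraph above suggests, means removing grants from a role or splitting a role, and the audit list shows which denials that produces before the change is made permanent.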