Abstract

We hypothesize that a form of kernel-resident access control based integrity protection can gain widespread acceptance in commercial off-the-shelf (COTS) environments, provided that it couples some useful protection with a high degree of compatibility with existing software, configurations, and practices. To test this hypothesis, we have developed a highly compatible free open-source prototype called LOMAC, and released it on the Internet. LOMAC is a dynamically loadable extension for COTS Linux kernels that provides integrity protection based on Low Water-Mark access control. We present a classification of existing access control models with regard to compatibility, concluding that models similar to Low Water-Mark are especially well suited to high-compatibility solutions. We also describe our practical strategies for dealing with the pathological cases in the Low Water-Mark model's behavior which include a small extension of the model, and an unusual application of its concepts.