SPARTA ISSO

Community-Based Open Source Security (CBOSS)

CBOSS is an international collaboration of Open Source leaders and operating system security experts. The primary goal of CBOSS is to improve the security of Open Source software, with a focus on the FreeBSD operating system. CBOSS takes advantage of existing infrastructure provided by the TrustedBSD Project, and enhances those technologies to improve flexibility, extensibility, performance, and assurance.

Description

The CBOSS project seeks to bring together key elements of the Open Source and computer security communities to measurably improve real-world security of critical Open Source systems within a period of 18 months (i.e., by December 2002). The CBOSS team includes:

Robert Watson (NAI Labs)
Mr. Watson is a FreeBSD Core Team Member and founded the TrustedBSD project.
Kirk McKusick
Dr. McKusick wrote the file system code in BSD UNIX, and has been intimately involved in every modern aspect of the BSD UNIX family.
Poul-Henning Kamp
Mr. Kamp is a key FreeBSD Project kernel, network, and systems developer.
Jonathan Lemon
Mr. Lemon is a key FreeBSD Project kernel, network, and systems developer.
Dag-Erling Smørgrav
Mr. Smørgrav is a FreeBSD Project systems and security developer.
Wayne Morrison (NAI Labs)
Wayne Morrison is a Network Associates Laboratories developer.
Chris Vance (NAI Labs)
Chris Vance is a Network Associates Laboratories developer.

We aim both to target the "low hanging fruit" in Open Source system security, and also to prepare for longer-term research aimed at fundamental security improvements for Open Source software. We have identified four key community-based initiatives that, in combination, address several central current problems:

Transfer of Existing Security Knowledge.

Our objective for this initiative is to contribute to an increased awareness of security among Open Source developers, and to help set in motion a "virtuous cycle" of security improvement in Open Source projects. This initiative will develop a practical Security Architecture guide for FreeBSD developers, and will provide enhanced FreeBSD man pages that relate security issues (that often appear to be unrelated "details") to the system's security architecture. This work will focus on providing practical nuts-and-bolts security information to programmers.

Transfer of Existing Security Technology.

This initiative will implement and port a collection of advanced security technologies (Extended File System Attributes, Pluggable Authentication Module improvements, IP Stack Hardening, etc.), and work to ensure that these technologies are incorporated into mainstream systems, such as FreeBSD.

New Technology For Developing Kernel Security Extensions.

This initiative will develop new technology for adding security features to operating system kernels in a coherent, safe manner. Current systems provide no support for policy composition. This research will provide such support, thus facilitating quick kernel-level experimentation and competition among features and implementations.

New Technology For Developing High-Security Applications.

This initiative developed practical privilege management software that supports structuring (or restructuring) UNIX server programs (e.g., WU-FTP, Apache, BIND) so that they are effectively immune from root compromise through buffer overflow attacks, format bugs, etc. This initiative will demonstrate worked examples and will show how the techniques can be used in existing and new Open Source projects.

Current Status

The CBOSS project started July 2, 2001; the original contract termination date was December 31, 2002. However, the contract has been extended to include an experimental port of the SELinux FLASK/TE implementation to the TrustedBSD MAC Framework. The contract will now end in September 2003.

Documentation

Documentation for the TrustedBSD MAC Framework may be found in the FreeBSD Developer's Handbook and in Writing MAC Policies.

Software Packages

Collaboration

Collaboration is intrinsic to the CBOSS project (see the project Description). As this work progresses, we aim to increase community involvement with CBOSS technologies.

Point of Contact

To contact the developers of this project, please e-mail cboss@tislabs.com.

