SPARTA ISSO

LOMAC: MAC You Can Live With

LOMAC is a dynamically-loadable security module for Free UNIX kernels that uses Low Water-Mark Mandatory Access Control (MAC) to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users, and compromised network server daemons. LOMAC is designed for compatibility and ease of use - to be a form of MAC typical users can live with.

LOMAC is an attempt to produce a form of MAC integrity protection that typical users can live with. LOMAC implements a simple form of MAC integrity protection based on Biba's Low Water-Mark model in a Loadable Kernel Module (LKM). LOMAC provides useful integrity protection against viruses, Trojan horses, malicious remote users, and compromised network servers without any modifications to the kernel, applications, or their existing configurations. LOMAC is designed to be easy to use. Its default configuration is intended to provide useful protection without being adjusted for the specific users, servers, or other software present on the system. LOMAC may be used to harden currently-deployed systems simply by loading the LKM into the kernel shortly after boot time.

Once loaded, LOMAC divides the system into two conceptual levels of integrity: high and low. The high-integrity side contains all processes and files that should be protected from malicious code and remote users: the kernel servers (kflushd and friends), the system binaries (bin, lib), the system configuration files (etc), and any mission-critical data (your web pages). The low-integrity side contains the processes that must interact with remote users or systems (remote login sessions, web clients and servers, mail delivery agents) and the files they download from the net (web content, mail, attachments).

Low-integrity processes and files represent potential threats to the overall integrity of the system: low-integrity files may contain viruses or Trojan horses, and low-integrity processes take input from remote users that may cause buffer overflows. During run-time, LOMAC protects high-integrity files and processes by preventing low-integrity processes from modifying or signalling them. Thanks to its generic default configuration, LOMAC handles the division of the system into high and low parts automatically, without administrative direction.

LOMAC does not override the existing kernel protection mechanisms. Instead, its permission checks are done in addition to the existing ones - the kernel permits an operation only if both the existing mechanisms and LOMAC decide it should permit it. Unlike the existing kernel protection mechanisms, LOMAC makes decisions based solely on integrity level, not on user identity. With LOMAC, a low-level root process is just as powerless as a low-level non-root process. Since LOMAC automatically places all network servers in the low part of the system, this fact prevents compromised root-privileged network servers from harming the high-integrity part of the system.
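The decision logic described above can be modelled in a few lines of user-space C. This is an added example, not LOMAC source code: all type and function names are hypothetical, the identity-based check is a simplified stand-in for the kernel's own, and the demotion-on-read rule comes from Biba's Low Water-Mark model, which the page names but does not spell out.

```c
#include <stdbool.h>
#include <stdio.h>
/* Added illustration, not LOMAC source; every name here is hypothetical. */
enum level { LOW = 0, HIGH = 1 };
struct subject { int uid; enum level lvl; };
struct object  { int owner_uid; enum level lvl; };

/* Stand-in for the existing identity-based check: root or owner may write. */
static bool dac_may_write(const struct subject *s, const struct object *o) {
    return s->uid == 0 || s->uid == o->owner_uid;
}

/* Integrity check: compares levels only and never looks at uid. */
static bool lomac_may_write(const struct subject *s, const struct object *o) {
    return s->lvl >= o->lvl;
}

/* An operation goes ahead only if both mechanisms permit it. */
bool may_write(const struct subject *s, const struct object *o) {
    return dac_may_write(s, o) && lomac_may_write(s, o);
}

/* Signalling a process is subject to the same level comparison. */
bool may_signal(const struct subject *from, const struct subject *to) {
    return from->lvl >= to->lvl;
}

/* Low water-mark: reads are never refused, but reading lower data demotes the reader. */
void do_read(struct subject *s, const struct object *o) {
    if (o->lvl < s->lvl) s->lvl = o->lvl;
}

/* Constructed scenario; returns one bit per decision (1 = permitted). */
int scenario(void) {
    struct object  etc_file = { 0, HIGH }, download = { 1000, LOW };
    struct subject httpd = { 0, LOW };    /* root-privileged network server */
    struct subject shell = { 0, HIGH };   /* local root shell */
    struct subject sysproc = { 0, HIGH }; /* high-integrity system process */
    int r = 0;
    r |= may_write(&httpd, &etc_file) << 0;  /* denied: low-level root */
    r |= may_write(&shell, &etc_file) << 1;  /* permitted */
    do_read(&shell, &download);              /* shell is now LOW */
    r |= may_write(&shell, &etc_file) << 2;  /* denied after demotion */
    r |= may_signal(&shell, &sysproc) << 3;  /* denied */
    r |= may_write(&shell, &download) << 4;  /* permitted: LOW to LOW */
    return r;
}

int main(void) { printf("decisions: 0x%02x\n", scenario()); return 0; }
```

Only bits 1 and 4 are set in the result: uid 0 passes the identity check every time, so each denial comes from the level comparison alone.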

Further information on LOMAC can be found here.

LOMAC is no longer under active development. There are several versions of LOMAC:

LOMAC/Linux
A version of LOMAC for Linux 2.2 kernels.
Status: sufficiently stable for everyday use, although some fixes and features remain to be implemented.
License: version 2 of the GNU General Public License.
Download: See below.

LOMAC/FreeBSD
Two versions of LOMAC have been developed for the FreeBSD 5.x release series: one based on system call wrappers, in the style of the Linux implementation, and one based on the TrustedBSD MAC Framework. The MAC Framework implementation has been selected as the production release; the system call wrapper implementation is available in the FreeBSD CVS repository history for those interested. New installs of FreeBSD 5.0 and later include a mac_lomac module, implementing the floating-label integrity policy. This work was sponsored by DARPA as part of the CBOSS research project.
Status: stable for everyday use.
License: a 2-clause BSD-style license.
Download: LOMAC/FreeBSD is available in the -CURRENT branch of the FreeBSD project's source tree, under src/security/mac_lomac.

LOMAC for Linux 2.4 kernels
Begun June 2001.

LOMAC/LSM
A version of LOMAC for Linux kernels patched to support Linux Security Modules, begun June 2001.

LOMAC/RSBAC
A version of LOMAC for Linux kernels patched to support RSBAC, begun June 2001.

Both the latest release and all historical releases of LOMAC/Linux are available for download here. The source for LOMAC/FreeBSD is a part of the -CURRENT branch of the FreeBSD Project's source tree, under src/sys/security/lomac.

Documentation

The following LOMAC documentation is available:

User Documentation for LOMAC/Linux
Peer-reviewed Publications
Timothy Fraser, "LOMAC: MAC You Can Live With," in the Proceedings of the FREENIX Track, 2001 USENIX Technical Conference, Boston, Massachusetts, USA, 2001.

This paper discusses implementation issues, including how LOMAC uses interposition on the system call interface to gain control of kernel operations, and how LOMAC uses implicit attribute mapping to map persistent attributes onto filesystem objects.

Timothy Fraser, "LOMAC: Low Water-Mark Integrity Protection for COTS Environments," in the Proceedings of the 2000 IEEE Symposium on Security and Privacy, Oakland, California, USA, 2000.

This paper discusses theoretical issues, including LOMAC's compatibility goals and why the Low Water-Mark MAC model is especially suited to meeting them.

To contact the developers of this project, please E-mail ISSO-Research@SPARTA.com.