SPARTA ISSO

TrustedBSD:

Trusted operating system extensions for FreeBSD

The TrustedBSD Project provides trusted operating system extensions to the FreeBSD operating system, including support for:

  • Flexible mandatory access control framework (TrustedBSD MAC Framework) permitting compile-time and run-time augmentation of the kernel access control policy.
  • A series of pluggable system access control policies, including fixed-label Biba integrity, floating label LOMAC, compartmented multi-level security (MLS), and a variety of other policy extensions.
  • Port of the FLASK/TE implementation from NSA's SELinux project as a pluggable MAC Framework security module, providing access to a mature fine-grained policy engine and sample policy.
  • File system extended attributes on UFS1, and a next generation UFS file system (UFS2) with native extended attribute support. Extended attributes facilitate adding new security meta-data to system objects.
  • Extended discretionary access control (access control lists) for file system objects.
  • Reduced privilege for system management features, lowering the risks associated with system monitoring tools.
  • OpenPAM, a Berkeley-licensed PAM implementation, as well as adaptation of FreeBSD system components to integrate tightly with PAM.
  • Name Service Switch (NSS) implementation permitting pluggable and extensible directory services.

Work performed at SPARTA ISSO on TrustedBSD occurs as part of the CBOSS Project, which is sponsored by DARPA. Additional information on the TrustedBSD Project may be found on the TrustedBSD web site, including information on other sponsors and on-going projects.

A variety of TrustedBSD components have been, and are being, developed at SPARTA ISSO, or in collaboration with SPARTA ISSO sub-contractors. This includes UFS2, OpenPAM, GEOM, GBDE, NSS, FreeBSD syn cookies and syn cache, TCP state reduction, documentation, and the TrustedBSD MAC Framework.

Many TrustedBSD features are present in the FreeBSD 5.x development branch, including support for extended attributes, ACLs, improved system privileges, and mandatory access control. There is additional on-going work to improve the maturity of these features, as well as to port the SELinux FLASK and TE implementations to FreeBSD as SEBSD. This implementation will be provided as a pluggable module via the TrustedBSD MAC Framework, and will include adaptations of the SELinux policies to run on FreeBSD.

All TrustedBSD-related work performed by SPARTA ISSO is available under a two-clause Berkeley-style license. This license permits broad research and commercial reuse.

Access to the TrustedBSD implementation is provided via the TrustedBSD web site and FreeBSD. Instructions for accessing source code and distributions may be found on these web pages; in addition, a number of vendors have produced CDROM and DVD distributions of FreeBSD 5.0 and 5.1, which include support for many of the TrustedBSD features. Commercial support for these features may be available via these vendors.

A variety of documentation is available as part of the TrustedBSD work. Papers and related material are available via the TrustedBSD web site. Additional documentation is available on the FreeBSD web site, including developer and user documentation.

Several TrustedBSD mailing lists exist, including an announcement mailing list, general discussion mailing list, audit mailing list, and CVS/Perforce commit mailing list. Mailing list information is available on the TrustedBSD web site.

To contact researchers and developers working on TrustedBSD, please e-mail ISSO-cboss@sparta.com.