The LOMAC project

LOMAC was a pet Free software project of mine at NAI Labs back in 1999-2002. Although it was initially a security enhancement for Linux kernels, I later collaborated with Brian Feldman to port LOMAC to FreeBSD. LOMAC is still part of FreeBSD as of late 2006.

LOMAC implemented the Low Water-Mark mandatory access control policy originally described by K. J. Biba in his 1977 report "Integrity Considerations for Secure Computer Systems". Once installed on a system LOMAC protected critical system files and processes from tampering, addressing both direct threats from sources such as compromised network daemons and indirect threats from malware such as Trojan horses. One astute member of the University of Maryland at College Park Linux User Group succinctly described LOMAC as something like Perl's taint-mode applied to processes.

Compatibility and simplicity were key goals. LOMAC was designed to work with unmodified GNU/Linux distributions and to require no configuration. It was largely invisible to the user during run-time, taking action only to prevent operations that might threaten system integrity.

LOMAC was only one of many interesting kernel security enhancement projects going on at the time. There were projects from all over the world: LIDS, Medusa DS9, RSBAC, SubDomain, VXE, and several flavors of DTE, to name a few. Because the Linux 2.0 and 2.2 kernels available at that time did not yet have a security modules framework, each project had to find its own way to integrate with the kernel. LOMAC used system call interposition, much like some modern rootkits do.

I had a lot of fun working on LOMAC. Security enhancements are more challenging to implement than exploits. When you're coding an exploit, you have to consider only one weakness in your target system. When you're coding a security enhancement, you have to consider all possible weaknesses.

By the New Year's Day 2002 the GNU/Linux versions of LOMAC had reached 3900 uniq cumulative downloads. By that time I had managed to get two papers published about LOMAC and had gotten some good feedback here and there: One system administrator at a "Big 10" school told me he liked to deploy LOMAC on machines he was putting throughout his network to act as sensors. One professor told me he used LOMAC as a (presumably positive) example in his classes. There were also some backhanded compliments. For example, Nick Petroni informed me that the author of the Kis rootkit v0.9 decided to include LOMAC in the list of security modules to disable upon taking over a machine:

                if(strcmp(mod->name, "StJude") == 0)
                        unload++;

                if(strcmp(mod->name, "StMichael") == 0)
                        unload++;

                if(strcmp(mod->name, "lomac_mod") == 0)
                        unload++;

                if(strcmp(mod->name, "carbonite") == 0)
                        unload++;

Low Water-Mark is a relatively simple integrity protection scheme. I am aware of two LOMAC-inspired projects undertaken at corporate research labs since 2002. If you make a version of LOMAC for modern systems, let me know!

Links


Tim Fraser's homepage at the WPI alumni site

$Id: index.html,v 1.6 2007/04/16 14:00:00 tim Exp $