Abstract
Existing mandatory access control systems for operating systems are difficult to use. We identify several principles for designing usable access control systems and introduce the Usable Mandatory Integrity Protection (UMIP) model that adds usable mandatory access control to operating systems. The UMIP model is designed to preserve system integrity in the face of network-based attacks. The usability goals for UMIP are twofold. First, configuring a UMIP system should not be more difficult than installing and configuring an operating system. Second, existing applications and common usage practices can still be used under UMIP. UMIP has several novel features to achieve these goals. For example, it introduces several concepts for expressing partial trust in programs. Furthermore, it leverages information in the existing discretionary access control mechanism to derive file labels for mandatory integrity protection. We also discuss our implementation of the UMIP model for Linux using the Linux Security Modules framework, and show that it is simple to configure, has low overhead, and effectively defends against a number of network-based attacks.