Glenn Faden's Blog

  • March 9, 2007

Better Late Than Never

Guest Author

This week I got a letter from the US Patent Office announcing that one of my patent applications had been issued. Naturally, I was pleased, since I had applied for several patents last year related to Trusted Extensions. However, when I looked up the case on the web I was shocked to find that it was the Policy Abstraction Mechanism that was first implemented in Trusted Solaris 2.5. This application was filed on June 24, 1996, so it only took 11 years to be issued.

Obviously there have been many changes in OS security over the past decade, but the mechanisms described in this invention are still in use today. Originally we used the same hooks and table-driven policy implementation in both the Trusted Solaris kernel and in the Trusted X11 server. Over time, the kernel implementation evolved into the current set of policy hooks now used in policy.c in Solaris 10 and OpenSolaris.

However, the original implementation is still being used today in the X11 server. You can download the code from the OpenSolaris X Window System website. It contains the table of protected resources and methods described in the patent application. The web page provided by the US patent office is poorly formatted, so the original table has been run together without rows and columns. If you want to see how it is supposed to look, you can find it in this file:


which contains:

/* X POLICY FUNCTION TABLE. One row per resource. */
static int (*XTSOL_policy_table[TSOL_MAX_XRES_TYPES][TSOL_MAX_XMETHODS])() = {


The table is accessed using the function:

xtsol_policy(xresource_t res, xmethod_t method, void *resource, void *subject, xpolicy_t policy_flags, void *misc);

In the original implementation, xtsol_policy() was the single hook we used in the various X protocol functions to enforce the policy. However, we are now using the more generic SecurityHook mechanism, which is part of the X-ACE framework. This abstraction allows Trusted Extensions to use the same hooks that are used by the SELinux community. The details are described in Alan Coopersmith's blog. The SecurityHook structure contains an abstraction of about ten functions, which are called throughout various X11 device-independent functions. In Trusted Extensions, these functions are simply wrappers around the original xtsol_policy function.
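To make the shape of this design concrete, here is an added example of a table-driven policy dispatcher in the style of XTSOL_policy_table and xtsol_policy(), with a SecurityHook-style wrapper sitting in front of it. It is illustration code written for this post, not the X server's source and not the table from the patent: the resource and method enumerations, the two-part sensitivity label, the read-down and write-equal rules, the error code, and every function name are assumptions chosen for the example.

```c
/* Added example, not code from the page or from the Trusted Extensions source:
 * a table-driven policy dispatch in the style of XTSOL_policy_table and
 * xtsol_policy(). The resource/method enums, the label model, the policy
 * rules and every name below are assumptions made for this illustration. */
#include <stdio.h>
#include <stddef.h>

/* Rows and columns of the policy table. */
typedef enum { XRES_WINDOW, XRES_PIXMAP, XRES_PROPERTY, XRES_TYPES } xresource_t;
typedef enum { XMETH_READ, XMETH_MODIFY, XMETH_DESTROY, XMETH_TYPES } xmethod_t;

/* Minimal sensitivity label: a classification level plus a compartment set.
 * Label a dominates b when a.level >= b.level and a's compartments include b's. */
typedef struct { int level; unsigned compartments; } label_t;
typedef struct { label_t label; int privileged; } subject_t;   /* e.g. an X client */
typedef struct { label_t label; } resource_t;                  /* e.g. a window */

typedef unsigned xpolicy_t;
#define XPOLICY_AUDIT 0x1u   /* constructed flag: log each decision to stderr */

enum { POLICY_OK = 0, POLICY_EACCESS = 10 };   /* constructed result codes */

/* Every table cell has this signature; the dispatcher forwards its arguments. */
typedef int (*policy_fn)(void *resource, void *subject, xpolicy_t flags, void *misc);

static int dominates(const label_t *a, const label_t *b) {
    return a->level >= b->level &&
           (a->compartments & b->compartments) == b->compartments;
}

static int labels_equal(const label_t *a, const label_t *b) {
    return a->level == b->level && a->compartments == b->compartments;
}

static int decide(int ok, xpolicy_t flags, const char *rule) {
    if (flags & XPOLICY_AUDIT)
        fprintf(stderr, "policy %s: %s\n", rule, ok ? "allow" : "deny");
    return ok ? POLICY_OK : POLICY_EACCESS;
}

/* Read-down: a subject may read an object whose label it dominates. */
static int policy_read(void *r, void *s, xpolicy_t flags, void *misc) {
    const resource_t *res = r; const subject_t *sub = s; (void)misc;
    return decide(sub->privileged || dominates(&sub->label, &res->label), flags, "read");
}

/* Write-equal: modification requires matching labels (no write-up, no write-down). */
static int policy_write_equal(void *r, void *s, xpolicy_t flags, void *misc) {
    const resource_t *res = r; const subject_t *sub = s; (void)misc;
    return decide(sub->privileged || labels_equal(&sub->label, &res->label), flags, "write-equal");
}

/* Default rule for cells that have no more specific policy: deny. */
static int policy_deny(void *r, void *s, xpolicy_t flags, void *misc) {
    (void)r; (void)s; (void)misc;
    return decide(0, flags, "deny");
}

/* One row per resource type, one column per method. NULL cells fail closed. */
static policy_fn policy_table[XRES_TYPES][XMETH_TYPES] = {
    /*                  READ         MODIFY              DESTROY            */
    [XRES_WINDOW]   = { policy_read, policy_write_equal, policy_write_equal },
    [XRES_PIXMAP]   = { policy_read, policy_write_equal, policy_write_equal },
    [XRES_PROPERTY] = { policy_read, policy_write_equal, policy_deny        },
};

/* The single hook: look up (resource type, method) and run that cell's rule. */
int check_policy(xresource_t res, xmethod_t method, void *resource,
                 void *subject, xpolicy_t flags, void *misc) {
    if ((unsigned)res >= XRES_TYPES || (unsigned)method >= XMETH_TYPES)
        return POLICY_EACCESS;                 /* unknown index: fail closed */
    policy_fn fn = policy_table[res][method];
    if (fn == NULL)
        return POLICY_EACCESS;                 /* empty cell: fail closed */
    return fn(resource, subject, flags, misc);
}

/* A SecurityHook-style wrapper as the post describes: the generic hook only
 * arranges its arguments and defers to the table dispatcher. */
int hook_resource_access(subject_t *client, resource_t *obj,
                         xresource_t type, xmethod_t method) {
    return check_policy(type, method, obj, client, XPOLICY_AUDIT, NULL);
}

/* Convenience for exercising the table with scalar inputs. */
int decision(int sub_level, unsigned sub_comp, int res_level, unsigned res_comp,
             int privileged, xresource_t type, xmethod_t method) {
    subject_t sub = { { sub_level, sub_comp }, privileged };
    resource_t obj = { { res_level, res_comp } };
    return hook_resource_access(&sub, &obj, type, method);
}

int main(void) {
    printf("secret client reads confidential window: %d\n",
           decision(2, 0x3u, 1, 0x1u, 0, XRES_WINDOW, XMETH_READ));
    printf("confidential client reads secret window: %d\n",
           decision(1, 0x1u, 2, 0x3u, 0, XRES_WINDOW, XMETH_READ));
    return 0;
}
```

The point of the table is that the protocol handlers never encode policy themselves: a request handler names its resource type and method, and the rule lives in one cell that can be audited or swapped without touching the handler. The two bounds checks in check_policy() are the part worth copying: an index outside the table, or a cell nobody filled in, must deny rather than fall through.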

During the eleven years that this patent application languished, the open source community has changed the playing field. The Linux community has now standardized on the Linux Security Modules mechanism which provides equivalent functionality.
