Robert N. M. Watson is a research scientist at Network Associates Laboratories, the Security Research Division of Network Associates, Inc. He is the principal investigator for the DARPA-funded CBOSS Project, which performs research into operating system security technologies and the process of security technology transfer through open source. In the past, he has also been involved in a variety of research projects in the Network Security (NETSEC) and Secure Execution Environment (SEE) research groups, including research into IP infrastructure protection (DNSSEC, denial of service resistance), security in active networks, and other operating system security research. He is also founder of the TrustedBSD Project, an active FreeBSD committer, and a member of the FreeBSD Core Team. His current areas of interest include participation in the FreeBSD security officer and release engineering teams, his role as architect of the TrustedBSD MAC Framework, and a variety of open source security and operating system projects.

FreeBSD 5.0-RELEASE provides the FreeBSD user base with a variety of new technologies, including some not found in other open source and commercial operating systems. One of these features is the TrustedBSD MAC Framework, an extension framework for kernel access control. Sponsored by DARPA, the MAC Framework addresses several problems in the design, implementation, deployment, and maintenance of security extensions to operating systems. Using the framework, developers of security extensions can reduce the cost of their implementation and long-term maintenance through the use of security policy modules. The framework permits compile-time, boot-time, and run-time extension of the system, and includes a userland framework to support applications that deal abstractly with several operating system policies. It provides services to support a variety of types of security extensions, including support for object labeling required for common mandatory access control models such as Multi-Level Security (MLS), Biba Integrity, and Type Enforcement. In addition, there is an in-progress port of the SELinux FLASK and Type Enforcement implementations to run over FreeBSD using the MAC Framework. This talk will cover the design and implementation of the MAC Framework in kernel and in userland, as well as several security modules of varying complexity and their interaction with the operating system.