Table of Contents
Fetching ...

OAMAC: Origin-Aware Mandatory Access Control for Practical Post-Compromise Attack Surface Reduction

Omer Abdelmajeed Idris Mohammed, Ilhami M. Orak

TL;DR

OAMAC addresses a gap in operating system security by introducing origin-aware mandatory access control, which treats execution origin (physical presence, remote access, or service execution) as a first-class attribute. Implemented entirely with upstream Linux eBPF LSM hooks, it classifies origin at process creation, propagates it through forks, and enforces origin-aware policies on sensitive kernel interfaces and the BPF control plane, all without kernel patches. The prototype demonstrates effective restriction of remote-origin actions after compromise while preserving normal local administration and boot stability, with live policy reconfiguration and minimal overhead. This provenance-based approach offers a practical path to reducing post-compromise attack surface and complements traditional identity-based MAC frameworks rather than replacing them, potentially generalizing to other OSes and deployment environments.

Abstract

Modern operating systems provide powerful mandatory access control mechanisms, yet they largely reason about who executes code rather than how execution originates. As a result, processes launched remotely, locally, or by background services are often treated equivalently once privileges are obtained, complicating security reasoning and enabling post-compromise abuse of sensitive system interfaces. We introduce origin-aware mandatory access control (OAMAC), a kernel-level enforcement model that treats execution origin -- such as physical user presence, remote access, or service execution -- as a first-class security attribute. OAMAC mediates access to security-critical subsystems based on execution provenance rather than identity alone, enabling centralized governance over multiple attack surfaces while significantly reducing policy complexity. We present a deployable prototype implemented entirely using the Linux eBPF LSM framework, requiring no kernel modifications. OAMAC classifies execution origin using kernel-visible metadata, propagates origin across process creation, and enforces origin-aware policies on both sensitive filesystem interfaces and the kernel BPF control plane. Policies are maintained in kernel-resident eBPF maps and can be reconfigured at runtime via a minimal userspace tool. Our evaluation demonstrates that OAMAC effectively restricts common post-compromise actions available to remote attackers while preserving normal local administration and system stability. We argue that execution origin represents a missing abstraction in contemporary operating system security models, and that elevating it to a first-class concept enables practical attack surface reduction without requiring subsystem-specific expertise or heavyweight security frameworks.

OAMAC: Origin-Aware Mandatory Access Control for Practical Post-Compromise Attack Surface Reduction

TL;DR

OAMAC addresses a gap in operating system security by introducing origin-aware mandatory access control, which treats execution origin (physical presence, remote access, or service execution) as a first-class attribute. Implemented entirely with upstream Linux eBPF LSM hooks, it classifies origin at process creation, propagates it through forks, and enforces origin-aware policies on sensitive kernel interfaces and the BPF control plane, all without kernel patches. The prototype demonstrates effective restriction of remote-origin actions after compromise while preserving normal local administration and boot stability, with live policy reconfiguration and minimal overhead. This provenance-based approach offers a practical path to reducing post-compromise attack surface and complements traditional identity-based MAC frameworks rather than replacing them, potentially generalizing to other OSes and deployment environments.

Abstract

Modern operating systems provide powerful mandatory access control mechanisms, yet they largely reason about who executes code rather than how execution originates. As a result, processes launched remotely, locally, or by background services are often treated equivalently once privileges are obtained, complicating security reasoning and enabling post-compromise abuse of sensitive system interfaces. We introduce origin-aware mandatory access control (OAMAC), a kernel-level enforcement model that treats execution origin -- such as physical user presence, remote access, or service execution -- as a first-class security attribute. OAMAC mediates access to security-critical subsystems based on execution provenance rather than identity alone, enabling centralized governance over multiple attack surfaces while significantly reducing policy complexity. We present a deployable prototype implemented entirely using the Linux eBPF LSM framework, requiring no kernel modifications. OAMAC classifies execution origin using kernel-visible metadata, propagates origin across process creation, and enforces origin-aware policies on both sensitive filesystem interfaces and the kernel BPF control plane. Policies are maintained in kernel-resident eBPF maps and can be reconfigured at runtime via a minimal userspace tool. Our evaluation demonstrates that OAMAC effectively restricts common post-compromise actions available to remote attackers while preserving normal local administration and system stability. We argue that execution origin represents a missing abstraction in contemporary operating system security models, and that elevating it to a first-class concept enables practical attack surface reduction without requiring subsystem-specific expertise or heavyweight security frameworks.
Paper Structure (44 sections, 6 figures)

This paper contains 44 sections, 6 figures.

Figures (6)

  • Figure 1: Threat model: remote versus physical root.
  • Figure 2: Conceptual gap in Linux MAC models.
  • Figure 3: Origin-aware MAC architecture.
  • Figure 4: Origin classification and propagation.
  • Figure 5: Centralized origin-aware enforcement.
  • ...and 1 more figures