Applying a usage control model in an operating system kernel

Operating systems traditionally use access control mechanisms to manage access to system resources like files, network connections, and memory areas. However, classic access control models are not suitable for regulating access to the diversity of ways data is available and used today. Modern usage control models go beyond traditional access control, addressing its limitations related to attribute mutability and continuous usage permission validation. The recently proposed UCONABC model establishes a predicate-based framework to satisfy the new access/usage control needs in computing systems. This paper defines a usage control model based on UCONABC and describes a framework to implement it in an operating system kernel, on top of the existing DAC mechanism. A language for representing usage control entities and rules is also proposed, and some typical access/usage control scenarios are represented using it, to show its usefulness. Finally, a prototype of the proposed framework was built in an operating system kernel, to control the usage of local files. The prototype evaluation shows that the proposed model is feasible, straightforward, and may serve as a basis for more complex usage control frameworks.