
arxiv: 2606.08060 · v1 · pith:C746VXRYnew · submitted 2026-06-06 · 💻 cs.OS · cs.CR

TOMOYO Linux: A Mandatory Access Control Method Based on Application Execution State

Pith reviewed 2026-06-27 19:07 UTC · model grok-4.3

classification 💻 cs.OS cs.CR
keywords: mandatory access control · TOMOYO Linux · application execution state · Linux security · access control policy · execution history · intent-based access

The pith

TOMOYO Linux implements mandatory access control by tracking application execution history and state to account for intents.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Traditional access control methods decide requests based only on which application is acting on which file. This paper proposes a method that also uses an application's execution history and current state to infer its intent behind the request. If the approach holds, administrators can write rules that block accesses unlikely to be legitimate, cutting risks from malware or operator mistakes. The authors describe the concept, the design choices for their Linux implementation called TOMOYO Linux, and a short evaluation of its behavior.

Core claim

The paper claims that basing access control decisions on application execution history and state, rather than solely on subject-object combinations, makes it possible to consider the intent of the requesting application and thereby lets system administrators reduce the risks caused by malicious access attempts and wrong operations. The concept and implementation design of TOMOYO Linux are presented as a concrete realization of this method.

What carries the argument

Application execution history and state used as the basis for deciding whether an access request matches the application's intended behavior.

If this is right

  • Administrators can define policies that reflect the sequence of steps an application normally takes.
  • Access requests outside expected execution paths can be denied to limit damage from compromised programs.
  • The method supplies a mandatory control layer that is aware of how an application arrived at its current state.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same state-tracking idea could be applied to other operating systems or combined with existing mandatory controls.
  • Execution-state monitoring might also serve as a basis for runtime anomaly detection beyond static policy enforcement.

Load-bearing premise

Application execution history and state provide sufficient information to reliably distinguish intended from unintended or malicious access requests.

What would settle it

A concrete counter-example in which an application reaches a malicious access while its recorded execution history and state remain indistinguishable from a legitimate path would show the method cannot reliably separate intents.

Figures

Figures reproduced from arXiv: 2606.08060 by Hidehiko Tanaka, Masaki Hashimoto, Tetsuo Handa, Toshiharu Harada.

Figure 1. Defining Program Execution History.

Figure 2. Domain Transition Example (Fedora 15). Text extracted alongside the figure, from Section 4.3 (Implementation of MAC): to perform access control that applies without omission and cannot be bypassed, it suffices to implement a reference monitor [18][19]. Specifically, the invocation of a system call is intercepted (hooked), and a decision is made about whether to permit the request. If permitted, the original processing is carried out; otherwise, the request i…

Figure 3. Policy of /bin/bash Domain.

Figure 4. Policy of /usr/bin/passwd Domain. The policy listing extracted alongside Figures 3 and 4 is reproduced below. Line 1 names the domain, that is, the execution history of the process, which here ends in /usr/bin/passwd; each following line is one file operation permitted to that domain:

    1 <kernel> /sbin/init /sbin/agetty /bin/login /bin/bash /usr/bin/passwd
    2
    3 file read /etc/passwd
    4 file read /etc/shadow
    5 file write /etc/.pwd.lock
    6 file read /dev/urandom
    7 file create /etc/nshadow 0666
    8 file write /etc/nshadow
    9 file chown/chgrp /etc/nshadow 0
    10 file chmod /etc/nshadow 00
    11 file rename /etc/nshadow /etc/shadow

Figure 5. Performance delay due to domain number increase. Text extracted alongside the figure: as the number of domains grows, the processing time to search for the corresponding domain per access request increases. Also, as application processing becomes more complex, the number of access permissions per domain increases, and the processing time to search for the corresponding access permission increases. Therefore, the impact on performance caused by an increase in policy scale c…

Figure 6. Performance delay due to ACL number increase. Text extracted alongside the figure, from Section 6 (Discussion): as a discussion of the proposed method, the chapter compares it with other closely related methods and confirms its effect against typical unauthorized-access techniques. It also describes cases that the proposed method cannot solve and, as countermeasures, the issues in enhancing its functions. 6.1 Comparison with Other Methods. 6.1.1 Comparison …
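The domain naming and per-domain allow-list that the figures above describe, worked through in a small Python simulator. This is an added example, not code from the paper or from the TOMOYO project. It replays the passwd-domain listing reproduced with Figure 4, adds a constructed policy for the /bin/bash domain (the page does not reproduce the Figure 3 listing, so that policy is hypothetical), treats the chain of programs exec'd since <kernel> as the subject of every decision the way TOMOYO names domains, and answers requests by exact match of operation, path and arguments (a simplification: the real policy language also has path patterns and number ranges). It also works through the mimicry point raised in the referee report below: code injected into the passwd process inherits exactly the passwd domain's rights, no more and no fewer, while the same binary reached by a different history lands in a different domain.

```python
"""Simulator of history-based domains and per-domain file ACLs (TOMOYO-style).

Added illustration, not code from the paper or the TOMOYO project.
- A domain is the execution history: the chain of programs exec'd since <kernel>.
- Each domain carries an allow-list of file operations; anything else is denied.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

KERNEL = "<kernel>"

# Policy listing as reproduced with Figure 4 on this page (line 1 is the domain).
PASSWD_DOMAIN_POLICY = """\
<kernel> /sbin/init /sbin/agetty /bin/login /bin/bash /usr/bin/passwd
file read /etc/passwd
file read /etc/shadow
file write /etc/.pwd.lock
file read /dev/urandom
file create /etc/nshadow 0666
file write /etc/nshadow
file chown/chgrp /etc/nshadow 0
file chmod /etc/nshadow 00
file rename /etc/nshadow /etc/shadow
"""

# Constructed (hypothetical) policy for the login shell's domain: it may read
# /etc/passwd and exec passwd, but it is given no access to /etc/shadow.
BASH_DOMAIN_POLICY = """\
<kernel> /sbin/init /sbin/agetty /bin/login /bin/bash
file read /etc/passwd
file execute /usr/bin/passwd
"""

Rule = Tuple[str, ...]  # (operation, path, *arguments)


@dataclass(frozen=True)
class Process:
    """A process is identified only by its execution history."""
    history: Tuple[str, ...] = (KERNEL,)

    @property
    def domain(self) -> str:
        return " ".join(self.history)


class ReferenceMonitor:
    """Mediates file requests: look up the caller's domain, then the rule."""

    def __init__(self, *policies: str) -> None:
        self.acl: Dict[str, Set[Rule]] = {}
        for text in policies:
            self.load(text)

    def load(self, text: str) -> None:
        lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
        domain, rules = lines[0], lines[1:]
        entries = self.acl.setdefault(domain, set())
        for line in rules:
            kind, ops, *args = line.split()
            if kind != "file":
                raise ValueError(f"unsupported rule: {line}")
            for op in ops.split("/"):  # "chown/chgrp" in the figure abbreviates two rules
                entries.add((op, *args))

    def check(self, proc: Process, op: str, path: str, *args: str) -> bool:
        rules = self.acl.get(proc.domain)
        if rules is None:
            return False  # domain never defined in policy: deny (enforcing mode)
        return (op, path, *args) in rules  # exact match; real TOMOYO also has patterns

    def execve(self, proc: Process, program: str) -> Process:
        """exec is itself mediated, and it is the only way a domain changes."""
        if not self.check(proc, "execute", program):
            raise PermissionError(f"{proc.domain}: execute {program} denied")
        return Process(proc.history + (program,))


def walkthrough() -> Dict[str, bool]:
    mon = ReferenceMonitor(BASH_DOMAIN_POLICY, PASSWD_DOMAIN_POLICY)
    # Constructed: a console login shell. Policies for init/agetty/login are not
    # on this page, so the shell process is built directly at its domain.
    shell = Process((KERNEL, "/sbin/init", "/sbin/agetty", "/bin/login", "/bin/bash"))
    passwd = mon.execve(shell, "/usr/bin/passwd")  # domain transition
    # Constructed: the same binary launched from an ssh session. The history
    # differs, so it is a different domain, and no policy exists for it here.
    ssh_passwd = Process((KERNEL, "/usr/sbin/sshd", "/bin/bash", "/usr/bin/passwd"))
    return {
        "shell reads /etc/shadow": mon.check(shell, "read", "/etc/shadow"),
        "passwd reads /etc/shadow": mon.check(passwd, "read", "/etc/shadow"),
        "passwd creates nshadow 0666": mon.check(passwd, "create", "/etc/nshadow", "0666"),
        "passwd creates nshadow 0644": mon.check(passwd, "create", "/etc/nshadow", "0644"),
        "passwd renames nshadow to shadow": mon.check(passwd, "rename", "/etc/nshadow", "/etc/shadow"),
        # Mimicry: a payload running inside the passwd process has passwd's
        # history, so it keeps passwd's rights, but it cannot step outside them.
        "payload in passwd reads /etc/shadow": mon.check(passwd, "read", "/etc/shadow"),
        "payload in passwd writes /root/.ssh/authorized_keys": mon.check(
            passwd, "write", "/root/.ssh/authorized_keys"),
        "passwd via sshd reads /etc/shadow": mon.check(ssh_passwd, "read", "/etc/shadow"),
    }


if __name__ == "__main__":
    for request, allowed in walkthrough().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {request}")
```

Two things the run shows that the prose alone does not. First, the subject of the decision is the whole history string, so reaching /usr/bin/passwd through sshd rather than agetty/login is a different domain and, absent a policy line for it, every request is denied: that is the "aware of how an application arrived at its current state" property. Second, the history says nothing about what code is executing inside the domain, which is the limit the referee's mimicry comment points at: the injected payload reads /etc/shadow just as passwd does, and the only thing that contains it is that the allow-list enumerates nothing beyond what passwd needs.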
Original abstract

Existing access control methods grant access requests based on the combinations of applications as subject and files as objects. Therefore intents of applications and the possible effects caused by granting the access requests have not been taken into consideration. In this paper, we propose a new access control method based on application history and intents. With our access control method, system administrators can reduce the risks caused by malicious access attempts and wrong operations. In this paper, the concept and implementation design will be explained as well as the brief evaluation report of TOMOYO Linux, our implementation of the new access control method to Linux.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper proposes TOMOYO Linux, a mandatory access control method for Linux that grants access based on application execution history and state (to capture intents) rather than solely on subject-object combinations. It claims this reduces risks from malicious access attempts and wrong operations, and describes the concept, implementation design, and a brief evaluation report.

Significance. If the execution-state approach can be shown to reliably distinguish intended from unintended accesses in practice, it would offer a practical advance in MAC design by incorporating behavioral context, which could complement existing Linux security mechanisms. The Linux implementation and any reproducible evaluation would be of interest to the OS security community.

major comments (2)
  1. [Abstract] Abstract, paragraph 2: the central claim that execution history and state suffice to identify malicious or erroneous requests is load-bearing, yet the manuscript supplies no formal model of distinguishable intent, no policy examples, and no data or error analysis from the evaluation report.
  2. [Design description] Design description (concept section): the claim that history-based decisions reduce risks is undermined by the absence of any analysis of mimicry attacks, in which an attacker substitutes code that follows an identical domain-transition path up to a disallowed access point.
minor comments (1)
  1. [Evaluation] The evaluation report is described as 'brief' but lacks any tables, figures, or quantitative metrics; adding at least one concrete policy example with before/after behavior would improve clarity.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments. The manuscript presents TOMOYO Linux as a conceptual and implementation-focused introduction to history-based MAC rather than a comprehensive formal or empirical study. We address each major comment below and will make revisions to strengthen the presentation.

Point-by-point responses
  1. Referee: [Abstract] Abstract, paragraph 2: the central claim that execution history and state suffice to identify malicious or erroneous requests is load-bearing, yet the manuscript supplies no formal model of distinguishable intent, no policy examples, and no data or error analysis from the evaluation report.

    Authors: The abstract summarizes the motivation that history and state can help reduce risks from malicious attempts and wrong operations, without asserting that they formally suffice to identify all such requests. The manuscript is structured as a description of the concept and Linux implementation with only a brief evaluation report. We agree that the absence of a formal model, policy examples, and expanded evaluation data leaves the claims under-supported. We will revise the abstract for precision and add policy examples plus evaluation details in the updated manuscript. revision: yes

  2. Referee: [Design description] Design description (concept section): the claim that history-based decisions reduce risks is undermined by the absence of any analysis of mimicry attacks, in which an attacker substitutes code that follows an identical domain-transition path up to a disallowed access point.

    Authors: The design relies on execution history to capture behavioral context for access decisions. The manuscript does not analyze mimicry attacks or other adversarial scenarios. We acknowledge this as a substantive gap that weakens the risk-reduction claim. We will incorporate a discussion of mimicry attacks and related limitations in the revised concept section. revision: yes

Circularity Check

0 steps flagged

Design proposal with no circular derivation chain

full rationale

The paper presents a conceptual design for TOMOYO Linux as a new mandatory access control method based on application execution history and state. No equations, fitted parameters, predictions, or first-principles derivations appear in the provided text. The central claim is a design proposal rather than a quantity derived from inputs, with no self-citation chains, uniqueness theorems, or ansatzes that reduce the result to its own definitions. The method is described at a high level without any load-bearing steps that equate outputs to inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The proposal rests on the domain assumption that execution history can be used to infer application intent for access decisions. No free parameters or invented entities are visible in the abstract.

axioms (1)
  • domain assumption Access control decisions can be improved by incorporating application execution history and inferred intents rather than relying solely on subject-object identity pairs.
    Stated in the second sentence of the abstract as the motivation for the new method.

pith-pipeline@v0.9.1-grok · 5630 in / 1132 out tokens · 14684 ms · 2026-06-27T19:07:25.527614+00:00 · methodology


Reference graph

Works this paper leans on

29 extracted references

  1. David S. Peterson, Matt Bishop, and Raju Pandey. A flexible containment mechanism for executing untrusted code. In Proceedings of the 11th USENIX Security Symposium, pages 207–225, 2002.
  2. Yoshihiro Oyama. Sandbox technologies for native code. Computer Software (JSSST), 20(4):55–72, 2003. In Japanese.
  3. Ian Goldberg, David Wagner, Randi Thomas, and Eric A. Brewer. A secure environment for untrusted helper applications: Confining the wily hacker. In Proceedings of the 6th USENIX Security Symposium, 1996.
  4. Adam Barth, Collin Jackson, Charles Reis, and The Google Chrome Team. The security architecture of the Chromium browser. Technical report, Stanford University, 2008.
  5. Peter A. Loscocco, Stephen D. Smalley, Patrick A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner, and John F. Farrell. The inevitability of failure: The flawed assumption of security in modern computing environments. In Proceedings of the 21st National Information Systems Security Conference, pages 303–314, 1998.
  6. Matt Bishop. Computer Security: Art and Science. Addison-Wesley, 2003.
  7. U.S. Department of Defense. Trusted computer system evaluation criteria (TCSEC). Technical Report CSC-STD-001-83, U.S. Department of Defense, Computer Security Center, 1983.
  8. Peter Loscocco and Stephen Smalley. Integrating flexible support for security policies into the Linux operating system. In Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, pages 29–42, 2001.
  9. Peter A. Loscocco and Stephen D. Smalley. Meeting critical security objectives with security-enhanced Linux. In Proceedings of the Ottawa Linux Symposium, 2001.
  10. Stephen Smalley. Configuring the SELinux policy. Technical Report #02-007, NAI Labs, 2005.
  11. Casey Schaufler. Smack in embedded computing. In Proceedings of the Linux Symposium, pages 179–186, 2008.
  12. Crispin Cowan, Steve Beattie, Greg Kroah-Hartman, Calton Pu, Perry Wagle, and Virgil Gligor. SubDomain: Parsimonious server security. In Proceedings of the 14th USENIX Conference on System Administration (LISA), pages 355–368, 2000.
  13. Johannes Winter. Trusted computing building blocks for embedded Linux-based ARM TrustZone platforms. In Proceedings of the 3rd ACM Workshop on Scalable Trusted Computing (STC), pages 21–30, 2008.
  14. Robert N. M. Watson, Jonathan Anderson, Ben Laurie, and Kris Kennaway. Capsicum: Practical capabilities for UNIX. In Proceedings of the 19th USENIX Security Symposium, pages 29–45, 2010.
  15. Ken Wakita. Buffer overflow attacks and their countermeasures. Computer Software (JSSST), 19(1):49–63, 2002. In Japanese.
  16. Toshiharu Harada, Tetsuo Handa, and Yukio Itakura. Design and implementation of TOMOYO Linux. In Proceedings of the 21st Computer System Symposium (ComSys 2009), 2009. In Japanese.
  17. Toshiharu Harada and Tetsuo Handa. Security features of Linux (4): The limits of label-based security and its complement — the design philosophy and attempt of TOMOYO Linux. IPSJ Magazine, 51(10):1276–1283.
  18. Ravi S. Sandhu and Pierangela Samarati. Access control: Principle and practice. IEEE Communications Magazine, 32(9):40–48, 1994.
  19. Kotaro Eiraku, Yasushi Shinjo, and Kozo Itano. Design and implementation of SysGuard: A wrapper/reference monitor for system calls. IPSJ Journal, 43(6):1690–1701, 2002. In Japanese.
  20. Chris Wright, Crispin Cowan, Stephen Smalley, James Morris, and Greg Kroah-Hartman. Linux security modules: General security support for the Linux kernel. In Proceedings of the 11th USENIX Security Symposium, pages 17–31, 2002.
  21. Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein, and Charles E. Youman. Role-based access control models. IEEE Computer, 29(2):38–47, 1996.
  22. Toshiharu Harada and Takaaki Matsumoto. A method to enhance login authentication using a security-enhanced OS. Journal of Informatics, Shizuoka University, 11:93–102, 2005. In Japanese.
  23. Information-technology Promotion Agency (IPA), Security Center. Guideline: Configuration and operation of secure internet servers. Technical report, Information-technology Promotion Agency, Japan, 2003. URL http://www.ipa.go.jp/security/fy14/contents/trusted-os/guide.html. In Japanese.
  24. Larry McVoy and Carl Staelin. lmbench: Portable tools for performance analysis. In Proceedings of the USENIX 1996 Annual Technical Conference, pages 279–294, 1996.
  25. Naoto Matsuda, Kazuya Sato, Toshihiro Tabata, and Seiji Munetoh. Implementation and evaluation of a performance measurement facility for secure operating systems using LSM. IEICE Transactions on Information and Systems (Japanese Edition), Part D, J92-D(7):963–974, 2009. In Japanese.
  26. Matthias Baldauf, Schahram Dustdar, and Florian Rosenberg. A survey on context-aware systems. International Journal of Ad Hoc and Ubiquitous Computing, 2(4):263–277, 2007.
  27. Hong Linh Truong and Schahram Dustdar. A survey on context-aware web service systems. International Journal of Web Information Systems, 5(1):5–31, 2009.
  28. Kazuhisa Suzuki, Yoshimi Ichiyanagi, Koichi Mouri, and Eiji Okubo. Adaptive data protection based on context at data-access time in the privacy-aware OS Salvia. IPSJ Transactions on Advanced Computing Systems (ACS), 47(SIG 3 (ACS 13)):1–15, 2006. In Japanese.
  29. Takahiro Shinagawa. Techniques for preventing unauthorized access by operating systems. Computer Software (JSSST), 21(6):482–493, 2004. In Japanese.

Author Biographies

Toshiharu Harada: Graduated from the Department of Applied Physics, Faculty of Engineering, Hokkaido University in 1985. Joined Nippon Telegraph and Telephone Corporation (NTT) in the same y...