Abstract: Systems and methods for enforcing mandatory access control in a message-based operating system are provided. Calls to operating system logic may be passed as messages over communication channels in a message-based operating system. A first process configured to receive a message via a communication channel in a message-based operation system may be identified. In addition, the communication channel may be identified. Further, an access rule may be identified. The access rule may be a rule to govern access to the communication channel. The access to the communication channel by the second process may be controlled based on the access rule. The access may be controlled in a kernel of a message-based operating system. The second process may be configured to execute invocation logic. The invocation logic may be executable to send the message via the communication channel.

Abstract: Systems and methods for enforcing label-based mandatory access control are provided. A first label may be assigned to a resource. An event associated with a resource may be detected. The resource may be relabeled, in response to detection of the event, from a first label to a second label in accordance with a transition rule. The transition rule may be included in a security policy. The transition rule may indicate that the resource is to be relabeled to the second label if the event is detected. Access to the resource may be controlled according to an access rule in the security policy. The access rule may be applicable to the resource based on the access rule identifying the second label assigned to the resource.

Abstract: Systems and methods for enforcing label-based mandatory access control are provided. A first label may be assigned to a resource. An event associated with a resource may be detected. The resource may be relabeled, in response to detection of the event, from a first label to a second label in accordance with a transition rule. The transition rule may be included in a security policy. The transition rule may indicate that the resource is to be relabeled to the second label if the event is detected. Access to the resource may be controlled according to an access rule in the security policy. The access rule may be applicable to the resource based on the access rule identifying the second label assigned to the resource.

Abstract: Systems and methods for enforcing mandatory access control in a message-based operating system are provided. Calls to operating system logic may be passed as messages over communication channels in a message-based operating system. A first process configured to receive a message via a communication channel in a message-based operation system may be identified. In addition, the communication channel may be identified. Further, an access rule may be identified. The access rule may be a rule to govern access to the communication channel. The access to the communication channel by the second process may be controlled based on the access rule. The access may be controlled in a kernel of a message-based operating system. The second process may be configured to execute invocation logic. The invocation logic may be executable to send the message via the communication channel.