Projects / Umbrella


Umbrella is a security mechanism that implements a combination of Process-Based Access Control (PBAC) and authentication of binaries through Digital Signed Binaries (DSB). The scheme is designed for Linux-based consumer electronic devices ranging from mobile phones to set-top boxes. Umbrella is implemented on top of the Linux Security Modules (LSM) framework. The PBAC scheme is enforced by a set of restrictions on each process. This policy is distributed with a binary in form of execute restrictions and within the program via a "restricted fork" feature.

Operating Systems

Recent releases

  •  28 Apr 2005 13:37

    Release Notes: Umbrella is now feature complete. The key ring, a new FSR implementation, and many performance optimizations were added.

    •  16 Mar 2005 14:50

      Release Notes: Complete integration with GNU Privacy Guard to authenticate binaries was implemented. Use of hash tables for storing restrictions has been replaced by the FSR data structure, which mimics the "dentry" structs in the kernel. The Umbrella system call was eliminated and completely replaced by a /proc filesystem interface. The Umbrella code is now completely independent of all architectures and kernel subversions.

      •  23 Nov 2004 15:15

        Release Notes: Some memory allocation bugs were found in the 0.5 release. These have been corrected, and an Umbrella patched Linux 2.6.9 kernel has been tested on a working system for more than six days. The script for signing files and a small description of how to use it were added to the distribution.

        •  07 Oct 2004 18:39

          Release Notes: Now it is possible to import restrictions from signed binaries. Several memory allocation bugs have been corrected, resulting in increased stability. The code has been optimized in several places.

          •  01 Apr 2004 15:39

            Release Notes: The power of restrictions on processes has really begun to show itself. The additional restrictions feature provides flexibility, while static restrictions makes sure that performance is good. Umbrella could restrict a mailprogram from forking new processes, from accessing all of the file system, and from accessing the network. In this way, attacks from attachments or malformed email messages could be avoided smoothly.


            Project Spotlight


            A Fluent OpenStack client API for Java.


            Project Spotlight

            TurnKey TWiki Appliance

            A TWiki appliance that is easy to use and lightweight.