Back to Cptr427Winter2010

Designing Trusted (Secure) Operating Systems

Gernal operating systems provide:

We say that an operating system is trusted if we have confidence that it provides these four services consistently and effectively.

5.1 What is a Trusted System

We say that software is trusted software if we know that the code has been rigorously develped and analyzed, giving us reason to trust that the code does what it is expected to do and nothing more.

Trust is based on four characteristics:

5.2 Security Policies

A security policy is a statement of the security we expect the system to enforce.

See military example p 246.

What is the Chinese Wall Security Policy? (p 251).

Note: All of the policies given as examples in this section provide a statement delineating the expectation of the system. These rules are often and should be declaritive in nature and specify what the results should be, not how to achieve those results.

5.3 Security Models

Everyone uses Model in some way to describe, study or analyze entities, relationships or situations. In security we model for several specific purposes:

Lattice Model of Access Security

The military security model is representative of a more general scheme, called a Lattice (You should understand the Lattice structure).

Bell-La Padula Confidentiality Model

The Bell and La Padula model is a forma description of the allowable paths of information flow in a secure system. The model's goal is to identify allowable communication when maintaining secrecy is important.

Consider the following example:

Let $$S$$ be a set of subjects and $$O$$ be a set of objects. Each $$s \in S$$ and $$o \in O$$ has a fixed security class $$C(s)$$ and $$C(o)$$ denoting clearance and classification level. The security classes are ordered by a relation $$\le$$. (Note: The classes may form a lattice, even though the Bell-La Padula model can apply to posets)

Two properties characterize the secure flow of information.

Simple Security Property. A subject $$s$$ may have read access to an object $$o$$ only if $$C(o) \le C(s)$$.

*-Property (called the "star property"). A subject $$s$$ who has read access to an object $$o$$ may have write access to an object $$p$$ only if $$C(o) \le C(p)$$.

Example Applying the first property to the military classification model we could state that the subject (or person) must posses as high or higher a clearance than the object they access. The second property applied to a the military classification model could $$m$$

5.4 Trusted Operating System Design

Security Features of an ordinary OS

Additional features of a Trusted OS

Kernelized Design

The kernel is the part of the operating system that performs the lowest-level functions. A security kernel is responsible for enforcing the security mechanisms of the entire OS.

  1. Reference monitor (Figure 5-12 p. 275) is that portion of the kernel that controls accesses to objects.
    1. tamper proof
    2. cannot bypass
    3. analyzable
  2. Trusted Computing Base (TCB) is the name we give to anything in the trusted system necessary to enforce the security policy. See Figure 5-13/14 p 277-8 and 5-14 p 278.

We are not covering Virtualization.

One may also consider the layered approach. Layering function to build a complex system occurs frequently and some even consider it absolutely necessary. See Figure 5-20 p284 and Table 5-4 p 286.

5.5 Assurance in Trusted Operating Systems

Assurance is the art of convincing someone (for the first time) that your program or OS should be trusted. Mostly what we have today is reassurance. We start with Assurance Methods.

SecureComputingChapter05 (last edited 2020-01-26 22:50:35 by scot)