|
⇤ ← Revision 1 as of 2010-02-02 18:19:32
Size: 84
Comment:
|
Size: 2114
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 4: | Line 4: |
= Designing Trusted (Secure) Operating Systems = Gernal operating systems provide: * memory protection * file protection * object access control * user authentication We say that an operating system is '''trusted''' if we have confidence that it provides these four services consistently and effectively. == 5.1 What is a Trusted System == We say that software is trusted software if we know that the code has been rigorously develped and analyzed, giving us reason to '''trust''' that the code ''does what it is expected to do and nothing more.'' Trust is based on four characteristics: * Functional Correctness * Enforcement of Integrity. * Limited privilege - privilege is limited to this program and it is not leaked or passed on to other programs. * Appropriate confidence level. That is, the examination of the program is commencerate with the degree of trust that is required to use the program. == 5.2 Security Policies == A '''security policy''' is a statement of the security we expect the system to enforce. See military example p 246. What is the Chinese Wall Security Policy? (p 251). Note: All of the policies given as examples in this section provide a '''statement''' delineating the expectation of the system. These rules are often and should be declaritive in nature and specify what the results should be, not how to achieve those results. == 5.3 Security Models == Everyone uses Model in some way to describe, study or analyze entities, relationships or situations. In security we model for several specific purposes: * Test a particular security policy for completeness and consistency * Document the policy * Conceptualize and design an implementation * Check that an implementation meets its requirements. === Lattice Model of Access Security === The military security model is representative of a more general scheme, called a [[Lattice]] (You should understand the [[Lattice]] structure). The relation <<latex($\le$$)>> |
Back to Cptr427Winter2010
Designing Trusted (Secure) Operating Systems
Gernal operating systems provide:
- memory protection
- file protection
- object access control
- user authentication
We say that an operating system is trusted if we have confidence that it provides these four services consistently and effectively.
5.1 What is a Trusted System
We say that software is trusted software if we know that the code has been rigorously develped and analyzed, giving us reason to trust that the code does what it is expected to do and nothing more.
Trust is based on four characteristics:
- Functional Correctness
- Enforcement of Integrity.
- Limited privilege - privilege is limited to this program and it is not leaked or passed on to other programs.
- Appropriate confidence level. That is, the examination of the program is commencerate with the degree of trust that is required to use the program.
5.2 Security Policies
A security policy is a statement of the security we expect the system to enforce.
See military example p 246.
What is the Chinese Wall Security Policy? (p 251).
Note: All of the policies given as examples in this section provide a statement delineating the expectation of the system. These rules are often and should be declaritive in nature and specify what the results should be, not how to achieve those results.
5.3 Security Models
Everyone uses Model in some way to describe, study or analyze entities, relationships or situations. In security we model for several specific purposes:
- Test a particular security policy for completeness and consistency
- Document the policy
- Conceptualize and design an implementation
- Check that an implementation meets its requirements.
Lattice Model of Access Security
The military security model is representative of a more general scheme, called a Lattice (You should understand the Lattice structure).
The relation <<latex($\le$$)>>