Back to Cptr427Winter2010

Designing Trusted (Secure) Operating Systems

Gernal operating systems provide:

• memory protection
• file protection
• object access control
• user authentication

We say that an operating system is trusted if we have confidence that it provides these four services consistently and effectively.

5.1 What is a Trusted System

We say that software is trusted software if we know that the code has been rigorously develped and analyzed, giving us reason to trust that the code does what it is expected to do and nothing more.

Trust is based on four characteristics:

• Functional Correctness
• Enforcement of Integrity.
• Limited privilege - privilege is limited to this program and it is not leaked or passed on to other programs.
• Appropriate confidence level. That is, the examination of the program is commencerate with the degree of trust that is required to use the program.

5.2 Security Policies

A security policy is a statement of the security we expect the system to enforce.

See military example p 246.

What is the Chinese Wall Security Policy? (p 251).

Note: All of the policies given as examples in this section provide a statement delineating the expectation of the system. These rules are often and should be declaritive in nature and specify what the results should be, not how to achieve those results.

5.3 Security Models

Everyone uses Model in some way to describe, study or analyze entities, relationships or situations. In security we model for several specific purposes:

• Test a particular security policy for completeness and consistency
• Document the policy
• Conceptualize and design an implementation
• Check that an implementation meets its requirements.

Lattice Model of Access Security

The military security model is representative of a more general scheme, called a Lattice (You should understand the Lattice structure).

The relation <<latex($\le$)>>