Trusted Operating System Design
Tom Kelliher, CS 325
Nov. 4, 2011
Status reports due Monday.
- Elements of a trusted OS.
- Security features of ordinary OSs.
- Additional security features of trusted OSs.
- Kernelized security component design.
- Other mechanisms and principles.
Assurance in trusted OSs.
- Least privilege -- minimize use of high-privilege accounts.
- Economy of mechanism -- small security kernel.
- Open design -- minimize use of ``security by obscurity;'' maximize
scrutiny by the community.
- Complete mediation -- all access should be checked.
- Permission based -- default access mode should be ``denied.'' (Unlike
- Ease of use -- invite use of security features.
None of this should be too surprising.
- User Authentication.
- Memory protection (something DOS lacked).
- File and I/O access control.
- Allocation of and access control to general objects (semaphores, pipes,
- Control of sharing.
- Fair service.
- Protection of the OS itself.
- More stringent authentication.
- Mandatory access control layered over discretionary access control.
- Object reuse protection.
This is not foolproof for disk drives.
- Complete mediation.
- Trusted path -- prevent, for example, user spoofing during login.
Windows' ``three-fingered'' salute.
- Accountability and audit -- log access and use.
- Audit log reduction. (Ala Splunk.)
- Intrusion detection -- detect differences from normal system behavior.
This goes beyond Tripwire.
- ``Kernel with a kernel.'' Performs security functions for entire OS.
- Small, localized footprint offers numerous advantages.
- Trusted computing base -- everything necessary for enforcing the security
policy. Includes hardware, security-related processes, security-related
files, memory, and IPC.
- TCB is the foundation for the rest of the OS.
- TCB monitors:
- Process activation.
- Execution domain switching (user mode to privileged mode
- Memory protection.
- I/O operation.
- Virtualization: virtual memory spaces; virtual machines.
- Layered design: a hierarchical layering from least trusted components
to most trusted components.
Thomas P. Kelliher