CPSC 6126 Computer Security

Chapter 5 – Designing Trusted Operating Systems

Designing Trusted Operating Systems

• What makes an operating system “secure”? Or “trustworthy”?
• How are trusted systems designed, and which of those design principles carry over naturally to other program development tasks?
• How do we develop “assurance” of the correctness of a trusted operating system?

Primitive security services
• Memory protection
• File protection
• General object access control
• User authentication

An OS is trusted if we have confidence that it provides these four services in a consistent and effective way.
What is a trusted system?

Secure                                      Trusted
------------------------------------------  ------------------------------------
Either-or: something either is or is not    Graded: there are degrees of
secure                                      “trustworthiness”
Property of presenter                       Property of receiver
Asserted based on product characteristics   Judged based on evidence and analysis
Absolute: not qualified as to how, where,   Relative: viewed in context of use
when, or by whom used
A goal                                      A characteristic
What is a trusted system?

• Trusted process – a process that can affect system security
• Trusted product – an evaluated and approved product
• Trusted software – the software portion of a system that can be relied upon to enforce the security policy
• Trusted computing base – the set of all protection mechanisms within a computing system that together enforce a unified security policy
• Trusted system – a system that employs sufficient hardware and software integrity measures to allow its use for processing sensitive information
Security Policies

• Security policy – a statement of the security we expect the system to enforce
• Military security policy
  • based on protecting classified information
  • information access is limited by the need-to-know rule
  • each piece of classified information carries a sensitivity rank and is associated with one or more compartments
Military Security Policy

• Class (classification) – <rank; compartments>
• Clearance – an indication that a person is trusted to access information up to a certain level of sensitivity; it has the same <rank; compartments> form as a class
• Dominance – for two classes (or a clearance and a class) s and O, O dominates s, written s ≤ O, iff
  $s \le O \iff \mathrm{rank}_s \le \mathrm{rank}_O \text{ and } \mathrm{compartments}_s \subseteq \mathrm{compartments}_O$
• A subject may access information only if the subject's clearance dominates the classification of the information, i.e.
  • the clearance level of the subject is at least as high as that of the information, and
  • the subject has a need to know about all compartments for which the information is classified.
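The dominance relation and access rule above, as an added Python example (not code from the course or its textbook). The rank names, compartment names and labels are constructed for illustration; the slide only requires that ranks be totally ordered. `may_read` is the slide's rule (the subject's clearance must dominate the object's class), and `compare` shows that dominance is only a partial order: two classes with the same rank but different compartments are incomparable.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Sensitivity ranks in increasing order. The names are an assumption for this
# example; the slide only requires that ranks be totally ordered.
RANK_ORDER = ("unclassified", "confidential", "secret", "top secret")
RANK = {name: level for level, name in enumerate(RANK_ORDER)}


@dataclass(frozen=True)
class Label:
    """A class <rank; compartments>. The same structure serves as an object's
    classification and as a subject's clearance."""
    rank: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.rank not in RANK:
            raise ValueError(f"unknown rank: {self.rank!r}")


def dominated_by(s: Label, o: Label) -> bool:
    """s <= O (O dominates s) iff rank_s <= rank_O and
    compartments_s is a subset of compartments_O."""
    return RANK[s.rank] <= RANK[o.rank] and s.compartments <= o.compartments


def may_read(clearance: Label, classification: Label) -> bool:
    """Access rule from the slide: the subject may read the information only if
    the subject's clearance dominates the information's class, i.e. the
    clearance level is at least as high and the subject has need-to-know for
    every compartment the information is classified in."""
    return dominated_by(classification, clearance)


def compare(a: Label, b: Label) -> str:
    """Dominance is a partial order: not every pair of labels is comparable."""
    a_le_b = dominated_by(a, b)
    b_le_a = dominated_by(b, a)
    if a_le_b and b_le_a:
        return "equal"
    if a_le_b:
        return "a <= b"
    if b_le_a:
        return "b <= a"
    return "incomparable"


if __name__ == "__main__":
    # Constructed labels for a demonstration run.
    analyst = Label("secret", frozenset({"crypto"}))
    memo = Label("confidential", frozenset({"crypto"}))
    joint_memo = Label("confidential", frozenset({"crypto", "nuclear"}))
    ts_note = Label("top secret", frozenset())
    for obj in (memo, joint_memo, ts_note):
        print(f"analyst may read {obj}: {may_read(analyst, obj)}")
    print(compare(Label("secret", frozenset({"crypto"})),
                  Label("secret", frozenset({"nuclear"}))))
```

The second refusal in the demo is the need-to-know half of the rule: the analyst's rank is high enough for the joint memo, but the memo is also classified in a compartment the analyst is not cleared for.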
Commercial Security Policies

• Data items at any level may have different degrees of sensitivity (public, proprietary, internal)
• No formalized notion of clearances
• No dominance function for most commercial information access
Clark-Wilson Commercial Security Policy

• Well-formed transactions – perform the steps in order, exactly as listed, and authenticate the individuals who perform each step
• Goal – maintain consistency between the internal data and the external (real-world) expectations of that data
• Constrained data items (CDIs) are processed only by transformation procedures (TPs); the policy is a set of access triples, each stating which user may run which TP on which CDIs:
  • <userID, TPi, {CDIj, CDIk, …}>
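How the access triples enforce well-formed transactions, as an added Python example (not code from the course or from the Clark-Wilson paper). The two-account ledger, the `transfer` TP, the integrity verification procedures (IVPs) and the user names are constructed for illustration. A request is honoured only when a matching <userID, TP, {CDIs}> triple exists; the TP then runs on a working copy, and the result is committed only if every IVP still holds, so a rejected transaction leaves the CDIs untouched and every attempt is logged.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Cdis = Dict[str, int]                       # constrained data items: name -> value
Triple = Tuple[str, str, FrozenSet[str]]    # <userID, TP_i, {CDI_j, CDI_k, ...}>


@dataclass
class ClarkWilsonMonitor:
    cdis: Cdis
    tps: Dict[str, Callable[[Cdis, int], None]]      # TP name -> procedure editing a working copy
    ivps: List[Callable[[Cdis], bool]]                # integrity verification procedures
    triples: Set[Triple] = field(default_factory=set)
    audit: List[str] = field(default_factory=list)    # every attempt is logged

    def certify(self, user: str, tp: str, cdis) -> None:
        """Register an access triple: user may run tp on (a subset of) these CDIs."""
        self.triples.add((user, tp, frozenset(cdis)))

    def run(self, user: str, tp: str, targets, arg: int) -> bool:
        """Attempt a well-formed transaction; True only if it was committed."""
        targets = frozenset(targets)
        # 1. Authorization: only a matching triple lets this user run this TP on these CDIs.
        if not any(u == user and t == tp and targets <= allowed
                   for (u, t, allowed) in self.triples):
            self.audit.append(f"DENY   {user} {tp} {sorted(targets)}: no access triple")
            return False
        if tp not in self.tps or not targets <= set(self.cdis):
            self.audit.append(f"DENY   {user} {tp}: unknown TP or CDI")
            return False
        # 2. Run the TP on a working copy so a rejected result never reaches the real CDIs.
        work = {name: self.cdis[name] for name in targets}
        try:
            self.tps[tp](work, arg)
        except KeyError as missing:
            self.audit.append(f"ABORT  {user} {tp}: TP needs CDI {missing} not in request")
            return False
        candidate = dict(self.cdis)
        candidate.update(work)
        # 3. Every IVP must hold on the new state, otherwise the transaction is aborted.
        if not all(ivp(candidate) for ivp in self.ivps):
            self.audit.append(f"ABORT  {user} {tp} {sorted(targets)}: IVP failed, state unchanged")
            return False
        self.cdis = candidate
        self.audit.append(f"COMMIT {user} {tp} {sorted(targets)} arg={arg}")
        return True


def transfer(work: Cdis, amount: int) -> None:
    """TP: move `amount` from acct_a to acct_b (constructed example)."""
    work["acct_a"] -= amount
    work["acct_b"] += amount


def build_ledger() -> ClarkWilsonMonitor:
    """A two-account ledger whose invariants are 'money is conserved' and
    'no overdrafts'. Initial balances are constructed for the example."""
    initial = {"acct_a": 100, "acct_b": 200}
    total = sum(initial.values())
    monitor = ClarkWilsonMonitor(
        cdis=initial,
        tps={"transfer": transfer},
        ivps=[lambda c: sum(c.values()) == total,
              lambda c: all(v >= 0 for v in c.values())],
    )
    monitor.certify("teller", "transfer", {"acct_a", "acct_b"})
    return monitor


if __name__ == "__main__":
    ledger = build_ledger()
    ledger.run("teller", "transfer", {"acct_a", "acct_b"}, 50)    # committed
    ledger.run("guest", "transfer", {"acct_a", "acct_b"}, 10)     # denied: no triple
    ledger.run("teller", "transfer", {"acct_a", "acct_b"}, 500)   # aborted: overdraft
    ledger.run("teller", "transfer", {"acct_a"}, 5)               # aborted: TP needs acct_b
    print("\n".join(ledger.audit))
    print(ledger.cdis)
```

Note that nothing in the monitor lets a user edit a CDI directly: the only path to the data is a certified TP, which is what distinguishes a CDI from unconstrained data.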
Commercial Security Policy

• Separation of duty – division of responsibilities so that no single person can complete a sensitive transaction alone (a control long used in manual systems)
• Chinese Wall Security Policy –
  • a confidentiality policy
  • objects (e.g. files)
  • company groups (all objects concerning a particular company)
  • conflict classes (clusters of competing companies)