Transcript Slide 1
Relationships Among the TCB, the OS,
the Kernel, and the Security Kernel
[Diagram labels: The Operating System (OS); The TCB; OS Kernel; Security Kernel (SK). Legend: "Supplied by an operating system (OS)"; "Optional, depends on the presence of software not supplied as part of the OS". Example elements shown: mount, biometric, short term scheduler, security audit, DBMS (or other application) access control.]
• Large portions of the TCB are usually provided by an operating system
• Whether or not the entire TCB is a subset of the operating system depends on whether or not the security architecture requires software mechanisms not provided by the OS
• Few OS's come with biometric identification/authentication software built in, for example; but if a security policy called for biometric authentication, the biometric software would assuredly be part of the TCB, no?
• The security kernel implements the reference monitor
• By definition, it is a subset of the TCB
• Beyond that, there are a lot of "it depends" to consider in analyzing its relationship to other software
• The SK would be a subset of the OS kernel if the OS could manage access control over all objects and modes at the finest level of granularity needed by the system's access control policy, but …
• … if not, additional software packages providing finer granularity access control – e.g., a data base management system – would be providing parts of the SK …
• … and might also include other TCB software that might nonetheless not be SK software
• By any reasonable definition of the OS kernel, there's a large overlap between the OS kernel and the security kernel, but precisely nailing down the relationship is complicated by the lack of any standard, technically precise definition for the OS kernel
• The software necessary to mount a disk volume is presumably part of any security kernel – a corrupted mount could compromise access control – but, since it isn't used very frequently, might not need to be continuously memory resident
• So if the OS kernel is defined as OS code "always running" (which should be better said as "always memory resident"), then the mount software would be in the security kernel but not in the OS kernel
• Whereas the short-term scheduler is almost always considered part of the OS kernel, it is surely not part of the security kernel and perhaps not even part of the TCB at all, if the TCB is construed (perhaps too narrowly?) as only MDIA (as in the old Orange Book)
• But since a corrupted short term scheduler could be a denial of service attack, perhaps it should be (considered as part of the TCB)
• And "regular" (file level) audit is probably used often enough that it might be part of the OS kernel (depending possibly on the vendor) but is not in the security kernel, although it is still within the TCB
MSJ-2
The Point?
• The essences of the four entities – the OS, the TCB, the OS
kernel, and the security kernel – are conceptually distinct, but
the boundaries and relationships can be fuzzy
• The OS kernel is probably the least well defined and seems
to vary from author to author, or, perhaps worse, from OS
vendor to OS vendor
• There’s not really a right or wrong answer here, but it’s
important to establish a well understood, common vocabulary
for any given technical conversation – beware the
undiagnosed Tower of Babel problem!
MSJ-3