
Trusted Operating Systems

• Primary security provider
• Providing other services
• Targeted for attacks
• Services
  ◦ Memory protection
  ◦ File protection
  ◦ General object access control
  ◦ User authentication
• Consistent
• Effective
• Functional correctness
• Enforcement of integrity
• Limited privilege
• Appropriate confidence level
• Statement of the security provided by the system
• A plan
  ◦ What is to be secured
  ◦ Why
  ◦ How
• Each piece of information is ranked

Hierarchy of Sensitivities.
• Need-to-know rule
  ◦ Limit access
  ◦ Based on the job being performed
  ◦ Classified information is associated with compartments
• Good design principles
  ◦ Least privilege
    ▪ Applies to users and programs
  ◦ Economy of mechanism
    ▪ The design of the protection mechanism should be small and simple
  ◦ Open design
    ▪ The design should not depend on being hidden from potential attackers
  ◦ Complete mediation
    ▪ Permission based (the default condition is denial of access)
  ◦ Separation of privilege
    ▪ More than one condition must be satisfied
    ▪ Authentication plus a cryptographic key
  ◦ Least common mechanism
    ▪ Physical or logical separation reduces the risk from sharing
  ◦ Ease of use
• Memory is separated by user
• Users, data, and program libraries have controlled
• User authentication
  ◦ Identify each user
  ◦ Password comparison
• Memory protection
  ◦ A user's program runs in a portion of protected memory
• File and I/O device access control
  ◦ Protect user and system files
• Allocation and access control to general objects
• Enforced sharing
• Guaranteed fair service
• Interprocess communication and synchronization
• Protected operating system protection data
• Identification and Authentication

• Mandatory and Discretionary Access Control

• Mandatory access control (MAC)
  ◦ Policy decisions are made beyond the control of the object's owner
  ◦ A central authority determines access
  ◦ Users cannot change access rights
• Discretionary access control (DAC)
  ◦ The object's owner, or any authorized user, controls access to the object
• Object Reuse Protection
  ◦ Reusing objects is efficient
  ◦ Control reuse of an object by another user
  ◦ The OS clears or overwrites an object's reassigned space before the second user receives it

• Trusted Path
  ◦ Setting a password
  ◦ Changing access permissions
  ◦ Trusted communication
• Accountability and Audit
  ◦ Maintaining a log of security-relevant events
• Audit Log Reduction
• Intrusion Detection
  ◦ Analyze the audit log
  ◦ Identify patterns
  ◦ Issue a warning
• Kernel/nucleus or core
  ◦ Interprocess communication
  ◦ Message passing
  ◦ Interrupt handling
• Security kernel
  ◦ Security mechanisms of the entire operating system
  ◦ Control user access
  ◦ Control interprocess communication
• Coverage
  ◦ Every access to a protected object must pass through the security kernel
• Separation
  ◦ Isolating the security mechanisms both from the rest of the operating system and from user space
  ◦ Protects the security mechanisms
• Unity
  ◦ All security functions are performed by a single set of code
  ◦ Easier to trace the cause of any problem
• Modifiability
  ◦ Changes to the security mechanisms are easier to make and easier to test
• Compactness
  ◦ Performs only security functions; a small component
• Verifiability
  ◦ Relatively small
  ◦ Analyzable
• Adds yet another layer of interface
• Degrades system performance
• Reference monitor
  ◦ Controls accesses to objects
  ◦ Tamperproof: impossible to disable
  ◦ Unbypassable
  ◦ Analyzable: small enough for analysis and testing
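The following is an added example, not part of these slides: a toy reference monitor in Python that ties together the ideas above. Every access passes through one check that denies by default (complete mediation), a mandatory rule is applied first (the subject's clearance rank must be at least the object's rank and cover all of its need-to-know compartments), then the owner's discretionary ACL, and every decision is written to an audit log that a simple reduction step scans for repeated denials. The ranks, compartments, subjects and objects are constructed sample data.

```python
from collections import Counter

# Hierarchy of sensitivities (constructed ordering; a higher number is more sensitive)
RANK = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

def dominates(clearance, label):
    """MAC rule: subject level >= object level AND subject compartments cover the object's."""
    lvl_s, comps_s = clearance
    lvl_o, comps_o = label
    return RANK[lvl_s] >= RANK[lvl_o] and set(comps_s) >= set(comps_o)

class ReferenceMonitor:
    def __init__(self, clearances, objects):
        self.clearances = clearances  # subject -> (level, compartments), set by the central authority
        self.objects = objects        # name -> {"label", "owner", "acl"}
        self.audit = []               # every decision, permitted or denied

    def access(self, subject, obj_name, op):
        obj = self.objects.get(obj_name)
        clr = self.clearances.get(subject)
        if obj is None or clr is None:
            verdict = (False, "unknown subject or object")
        elif not dominates(clr, obj["label"]):
            verdict = (False, "MAC: clearance does not dominate label")
        elif subject != obj["owner"] and op not in obj["acl"].get(subject, ()):
            verdict = (False, "DAC: owner has not granted " + op)
        else:
            verdict = (True, "permitted")
        self.audit.append((subject, obj_name, op) + verdict)  # (subject, object, op, ok, reason)
        return verdict[0]

def suspicious_subjects(audit, threshold):
    """Audit log reduction: subjects whose denied accesses reach the threshold."""
    denials = Counter(rec[0] for rec in audit if not rec[3])
    return sorted(s for s, n in denials.items() if n >= threshold)

# Constructed sample data: clearances fixed centrally (MAC), ACLs granted by owners (DAC)
CLEARANCES = {"alice": ("secret", {"crypto"}), "bob": ("confidential", set())}
OBJECTS = {
    "keyplan": {"label": ("secret", {"crypto"}), "owner": "alice", "acl": {}},
    "memo": {"label": ("confidential", set()), "owner": "bob", "acl": {"alice": ("read",)}},
}

if __name__ == "__main__":
    rm = ReferenceMonitor(CLEARANCES, OBJECTS)
    for s, o, op in [("alice", "memo", "read"), ("bob", "keyplan", "read"),
                     ("alice", "memo", "write"), ("bob", "keyplan", "write")]:
        print(f"{s} {op} {o}: {rm.access(s, o, op)}")
    print("flagged:", suspicious_subjects(rm.audit, 2))
```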
• Everything in the trusted operating system necessary to enforce the security policy
  ◦ Hardware and software
• Modular operating systems
  ◦ Security activities
  ◦ Other functions
  ◦ Gathering all security functions into the TCB destroys modularity
• Security-related activities are performed in different places
• The OS simulates a collection of computer resources
• Virtual machine
  ◦ Collection of simulated hardware facilities
  ◦ Processor, memory, I/O (printer, logical drives)
  ◦ Different resources
• Multiple Virtual Memory Spaces
  ◦ Hardware
  ◦ Kernel
  ◦ Operating system
  ◦ User
  ◦ A single logical function with several different modules in different layers
