Hierarchy of sensitivities
Need-to-know rule
◦ Limit access
◦ Based on the job being performed
◦ Classified information is associated with compartments
Good design principles
◦ Least privilege
User, program
◦ Economy of mechanism
Design of the protection mechanism should be small and simple
◦ Open design
Security must not depend on the design being secret from potential attackers
◦ Complete mediation
Every access is checked; permission based (default condition is denial of access)
◦ Separation of privilege
Access requires more than one condition
Authentication plus a cryptographic key
Good design principles (continued)
◦ Least common mechanism
Physical or logical separation reduces the risk from sharing
◦ Ease of use
Memory is separated by user
User, data, and program libraries have controlled
User authentication
◦ Identify each user
◦ Password comparison
Memory protection
◦ Each user's program runs in its own portion of protected memory
File and I/O device access control
◦ Protect user and system files
Allocation and access control for general objects
Enforced sharing
Guaranteed fair service
Interprocess communication and synchronization
Protected operating system protection data
Identification and authentication
Trusted path
◦ Setting a password
◦ Changing access permissions
Trusted communication
Accountability and audit
◦ Maintaining a log of security-relevant events
Audit Log Reduction
Intrusion Detection
◦ Analyze audit log
◦ Identify patterns
◦ Warning
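The three intrusion-detection steps above (analyze the audit log, identify patterns, warn) and the preceding "audit log reduction" item, worked through as an added example that is not part of the original notes. The audit records, their five-field layout (timestamp event subject object outcome), the set of privileged events and the thresholds are all constructed for the demonstration and do not describe any real operating system's log format.

```python
"""Audit log reduction and simple intrusion detection (added example, not from the notes).

The audit records below are constructed for the demonstration; the field
layout (timestamp event subject object outcome) is an assumption, not the
format of any real operating system's log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: routine events plus a burst of failed logins
# and repeated access denials.
AUDIT_LOG = """\
2024-03-01T09:00:01 login alice console SUCCESS
2024-03-01T09:00:05 read alice payroll.db GRANT
2024-03-01T09:01:10 login mallory console FAIL
2024-03-01T09:01:14 login mallory console FAIL
2024-03-01T09:01:19 login mallory console FAIL
2024-03-01T09:01:23 login mallory console FAIL
2024-03-01T09:02:00 read bob payroll.db DENY
2024-03-01T09:30:00 chmod root /etc/passwd SUCCESS
2024-03-01T09:31:00 read bob payroll.db DENY
"""

PRIVILEGED_EVENTS = {"chmod"}   # constructed list of events always worth keeping


def parse(log_text: str) -> list:
    """Turn raw lines into records; a malformed line is kept as an anomaly rather than dropped."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            records.append({"ts": None, "event": "MALFORMED", "subject": "?",
                            "object": line, "outcome": "?"})
            continue
        ts, event, subject, obj, outcome = parts
        records.append({"ts": datetime.fromisoformat(ts), "event": event,
                        "subject": subject, "object": obj, "outcome": outcome})
    return records


def reduce_log(records: list) -> list:
    """Audit log reduction: keep failures, denials, privileged operations and anomalies;
    drop routine successful events so an analyst reads a fraction of the volume."""
    return [r for r in records
            if r["outcome"] in ("FAIL", "DENY")
            or r["event"] in PRIVILEGED_EVENTS
            or r["event"] == "MALFORMED"]


def detect(records: list, login_threshold: int = 3,
           window: timedelta = timedelta(minutes=1), deny_threshold: int = 2) -> list:
    """Identify patterns and raise warnings:
    - `login_threshold` failed logins by one subject inside a sliding `window`
    - `deny_threshold` access denials by one subject on one object (any time span)"""
    warnings = []
    failed_logins = defaultdict(list)     # subject -> timestamps of recent failures
    denials = defaultdict(int)            # (subject, object) -> count of denials
    for r in records:
        if r["event"] == "login" and r["outcome"] == "FAIL":
            times = failed_logins[r["subject"]]
            times.append(r["ts"])
            while times and r["ts"] - times[0] > window:
                times.pop(0)              # forget failures older than the window
            if len(times) == login_threshold:   # warn once when the threshold is reached
                warnings.append(f"{r['ts'].isoformat()} WARNING repeated login failures: "
                                f"{r['subject']} failed {login_threshold} times within {window}")
        elif r["outcome"] == "DENY":
            key = (r["subject"], r["object"])
            denials[key] += 1
            if denials[key] == deny_threshold:
                warnings.append(f"{r['ts'].isoformat()} WARNING repeated denials: "
                                f"{r['subject']} denied on {r['object']} {deny_threshold} times")
    return warnings


if __name__ == "__main__":
    recs = parse(AUDIT_LOG)
    print(f"{len(recs)} records, {len(reduce_log(recs))} after reduction")
    for w in detect(recs):
        print(w)
```

On the constructed log the reduction keeps 7 of 9 records, and the detector raises two warnings: one for mallory's third failed login inside the one-minute window, one for bob's second denial on the same object. Malformed lines are deliberately kept rather than silently discarded, since a corrupted or truncated audit record is itself a security-relevant event.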
Kernel/nucleus or core
◦ Interprocess communication
◦ Message passing
◦ Interrupt handling
Security kernel
◦ Security mechanisms of the entire operating system
◦ Control user access
◦ Control interprocess communication
Coverage
◦ Every access to a protected object must pass through the security kernel
Separation
◦ Isolating security mechanisms both from the rest of the operating system and from the user space
◦ Protect security mechanisms
Unity
◦ All security functions are performed by a single set of code
◦ Easier to trace the cause of any problems
Modifiability
◦ Changes to the security mechanisms are easier to make and easier to test
Compactness
◦ Performs only security functions; small component
Verifiability
◦ Relatively small
◦ Analyzable
Adds yet another layer of interface
Degrades system performance
Reference monitor
◦ Controls accesses to objects
◦ Tamperproof - impossible to disable
◦ Unbypassable
◦ Analyzable - small enough for analysis and testing
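A toy reference monitor, added here as an example that is not part of the original notes and does not model any real operating system, serving both the need-to-know rule (hierarchy of sensitivities plus compartments) from the start of the notes and the reference monitor properties listed just above: every access to a protected object goes through one check (complete mediation), the default decision is denial, and each decision is recorded for accountability. The level ordering, the subject and object names, and their labels are constructed for the demonstration. "Tamperproof" and "unbypassable" cannot be shown in user-level Python; they are properties the surrounding kernel and hardware must provide.

```python
"""Toy reference monitor (added example; not from the notes or any real OS).

Every access to a protected object goes through one check (complete
mediation) whose default answer is deny; a subject must hold the object's
sensitivity level AND all of its compartments (need-to-know); every decision
is written to an audit log. Names and labels below are constructed.
"""
from dataclasses import dataclass, field

# Constructed ordering of sensitivity levels: a higher number dominates a lower one.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if a subject with this label may access an object labelled `other`:
        the level is at least as high and every compartment of `other` is held."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass
class ReferenceMonitor:
    clearances: dict            # subject name -> Label
    classifications: dict       # object name -> Label
    audit_log: list = field(default_factory=list)

    def check_access(self, subject: str, obj: str, mode: str) -> bool:
        """The single mediation point. Anything not explicitly provable is denied."""
        allowed = False
        reason = "unknown subject or object"
        s = self.clearances.get(subject)
        o = self.classifications.get(obj)
        if s is not None and o is not None:
            if mode not in ("read", "write"):
                reason = f"unsupported mode {mode!r}"
            elif s.dominates(o):
                allowed, reason = True, "clearance dominates classification"
            else:
                reason = "level too low or missing compartment (need-to-know)"
        # Accountability: log the decision whether granted or denied.
        self.audit_log.append((subject, obj, mode, "GRANT" if allowed else "DENY", reason))
        return allowed


def build_demo_monitor() -> ReferenceMonitor:
    """Constructed subjects and objects for a runnable demonstration."""
    clearances = {
        "alice": Label("secret", frozenset({"crypto"})),
        "bob": Label("top secret"),            # higher level, but no compartments
    }
    classifications = {
        "keyfile": Label("secret", frozenset({"crypto"})),
        "memo": Label("confidential"),
    }
    return ReferenceMonitor(clearances, classifications)


if __name__ == "__main__":
    rm = build_demo_monitor()
    for subj, obj in [("alice", "keyfile"), ("bob", "keyfile"), ("bob", "memo"), ("carol", "memo")]:
        rm.check_access(subj, obj, "read")
    for entry in rm.audit_log:
        print(entry)
```

The point of the example is the shape of the check rather than the labels: bob's "top secret" clearance does not grant him the "crypto" keyfile because he lacks the compartment, an unknown subject such as carol is denied without any special case, and the only way to get a GRANT is to satisfy the dominance test, which keeps the code that needs verifying small.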
Trusted computing base (TCB)
◦ Everything in the trusted operating system necessary to enforce the security policy
◦ Hardware and software
Modular operating systems
◦ Security activities
◦ Other functions
◦ Gathering all security functions into the TCB destroys modularity
Security-related activities are performed in different places
The OS simulates a collection of computer resources
Virtual machine
◦ Collection of simulated hardware facilities
◦ Processor, memory, I/O (printer, logical drives)
◦ Different resources
Multiple Virtual Memory Spaces
◦ Hardware
◦ Kernel
◦ Operating system
◦ User
◦ A single logical function with several different modules in different layers