SCOMP KERNEL INTERFACE PACKAGE
6.3 GEMINI SECURE OPERATING SYSTEM
Another security kernel system that emerged in the 1980s was Gemini Corporation’s Standard Operating Systems GEMSOS 3 [ 290 ]. The Gemini company was founded in 1981 with the aim of developing a family of high-assurance systems for multilevel secure environments. Gemini aimed to build its security kernel GEMSOS from scratch, but unlike Honeywell’s Scomp system, implement it to run on the available commercial hardware, the Intel x86 architecture.The GEMSOS kernel and some systems based on the kernel were assured at TCSEC A1 level [ 109 , 306 ], as Scomp was. Importantly, GEMSOS is still an active product, supported by the Aesec Corporation [ 5 ]. As the GEMSOS architecture has significant similarities to Scomp, we provide a higher-level description of its design, highlighting the similarities and key differences. Architecture The GEMSOS system architecture is shown in Figure 6.3. Like Scomp, GEMSOS consists of a security kernel and trusted software, but GEMSOS provides 8 protection rings, as does Multics. Since the x86 hardware only supports 4 rings, the security kernel runs in ring 0 and the trusted software in ring 1. The overall approach to security is derived from Multics as well, so secrecy protection is based on multilevel security labels and integrity is implemented by ring brackets. GEMSOS does not define a kernel interface package, as Scomp does, but it does provide a library to make invoking the kernel gates easier, like the SKIP library. GEMSOS user-level processes i.e., nonkernel code access the security kernel using a Kernel Gate Library KGL. This code runs outside the kernel, but because it may be used in user-level software that is part of trusted computing base, the KGL also is trusted code. This differs from the SKIP library which is not used in trusted software. Security Kernel The GEMSOS security kernel design consists of a layered set of kernel functionality, shown in Figure 6.4.This design was influenced by a number of ideas, including the layering approach of Reed [ 253 ] and the information hiding approach of Parnas [ 241 ]. The result is that each layer is dependent only on the layers below them, and the state of each layer is only accessible via well-defined interfaces. The GEMSOS security kernel is constructed from a base of generic functions to provide typical kernel services including memory, IO, and process management, in addition to reference monitoring. The lowest four layers provide generic functions for accessing the hardware, switching execution contexts, and interrupt handling among others. The Kernel Device Layer then provides 3 GEMSOS may alternatively be called GSOS by some.6.3. GEMINI SECURE OPERATING SYSTEM 87
Ring 7 Hardware e.g., Intel x86 Ring 2 Ring 1 Ring 0 GEMSOS Security Kernel Kernel Gate Library System-Specific Trusted Code Applications GEMSOS Ring Processor Ring Ring 0 Ring 1 Ring 3 Figure 6.3: GEMSOS consists of a security kernel, gate library, and a layer of trusted software that is dependent on the deployed system. GEMSOS uses a software-based ring mechanism to simulate 8 protection rings. other kernel layers with access to kernel-internal drivers. The Non-discretionary Access Control Layer implements the system reference monitor which enforces policies written in the Multics mul- tilevel security model, see Chapter 3. The Secondary Storage Manager Layer provides the physical file system for GEMSOS user processes. Next comes the Internal Device Manager which provides the interface to device drivers. The Memory Manager Layer builds memory segments for kernel and user processes. The Upper Traffic Controller Layer provides support for multiprocessing using the concept of virtual processors. The top four layers, the Segment Manager Layer, the Upper Device Manager Layer, the Process Manager, and the Gate Layer all manage per-process resources: memory, IO concurrency, processes, and system invocation, respectively. The GEMSOS kernel architecture provides many of the services of ordinary kernels. But, the use of commercial hardware presented challenges to the designers. Because the x86 processor lacks the memory and device mediation of Scomp’s Security Protection Module SPM, deviceParts
» SECURE OPERATING SYSTEMS 3 Operating Systerm Security
» SECURE OPERATING SYSTEMS Operating Systerm Security
» SECURITY GOALS Operating Systerm Security
» SECURITY GOALS 5 Operating Systerm Security
» TRUST MODEL Operating Systerm Security
» THREAT MODEL 7 Operating Systerm Security
» THREAT MODEL Operating Systerm Security
» SUMMARY Operating Systerm Security
» MANDATORY PROTECTION SYSTEMS PROTECTION SYSTEM 11
» PROTECTION SYSTEM 13 Operating Systerm Security
» REFERENCE MONITOR Operating Systerm Security
» REFERENCE MONITOR 15 Operating Systerm Security
» SECURE OPERATING SYSTEM DEFINITION
» SECURE OPERATING SYSTEM DEFINITION 17
» ASSESSMENT CRITERIA 19 ASSESSMENT CRITERIA
» SUMMARY 21 Operating Systerm Security
» MULTICS HISTORY THE MULTICS SYSTEM
» MULTICS FUNDAMENTALS THE MULTICS SYSTEM 25
» MULTICS SECURITY FUNDAMENTALS THE MULTICS SYSTEM 25
» MULTICS PROTECTION SYSTEM MODELS
» MULTICS PROTECTION SYSTEM THE MULTICS SYSTEM 29
» MULTICS REFERENCE MONITOR THE MULTICS SYSTEM 31
» MULTICS SECURITY 33 Operating Systerm Security
» MULTICS SECURITY Operating Systerm Security
» MULTICS SECURITY 35 Operating Systerm Security
» MULTICS VULNERABILITY ANALYSIS Operating Systerm Security
» SUMMARY 37 Operating Systerm Security
» UNIX HISTORY SYSTEM HISTORIES
» WINDOWS HISTORY SYSTEM HISTORIES
» UNIX SECURITY 41 Operating Systerm Security
» UNIX PROTECTION SYSTEM UNIX SECURITY
» UNIX AUTHORIZATION UNIX SECURITY 43
» Complete Mediation: How does the reference monitor interface ensure that all security-
» Complete Mediation: Does the reference monitor interface mediate security-sensitive oper-
» Complete Mediation: How do we verify that the reference monitor interface provides com-
» Tamperproof: How does the system protect the reference monitor, including its protection
» Tamperproof: Does the system’s protection system protect the trusted computing base pro-
» UNIX VULNERABILITIES UNIX SECURITY 47
» WINDOWS SECURITY 49 Operating Systerm Security
» WINDOWS PROTECTION SYSTEM WINDOWS SECURITY
» WINDOWS AUTHORIZATION WINDOWS SECURITY 51
» Verifiable: What is basis for the correctness of the system’s trusted computing base?
» WINDOWS VULNERABILITIES WINDOWS SECURITY 55
» INFORMATION FLOW Operating Systerm Security
» INFORMATION FLOW SECRECY MODELS 59
» INFORMATION FLOW SECRECY MODELS
» BELL-LAPADULA MODEL INFORMATION FLOW SECRECY MODELS 61
» INFORMATION FLOW SECRECY MODELS 63
» INFORMATION FLOW INTEGRITY MODELS
» BIBA INTEGRITY MODEL INFORMATION FLOW INTEGRITY MODELS 65
» LOW-WATER MARK INTEGRITY INFORMATION FLOW INTEGRITY MODELS 67
» CLARK-WILSON INTEGRITY INFORMATION FLOW INTEGRITY MODELS 67
» THE CHALLENGE OF TRUSTED PROCESSES
» COVERT CHANNELS Operating Systerm Security
» CHANNEL TYPES COVERT CHANNELS 71
» SUMMARY 73 Operating Systerm Security
» THE SECURITY KERNEL Operating Systerm Security
» SECURE COMMUNICATIONS PROCESSOR 77 Operating Systerm Security
» SCOMP ARCHITECTURE SECURE COMMUNICATIONS PROCESSOR
» SCOMP HARDWARE SECURE COMMUNICATIONS PROCESSOR 79
» SCOMP TRUSTED OPERATING PROGRAM
» SCOMP KERNEL INTERFACE PACKAGE
» SECURE COMMUNICATIONS PROCESSOR 85 Operating Systerm Security
» GEMINI SECURE OPERATING SYSTEM
» GEMINI SECURE OPERATING SYSTEM 87
» SUMMARY 89 Operating Systerm Security
» RETROFITTING SECURITY INTO A COMMERCIAL OS
» HISTORY OF RETROFITTING COMMERCIAL OS’S 93
» HISTORY OF RETROFITTING COMMERCIAL OS’S COMMERCIAL ERA
» MICROKERNEL ERA 95 Operating Systerm Security
» MICROKERNEL ERA Operating Systerm Security
» UNIX ERA 97 Operating Systerm Security
» RECENT UNIX SYSTEMS UNIX ERA 99
» SUMMARY 101 Operating Systerm Security
» TRUSTED EXTENSIONS ACCESS CONTROL
» SOLARIS COMPATIBILITY 105 Operating Systerm Security
» SOLARIS COMPATIBILITY Operating Systerm Security
» TRUSTED EXTENSIONS MEDIATION Operating Systerm Security
» TRUSTED EXTENSIONS MEDIATION 107 Operating Systerm Security
» PROCESS RIGHTS MANAGEMENT PRIVILEGES
» PRIVILEGE BRACKETING AND RELINQUISHING
» CONTROLLING PRIVILEGE ESCALATION PROCESS RIGHTS MANAGEMENT PRIVILEGES 111
» ASSIGNED PRIVILEGES AND SAFEGUARDS
» RBAC AUTHORIZATIONS ROLE-BASED ACCESS CONTROL RBAC
» CONVERTING THE SUPERUSER TO A ROLE
» TRUSTED EXTENSIONS NETWORKING 115 Operating Systerm Security
» TRUSTED EXTENSIONS NETWORKING Operating Systerm Security
» TRUSTED EXTENSIONS MULTILEVEL SERVICES TRUSTED EXTENSIONS MULTILEVEL SERVICES 117
» TRUSTED EXTENSIONS ADMINISTRATION Operating Systerm Security
» SUMMARY 119 Operating Systerm Security
» LSM HISTORY LINUX SECURITY MODULES
» LSM IMPLEMENTATION LINUX SECURITY MODULES 123
» LINUX SECURITY MODULES 125 Operating Systerm Security
» SELINUX REFERENCE MONITOR SECURITY-ENHANCED LINUX
» SECURITY-ENHANCED LINUX 127 Operating Systerm Security
» SELINUX PROTECTION STATE SECURITY-ENHANCED LINUX 129
» SELINUX LABELING STATE SECURITY-ENHANCED LINUX 131
» SELINUX TRANSITION STATE SECURITY-ENHANCED LINUX 133
» SELINUX TRUSTED PROGRAMS SECURITY-ENHANCED LINUX 135
» SUMMARY 139 Operating Systerm Security
» CAPABILITY SYSTEM FUNDAMENTALS Operating Systerm Security
» CAPABILITY SECURITY Operating Systerm Security
» CHALLENGES IN SECURE CAPABILITY SYSTEMS 143
» CAPABILITIES AND THE ⋆-PROPERTY
» CAPABILITIES AND CONFINEMENT CHALLENGES IN SECURE CAPABILITY SYSTEMS
» CAPABILITIES AND POLICY CHANGES
» ENFORCING THE ⋆-PROPERTY BUILDING SECURE CAPABILITY SYSTEMS
» ENFORCING CONFINEMENT BUILDING SECURE CAPABILITY SYSTEMS 147
» REVOKING CAPABILITIES BUILDING SECURE CAPABILITY SYSTEMS 149
» SUMMARY 151 SUMMARY Operating Systerm Security
» SEPARATION KERNELS 155 SEPARATION KERNELS
» VAX VMM DESIGN VAX VMM SECURITY KERNEL
» SECURITY IN OTHER VIRTUAL MACHINE SYSTEMS 163
» SECURITY IN OTHER VIRTUAL MACHINE SYSTEMS
» SECURITY IN OTHER VIRTUAL MACHINE SYSTEMS 165
» SUMMARY 167 Operating Systerm Security
» ORANGE BOOK Operating Systerm Security
» ORANGE BOOK 171 Operating Systerm Security
» COMMON CRITERIA CONCEPTS COMMON CRITERIA
Show more