GEMINI SECURE OPERATING SYSTEM
6.4. SUMMARY 89
Trusted Software GEMSOS also provides a set of trusted software running outside the security kernel. The functions of the GEMSOS trusted software are similar to those provided by Scomp trusted software. For example, there are trusted software services for system administration. Applications GEMSOS differs from Scomp in the number and variety of applications in which it was deployed. GEMSOS was commonly applied as a platform for securely connecting networked high security systems and isolating them from low security systems in the same network [ 242 ]. Also, GEMSOS was applied as a guard for an office software suite. The most significant applications of GEMSOS were for network control. First, GEMSOS was the basis for the multilevel secure system called BLACKER [ 330 ]. BLACKER provided an A1-assured component for key distribution and secure communication to protect high secrecy data in transit between high secrecy networks. BLACKER consists of a set of encryption devices that enable the isolation of a high secrecy network from the rest of the Internet. Originally, different processors were used to handle the ciphertext the black side and the plaintext the red side. Of course, it is important that ciphertext not leak the contents of plaintext, but if the ciphertext is created on a system with a Trojan horse, this cannot be guaranteed. Second, GEMSOS was later applied to the general notion of a Trusted Network Processor TNP [ 306 ]. A TNP hosts one or more applications that require multilevel security enforcement. The applications themselves run on virtual processors in a multiprocessor system potentially, but they are ignorant of multilevel security. The labeling of virtual processors and data and the enforce- ment of multilevel security are performed by the TNP component that mediates all communication on the multiprocessor bus. A POSIX interface was developed for the GEMSOS system as well, although historically GEMSOS was applied to dedicated or embedded applications.6.4 SUMMARY
The secure operating systems that followed the Multics system focused on the key limitations of Multics: performance and verifiability. The idea of a security kernel, a small kernel with minimal code in its trusted computing base, addressed both of these problems. First, the design of security kernel was customized to address performance bottlenecks, even by adding security function in hardware, such as Scomp’s Security Protection Module. Second, the small size of the security kernels also motivated the development of system assurance methodologies to verify that these systems correctly implemented a secure operating system see Definition 2.5. Multics was too large and complex to be verified, but both Scomp and GEMSOS were of manageable complexity such that the verification tools of the day, plus some manual effort, were sufficient to justify the correctness of these implementations. Such efforts led to the development of the assurance methodologies that we use today, see Chapter 12. 90 CHAPTER 6. SECURITY KERNELS Security kernels are general purpose systems. The design of Scomp provides similar system function to UNIX systems of the day, and GEMSOS is a full kernel. Nonetheless, security kernels became niche systems. The performance, flexibility, and applications in UNIX systems and, later, Windows systems limited the market of security kernels to specialized, high security applications, such as guards. Further, the need to balance assurance and function became difficult for these security kernels. Maintaining the assurance of the kernel given the vast number of drivers that are developed, including some which are quite buggy, is very difficult. Scomp did not depend on drivers in the kernel, but it did depend on hardware features that were not available on common processors. The need identified by security kernels has continued to exist. Scomp was succeeded by the XTS-300 and XTS-400 systems, now distributed by BAE [ 22 ]. GEMSOS is still available today from Aesec [ 5 ]. There have been other security kernel systems, including Boeing’s secure LAN [ 298 ], Secure Computing Corp.’s LOCK system [ 293 ], and KSOS [ 198 ]. Also, the separation kernel systems see Chapter 11 aim for a minimal, assured trusted computing base for deploying applications, and this architecture is also used frequently. As a result, it appears that the development of a minimal platform necessary to deploy the desired software is still the preferred option for security practitioners, although as we will see in next chapters, secure system alternatives that already support the desired applications becoming more popular and more secure.Parts
» SECURE OPERATING SYSTEMS 3 Operating Systerm Security
» SECURE OPERATING SYSTEMS Operating Systerm Security
» SECURITY GOALS Operating Systerm Security
» SECURITY GOALS 5 Operating Systerm Security
» TRUST MODEL Operating Systerm Security
» THREAT MODEL 7 Operating Systerm Security
» THREAT MODEL Operating Systerm Security
» SUMMARY Operating Systerm Security
» MANDATORY PROTECTION SYSTEMS PROTECTION SYSTEM 11
» PROTECTION SYSTEM 13 Operating Systerm Security
» REFERENCE MONITOR Operating Systerm Security
» REFERENCE MONITOR 15 Operating Systerm Security
» SECURE OPERATING SYSTEM DEFINITION
» SECURE OPERATING SYSTEM DEFINITION 17
» ASSESSMENT CRITERIA 19 ASSESSMENT CRITERIA
» SUMMARY 21 Operating Systerm Security
» MULTICS HISTORY THE MULTICS SYSTEM
» MULTICS FUNDAMENTALS THE MULTICS SYSTEM 25
» MULTICS SECURITY FUNDAMENTALS THE MULTICS SYSTEM 25
» MULTICS PROTECTION SYSTEM MODELS
» MULTICS PROTECTION SYSTEM THE MULTICS SYSTEM 29
» MULTICS REFERENCE MONITOR THE MULTICS SYSTEM 31
» MULTICS SECURITY 33 Operating Systerm Security
» MULTICS SECURITY Operating Systerm Security
» MULTICS SECURITY 35 Operating Systerm Security
» MULTICS VULNERABILITY ANALYSIS Operating Systerm Security
» SUMMARY 37 Operating Systerm Security
» UNIX HISTORY SYSTEM HISTORIES
» WINDOWS HISTORY SYSTEM HISTORIES
» UNIX SECURITY 41 Operating Systerm Security
» UNIX PROTECTION SYSTEM UNIX SECURITY
» UNIX AUTHORIZATION UNIX SECURITY 43
» Complete Mediation: How does the reference monitor interface ensure that all security-
» Complete Mediation: Does the reference monitor interface mediate security-sensitive oper-
» Complete Mediation: How do we verify that the reference monitor interface provides com-
» Tamperproof: How does the system protect the reference monitor, including its protection
» Tamperproof: Does the system’s protection system protect the trusted computing base pro-
» UNIX VULNERABILITIES UNIX SECURITY 47
» WINDOWS SECURITY 49 Operating Systerm Security
» WINDOWS PROTECTION SYSTEM WINDOWS SECURITY
» WINDOWS AUTHORIZATION WINDOWS SECURITY 51
» Verifiable: What is basis for the correctness of the system’s trusted computing base?
» WINDOWS VULNERABILITIES WINDOWS SECURITY 55
» INFORMATION FLOW Operating Systerm Security
» INFORMATION FLOW SECRECY MODELS 59
» INFORMATION FLOW SECRECY MODELS
» BELL-LAPADULA MODEL INFORMATION FLOW SECRECY MODELS 61
» INFORMATION FLOW SECRECY MODELS 63
» INFORMATION FLOW INTEGRITY MODELS
» BIBA INTEGRITY MODEL INFORMATION FLOW INTEGRITY MODELS 65
» LOW-WATER MARK INTEGRITY INFORMATION FLOW INTEGRITY MODELS 67
» CLARK-WILSON INTEGRITY INFORMATION FLOW INTEGRITY MODELS 67
» THE CHALLENGE OF TRUSTED PROCESSES
» COVERT CHANNELS Operating Systerm Security
» CHANNEL TYPES COVERT CHANNELS 71
» SUMMARY 73 Operating Systerm Security
» THE SECURITY KERNEL Operating Systerm Security
» SECURE COMMUNICATIONS PROCESSOR 77 Operating Systerm Security
» SCOMP ARCHITECTURE SECURE COMMUNICATIONS PROCESSOR
» SCOMP HARDWARE SECURE COMMUNICATIONS PROCESSOR 79
» SCOMP TRUSTED OPERATING PROGRAM
» SCOMP KERNEL INTERFACE PACKAGE
» SECURE COMMUNICATIONS PROCESSOR 85 Operating Systerm Security
» GEMINI SECURE OPERATING SYSTEM
» GEMINI SECURE OPERATING SYSTEM 87
» SUMMARY 89 Operating Systerm Security
» RETROFITTING SECURITY INTO A COMMERCIAL OS
» HISTORY OF RETROFITTING COMMERCIAL OS’S 93
» HISTORY OF RETROFITTING COMMERCIAL OS’S COMMERCIAL ERA
» MICROKERNEL ERA 95 Operating Systerm Security
» MICROKERNEL ERA Operating Systerm Security
» UNIX ERA 97 Operating Systerm Security
» RECENT UNIX SYSTEMS UNIX ERA 99
» SUMMARY 101 Operating Systerm Security
» TRUSTED EXTENSIONS ACCESS CONTROL
» SOLARIS COMPATIBILITY 105 Operating Systerm Security
» SOLARIS COMPATIBILITY Operating Systerm Security
» TRUSTED EXTENSIONS MEDIATION Operating Systerm Security
» TRUSTED EXTENSIONS MEDIATION 107 Operating Systerm Security
» PROCESS RIGHTS MANAGEMENT PRIVILEGES
» PRIVILEGE BRACKETING AND RELINQUISHING
» CONTROLLING PRIVILEGE ESCALATION PROCESS RIGHTS MANAGEMENT PRIVILEGES 111
» ASSIGNED PRIVILEGES AND SAFEGUARDS
» RBAC AUTHORIZATIONS ROLE-BASED ACCESS CONTROL RBAC
» CONVERTING THE SUPERUSER TO A ROLE
» TRUSTED EXTENSIONS NETWORKING 115 Operating Systerm Security
» TRUSTED EXTENSIONS NETWORKING Operating Systerm Security
» TRUSTED EXTENSIONS MULTILEVEL SERVICES TRUSTED EXTENSIONS MULTILEVEL SERVICES 117
» TRUSTED EXTENSIONS ADMINISTRATION Operating Systerm Security
» SUMMARY 119 Operating Systerm Security
» LSM HISTORY LINUX SECURITY MODULES
» LSM IMPLEMENTATION LINUX SECURITY MODULES 123
» LINUX SECURITY MODULES 125 Operating Systerm Security
» SELINUX REFERENCE MONITOR SECURITY-ENHANCED LINUX
» SECURITY-ENHANCED LINUX 127 Operating Systerm Security
» SELINUX PROTECTION STATE SECURITY-ENHANCED LINUX 129
» SELINUX LABELING STATE SECURITY-ENHANCED LINUX 131
» SELINUX TRANSITION STATE SECURITY-ENHANCED LINUX 133
» SELINUX TRUSTED PROGRAMS SECURITY-ENHANCED LINUX 135
» SUMMARY 139 Operating Systerm Security
» CAPABILITY SYSTEM FUNDAMENTALS Operating Systerm Security
» CAPABILITY SECURITY Operating Systerm Security
» CHALLENGES IN SECURE CAPABILITY SYSTEMS 143
» CAPABILITIES AND THE ⋆-PROPERTY
» CAPABILITIES AND CONFINEMENT CHALLENGES IN SECURE CAPABILITY SYSTEMS
» CAPABILITIES AND POLICY CHANGES
» ENFORCING THE ⋆-PROPERTY BUILDING SECURE CAPABILITY SYSTEMS
» ENFORCING CONFINEMENT BUILDING SECURE CAPABILITY SYSTEMS 147
» REVOKING CAPABILITIES BUILDING SECURE CAPABILITY SYSTEMS 149
» SUMMARY 151 SUMMARY Operating Systerm Security
» SEPARATION KERNELS 155 SEPARATION KERNELS
» VAX VMM DESIGN VAX VMM SECURITY KERNEL
» SECURITY IN OTHER VIRTUAL MACHINE SYSTEMS 163
» SECURITY IN OTHER VIRTUAL MACHINE SYSTEMS
» SECURITY IN OTHER VIRTUAL MACHINE SYSTEMS 165
» SUMMARY 167 Operating Systerm Security
» ORANGE BOOK Operating Systerm Security
» ORANGE BOOK 171 Operating Systerm Security
» COMMON CRITERIA CONCEPTS COMMON CRITERIA
Show more