Operating System Security - Trusted Systems

"To be trusted is a greater compliment than being loved." (George MacDonald, The Marquis of Lossie, 1877)

Trusted Systems
What is a trusted system?

"Secure" tends to be an absolute. "Trusted" means that the system meets the necessary security requirements; it may not be completely secure, and it needs to justify the user's confidence.

Trust comes in degrees:
- Trust best friends with deep, dark secrets
- Trust acquaintances with my plans for this weekend
- Trust strangers to give me directions (usually...)
Trusted systems vs. secure systems

- Secure system: binary, it's secure or it's not. Trusted system: degrees of trustworthiness.
- Secure system: intrinsic to the system, based solely on the system. Trusted system: the user decides on trustworthiness, making a judgment based on the system.
- Secure system: absolute, security doesn't depend on how or by whom the system is used. Trusted system: relative, trustworthiness depends on the details of system use.
- Secure system: the goal is absolute security. Trusted system: the characteristic is that the system can be viewed as trustworthy at any particular time.
Security policies

- Operating systems have to implement policies.
- Mechanisms are used to enforce policies; more on that in a bit.
- Different types of security policies: military, commercial.
- General goal of security policies: restrict the flow of information.
Military security

- Information is ranked by sensitivity level, from lowest to highest: Unclassified, Restricted, Confidential, Secret, Top Secret.
- Information access is further limited by "need-to-know": information is divided into compartments, each piece of information is in zero or more compartments, and compartments may span levels (the slide's figure shows compartments "goodwill", "enemyofthestate" and "sneakers" cutting across the levels).
- Access to information requires both clearance at the right level and access to the compartment.
More on military security policies

- Information is classified by <rank, compartments>.
- S dominates O if and only if Rank(S) >= Rank(O) and S has all of the compartments O has.
- S can read O only if S dominates O: S needs all of O's compartments, not just "at least one", and S must have a sufficiently high rank as well.
- Two types of sensitivity requirements: hierarchical (rank) and nonhierarchical (need-to-know).
- Even a Top Secret clearance isn't enough to get all information: without the compartment, the rank alone does not dominate.
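The dominance check from the two slides above, written out as an added Python example (this is not the lecture's own code). The level ordering and the compartment names "goodwill", "enemyofthestate" and "sneakers" are taken from the slides; the names Label, label and can_read are this example's own choices. Dominance is a partial order: two labels with different compartments can be incomparable, which the demo shows as well as the "Top Secret isn't enough" case.

```python
"""Military-style <rank, compartments> labels and the dominance relation.

Added example, not from the lecture. Level names and compartment names follow
the slides; the class and function names here are this example's own.
"""
from dataclasses import dataclass, field
from typing import FrozenSet

# Sensitivity levels from lowest to highest; the index is the hierarchical rank.
LEVELS = ("Unclassified", "Restricted", "Confidential", "Secret", "Top Secret")


@dataclass(frozen=True)
class Label:
    """A security label: one hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = field(default_factory=frozenset)

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown sensitivity level: {self.level!r}")

    @property
    def rank(self) -> int:
        return LEVELS.index(self.level)

    def dominates(self, other: "Label") -> bool:
        """S dominates O iff Rank(S) >= Rank(O) and S holds every compartment O has.

        The compartment test is a subset test, so O's compartments must ALL be
        present in S; sharing one compartment is not enough.
        """
        return self.rank >= other.rank and other.compartments <= self.compartments


def label(level: str, *compartments: str) -> Label:
    """Convenience constructor: label("Secret", "sneakers", "goodwill")."""
    return Label(level, frozenset(compartments))


def can_read(subject: Label, obj: Label) -> bool:
    """Read access (the confidentiality rule on the slide): S reads O only if S dominates O."""
    return subject.dominates(obj)


def comparable(a: Label, b: Label) -> bool:
    """True when the two labels are ordered; dominance is only a partial order."""
    return a.dominates(b) or b.dominates(a)


if __name__ == "__main__":
    # Constructed sample subjects and objects for the demo.
    ts_no_compartments = label("Top Secret")
    secret_sneakers = label("Secret", "sneakers")
    ts_goodwill = label("Top Secret", "goodwill")
    analyst = label("Top Secret", "sneakers", "goodwill")

    print("Top Secret alone reads Secret/sneakers:", can_read(ts_no_compartments, secret_sneakers))
    print("Secret/sneakers reads Secret/sneakers:", can_read(secret_sneakers, secret_sneakers))
    print("TS/{sneakers,goodwill} reads Secret/sneakers:", can_read(analyst, secret_sneakers))
    print("Secret/sneakers vs Top Secret/goodwill comparable:", comparable(secret_sneakers, ts_goodwill))
```

Note that the subset test does the nonhierarchical part of the check: a subject holding "sneakers" cannot read an object in both "sneakers" and "goodwill", and a subject holding "goodwill" and "sneakers" at Confidential still fails on rank against a Secret object.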
Commercial security policies

- Similar to military in many ways: hierarchical ranking, and non-hierarchical "compartments" based on project (not all employees need to know about new products!).
- Less formal than military: no security clearances (usually), no dominance function (usually).
- Still need to restrict information flow.
So far, mostly about who can read what. This ensures confidentiality, but not integrity. Who can write something?
