Trusted Systems

"To be trusted is a greater compliment than being loved."
  George MacDonald, The Marquis of Lossie (1877)
What is a trusted system?

❖ "Secure" tends to be an absolute
❖ "Trusted" means that it meets the necessary security requirements
  • May not be completely secure!
  • Needs to justify the user's confidence!
❖ Trust comes in degrees
  • Trust best friends with deep, dark secrets
  • Trust acquaintances with my plans for this weekend
  • Trust strangers to give me directions (usually…)
Trusted systems vs. secure systems

  Secure system                                                            | Trusted system
  Binary: it's secure, or it's not                                         | Degrees of trustworthiness
  Intrinsic to the system                                                  | User decides on trustworthiness
  Based solely on the system                                               | User makes a judgment based on the system
  Absolute: security doesn't depend on how or by whom the system is used   | Relative: trustworthiness depends on the details of system use
  Goal: absolute security                                                  | Characteristic: system can be viewed as trustworthy at any particular time
Security policies

❖ Operating systems have to implement policies
  • Mechanisms are used to enforce policies (more on that in a bit)
❖ Different types of security policies
  • Military
  • Commercial
❖ General goal of security policies: restrict the flow of information
Military security

❖ Information ranked by sensitivity level
  • Lowest: Unclassified
  • Highest: Top Secret
❖ Information access limited by "need-to-know"
  • Divided into compartments
  • Each piece of information in zero or more compartments
  • Compartments may span levels
❖ Access to information requires
  • Clearance at the right level
  • Access to the compartment

[Figure: sensitivity levels from lowest to highest: Unclassified, Restricted, Confidential, Secret, Top Secret; the compartments "goodwill", "enemy of the state" and "sneakers" cut across the levels]
More on military security policies

❖ Information classified by <rank, compartments>
❖ S dominates O if and only if
  • Rank(S) ≥ Rank(O) and
  • S has all of the compartments O has
❖ S can read O only if S dominates O
  • S needs all of O's compartments, not just "at least one"
  • S must have a sufficiently high rank as well
❖ Two types of sensitivity requirements
  • Hierarchical: rank
  • Nonhierarchical: need-to-know
  • Even a Top Secret clearance isn't enough to get all information…
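The dominance relation and the resulting read check, as an added example in Python (not code from the slides). The level ladder is the one on the Military security slide; the documents and clearances are constructed sample data reusing the slide's compartment names, and the function names are my own. It also shows something the slide only implies: dominance is a partial order, so two labels at the same rank with different compartments dominate each other in neither direction.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Hierarchical sensitivity levels, lowest to highest, as listed on the slide.
LEVELS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A <rank, compartments> security label for a subject or an object."""
    level: str
    compartments: FrozenSet[str] = frozenset()   # zero or more compartments

    def __post_init__(self) -> None:
        if self.level not in RANK:
            raise ValueError(f"unknown sensitivity level: {self.level!r}")

    @property
    def rank(self) -> int:
        return RANK[self.level]


def dominates(s: Label, o: Label) -> bool:
    """S dominates O iff Rank(S) >= Rank(O) and S holds every compartment O has.

    Both halves are required: a higher rank alone does not satisfy
    need-to-know, and holding the compartments alone does not satisfy rank.
    """
    return s.rank >= o.rank and o.compartments <= s.compartments


def can_read(subject: Label, obj: Label) -> bool:
    """Read access requires the subject's label to dominate the object's."""
    return dominates(subject, obj)


def readable_by(subject: Label, objects: Dict[str, Label]) -> List[str]:
    """Names of the objects a subject may read, sorted for stable output."""
    return sorted(name for name, label in objects.items() if can_read(subject, label))


# Constructed sample data (hypothetical, not from the slides).
DOCUMENTS = {
    "weather report": Label("Unclassified"),
    "travel plan": Label("Confidential", frozenset({"goodwill"})),
    "sneakers memo": Label("Secret", frozenset({"sneakers"})),
    "joint brief": Label("Secret", frozenset({"sneakers", "enemy of the state"})),
    "budget": Label("Top Secret"),
}

CLEARANCES = {
    # Top Secret rank but no compartments: rank alone grants no need-to-know,
    # so the general cannot read any compartmented document.
    "general": Label("Top Secret"),
    # Lower rank but read into two compartments.
    "analyst": Label("Secret", frozenset({"sneakers", "goodwill"})),
    "clerk": Label("Restricted", frozenset({"goodwill"})),
}

if __name__ == "__main__":
    for who, clearance in CLEARANCES.items():
        print(f"{who:8} may read: {readable_by(clearance, DOCUMENTS)}")
```

Running it shows the general reading only the uncompartmented documents ("budget" and "weather report") while the analyst, two ranks lower, reads the "sneakers memo" and "travel plan" but not the "joint brief", which carries a compartment the analyst was never read into.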
Commercial security policies

❖ Similar to military in many ways
  • Hierarchical ranking
  • Non-hierarchical "compartments": based on project
  • Not all employees need to know about new products!
❖ Less formal than military
  • No security clearances (usually)
  • No dominance function (usually)
❖ Still need to restrict information flow
❖ So far, mostly about who can read what
  • Ensures confidentiality, but not integrity
❖ Who can write something?