CS 426 class
Feb 09, 2012
Trusted Operating System security - Read Chapter 5
When we discussed an ordinary OS, our point of view was the user's,
and the concern was the security services the OS provides: protect memory,
protect files, protect other objects, and perform user authentication.
An OS is *trusted* if we are confident that it provides these
4 services consistently and effectively.
Now we discuss the trusted OS from the point of view of the designer.
The four major underpinnings of a trusted OS are:
1. Policy - a set of well-defined, consistent, clear,
implementable rules for security
Examples: military, Clark-Wilson, Chinese wall
2. Model - a representation of the environment to be secured and
of the way it is secured.
The model represents the policy.
Examples: lattices, Bell-LaPadula, Biba, Graham-Denning, HRU, TG
3. Design - a means to implement the policy; covers topics like
object reuse, audit, logs, intrusion detection
Examples: least privilege, open design, access control
4. Trust - why should users trust the OS?
Examples: examine policy, model, design; penetration testing;
formal verification and validation; evaluation
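A worked example of item 2 above, added here and not part of the lecture notes: a lattice of security labels, with the Bell-LaPadula and Biba rules layered on it to show how a model represents a policy (Bell-LaPadula for the military confidentiality policy, Biba for its integrity dual). The level names and categories are constructed sample values.

```python
# Added example (not from the lecture notes): a lattice-based label model
# of the kind listed under "Model" above. A label combines a linear
# clearance level with a set of categories; "dominates" is the lattice's
# partial order. Bell-LaPadula enforces confidentiality; Biba is the
# dual for integrity. Level names and categories are constructed samples.
from dataclasses import dataclass, field
from typing import FrozenSet

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level is >= AND categories are a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both inputs."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.categories | b.categories)


def blp_allows(subject: Label, obj: Label, access: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if access == "read":
        return subject.dominates(obj)      # simple security property
    if access == "write":
        return obj.dominates(subject)      # *-property
    raise ValueError(access)


def biba_allows(subject: Label, obj: Label, access: str) -> bool:
    """Biba (integrity): the dual rules, no read down, no write up."""
    if access == "read":
        return obj.dominates(subject)
    if access == "write":
        return subject.dominates(obj)
    raise ValueError(access)
```

Labels with different category sets at the same level are incomparable, so both read and write are refused under Bell-LaPadula; this is where the lattice, not just the linear levels, does the work.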
We call it a "trusted OS" rather than a "secure OS" because:
security is either/or (yes/no); trust is graded
security is a property of the presenter; trust is a property of the receiver
security is asserted; trust is judged
security is a goal for a system; trust is a characteristic of a system
A user judges how much to trust an OS based on:
1. Functional correctness - Does the OS work correctly?
2. Integrity enforcement - Does the OS maintain correct data