Chapter 5
Designing Trusted Operating Systems
In this chapter
· What makes an operating system "secure"? Or "trustworthy"?
· How are trusted systems designed, and which of those design principles carry over naturally to other program development tasks?
· How do we develop "assurance" of the correctness of a trusted operating system?
Operating systems are the prime providers of security in computing systems. They support many programming capabilities, permit multiprogramming and sharing of resources, and enforce restrictions on program and user behavior. Because they hold such power, operating systems are also prime targets for attack: breaking through the defenses of an operating system gives access to everything the computing system protects.
In Chapter 4 we considered operating systems from the perspective of users, asking what primitive security services general operating systems provide. We studied these four services:
· memory protection
· file protection
· general object access control
· user authentication
We say that an operating system is trusted if we have confidence that it provides these four services consistently and effectively. In this chapter, we take the designer's perspective, viewing a trusted operating system in terms of the design and function of the components that provide security services. The first four sections of this chapter correspond to the four major underpinnings of a trusted operating system:
Policy. Every system can be described by its requirements: statements of what the system should do and how it should do it. An operating system's security requirements are a set of well-defined, consistent, and implementable rules that have been clearly and unambiguously expressed. If the operating system is implemented to meet these requirements, it meets the user's expectations. To ensure that the requirements are clear, consistent, and effective, the operating system usually follows a stated security policy: a set of rules that lay out what is to be secured and why. We begin this chapter by studying several security policies for trusted operating systems.
Model. To create a trusted operating system, the designers must be confident that the proposed system will meet its requirements while protecting the appropriate objects and relationships. They usually begin by constructing a model of the environment to be secured. The model is a representation of the policy the operating system will enforce. Designers compare the model with the system requirements to make sure that the overall system functions are not compromised or degraded by the security needs. Then they study different ways of enforcing that security. In the second part of this chapter we consider several different models for operating system security.
Design. After having selected a security model, designers choose a means to implement it. Thus, the design involves both what the trusted operating system is (that is, its intended functionality) and how it is to be constructed (its implementation). The third major section of this chapter addresses choices to be made during development of a trusted operating system.
Trust. Because the operating system plays a central role in enforcing security, we (as developers and users) seek some basis (assurance) for believing that it will meet our expectations. Our trust in the system rests on two aspects: features (the operating system has all the functionality needed to enforce the expected security policy) and assurance (the operating system has been implemented in such a way that we have confidence it will enforce the security policy correctly and effectively). In the fourth part of this chapter we explore what makes a particular design or implementation worthy of trust.
The chapter ends with some examples of actual trusted operating systems. Several such systems have been written, and more are under development. In some cases, the secure systems were originally designed for security; in others, security features were added to existing operating systems. Our examples show that both approaches can produce a secure operating system.