Trusted System Design Elements
That security considerations
pervade the design and structure of operating systems implies two things.
First, an operating system controls the interaction between subjects and
objects, so security must be considered in every aspect of its design. That is,
the operating system design must include definitions of which objects will be
protected in what way, which subjects will have access and at what levels, and
so on. There must be a clear mapping from the security requirements to the
design, so that all developers can see how the two relate. Moreover, once a
section of the operating system has been designed, it must be checked to see
that the degree of security that it is supposed to enforce or provide has
actually been designed correctly. This checking can be done in many ways, including
formal reviews or simulations. Again, a mapping is necessary, this time from
the requirements to design to tests so that developers can affirm that each
aspect of operating system security has been tested and shown to work
correctly.
Second, because security
appears in every part of an operating system, its design and implementation
cannot be left fuzzy or vague until the rest of the system is working and being
tested. It is extremely hard to retrofit security features to an operating
system designed with inadequate security. Leaving an operating system's
security to the last minute is much like trying to install plumbing or wiring
in a house whose foundation is set, structure defined, and walls already up and
painted; not only must you destroy most of what you have built, but you may
also find that the general structure can no longer accommodate all that is
needed (and so some has to be left out or compromised). Thus, security must be
an essential part of the initial design of a trusted operating system. Indeed,
the security considerations may shape many of the other design decisions,
especially for a system with complex and constraining security requirements.
For the same reasons, the security and other design principles must be carried
throughout implementation, testing, and maintenance.
Good design principles are
always good for security, as we have noted above. But several important design
principles are quite particular to security and essential for building a solid,
trusted operating system. These principles have been articulated well by
Saltzer [SAL74] and Saltzer and
Schroeder [SAL75]:
Least privilege. Each user and each program should operate by
using the fewest privileges possible. In this way, the damage from an inadvertent error or a malicious attack is
minimized.
Economy of mechanism. The design of the protection system should be
small, simple, and straightforward. Such a protection system can be carefully analyzed, exhaustively tested, perhaps
verified, and relied on.
Open design. The protection mechanism must not depend on the ignorance of
potential attackers; the mechanism should be public, depending on secrecy of relatively few key items, such as a
password table. An open design is also available for extensive public scrutiny,
thereby providing independent confirmation of the design security.
Complete mediation. Every access attempt must be checked. Both
direct access attempts (requests) and attempts to circumvent the access checking mechanism should be
considered, and the mechanism should be positioned so that it cannot be
circumvented.
Permission based. The default condition should be denial of
access. A conservative designer identifies the items that should be accessible, rather than those that
should not.
Separation of privilege. Ideally, access to objects should depend on
more than one condition, such as user authentication plus a cryptographic key. In this way, someone who defeats one protection
system will not have complete access.
Least common mechanism. Shared objects provide potential channels for
information flow. Systems employing physical or logical separation reduce the risk from sharing.
Ease of use. If a protection mechanism is easy to use, it is unlikely to be
avoided.
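The following toy reference monitor is an added example, not part of the original text, written to show how four of these principles look in code: the policy table lists what is allowed and everything else is denied (permission based); every decision passes through one check() method that also records an audit entry (complete mediation); a write to the sensitive object needs authentication plus a separately issued approval token (separation of privilege); and a Session can give rights up but never acquire them (least privilege). A denial-based check is shown alongside to make the default-deny point concrete. The subjects, object names, policy entries and the approval secret are all constructed for the demonstration.

```python
"""Toy reference monitor illustrating several of the design principles above.

Added example, not from the page: the policy table, subjects, object names
and the approval secret are all constructed for the demonstration.
"""
import hashlib
import hmac
from typing import Dict, FrozenSet, List, Optional, Tuple

Key = Tuple[str, str]  # (subject, object)

# Permission based: the table lists what IS allowed. Anything absent is denied.
POLICY: Dict[Key, FrozenSet[str]] = {
    ("alice", "/payroll/salaries.db"): frozenset({"read"}),
    ("payroll_svc", "/payroll/salaries.db"): frozenset({"read", "write"}),
    ("bob", "/public/notice.txt"): frozenset({"read"}),
}

# Separation of privilege: writes to this object need authentication AND a
# second, independent approval token (an HMAC under a separate key).
DUAL_CONTROL: Dict[str, FrozenSet[str]] = {"/payroll/salaries.db": frozenset({"write"})}
APPROVAL_KEY = b"constructed-demo-approval-key"  # assumption: demo secret only


def approval_token(subject: str, obj: str, right: str) -> str:
    """Token an approver would issue for one specific (subject, object, right)."""
    msg = f"{subject}|{obj}|{right}".encode()
    return hmac.new(APPROVAL_KEY, msg, hashlib.sha256).hexdigest()


class ReferenceMonitor:
    """Complete mediation: every access decision goes through check()."""

    def __init__(self) -> None:
        self.audit: List[Tuple[str, str, str, bool]] = []

    def check(self, subject: str, obj: str, right: str,
              token: Optional[str] = None) -> bool:
        allowed = right in POLICY.get((subject, obj), frozenset())
        if allowed and right in DUAL_CONTROL.get(obj, frozenset()):
            expected = approval_token(subject, obj, right)
            allowed = token is not None and hmac.compare_digest(token, expected)
        self.audit.append((subject, obj, right, allowed))
        return allowed


class Session:
    """Least privilege: a session starts with its principal's rights and can
    only narrow them (restrict), never acquire new ones."""

    def __init__(self, monitor: ReferenceMonitor, subject: str,
                 rights: FrozenSet[str]) -> None:
        self.monitor, self.subject, self.rights = monitor, subject, rights

    def restrict(self, keep: FrozenSet[str]) -> "Session":
        return Session(self.monitor, self.subject, self.rights & keep)

    def access(self, obj: str, right: str, token: Optional[str] = None) -> bool:
        if right not in self.rights:  # right was given up: deny without asking
            self.monitor.audit.append((self.subject, obj, right, False))
            return False
        return self.monitor.check(self.subject, obj, right, token)


# Contrast: a denial-based check. Anything not explicitly blocked is allowed,
# so a newly created object is open to everyone until someone lists it.
BLOCKED = {("bob", "/payroll/salaries.db")}


def denylist_check(subject: str, obj: str) -> bool:
    return (subject, obj) not in BLOCKED


def demo() -> Tuple[Dict[str, bool], List[Tuple[str, str, str, bool]]]:
    """Run the constructed scenario; returns the decisions and the audit trail."""
    rm = ReferenceMonitor()
    db = "/payroll/salaries.db"
    tok = approval_token("payroll_svc", db, "write")
    results = {
        "alice_read": rm.check("alice", db, "read"),
        "alice_write": rm.check("alice", db, "write"),
        "svc_write_no_token": rm.check("payroll_svc", db, "write"),
        "svc_write_with_token": rm.check("payroll_svc", db, "write", tok),
        "unknown_object": rm.check("alice", "/payroll/new_file.db", "read"),
    }
    full = Session(rm, "payroll_svc", frozenset({"read", "write"}))
    reporting = full.restrict(frozenset({"read"}))
    results["reporting_read"] = reporting.access(db, "read")
    results["reporting_write"] = reporting.access(db, "write", tok)
    results["denylist_new_object"] = denylist_check("bob", "/payroll/new_file.db")
    return results, rm.audit


if __name__ == "__main__":
    decisions, trail = demo()
    for name, ok in decisions.items():
        print(f"{name:24} {'ALLOW' if ok else 'DENY'}")
    print(f"{len(trail)} decisions audited")
```

Note what the denylist_check result shows: the new payroll file is readable by bob simply because nobody blocked it yet, whereas the same request against the permission-based monitor is denied because nobody allowed it. The restricted reporting session is refused the write even though it holds a valid approval token, because least privilege is enforced before the policy is consulted at all.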
Although these design
principles were suggested several decades ago, they are as accurate now as they
were when originally written. The principles have been used repeatedly and
successfully in the design and implementation of numerous trusted systems. More
importantly, when security problems have been found in operating systems in the
past, they almost always derive from failure to abide by one or more of these
principles.