Page 86 - DCAP516_COMPUTER_SECURITY
7.5.3 When is an Operating System said to be Trusted?
An operating system is trusted if we have confidence it provides:
1. Memory protection,
2. File protection,
3. General object access control,
4. User authentication in a consistent and effective way.
7.6 Trusted Operating System Design
Here we face the immediate problem of software quality. It is almost impossible to create a
complete and consistent set of requirements for any large software system, and even more
difficult to ensure that the software system adheres to that set of requirements and no other.
Now we are asked to make an operating system adhere to a set of requirements specifying
security – perhaps both the Bell-LaPadula model and the Biba integrity model. This is quite a
chore. The difficulty of the chore does not excuse us from trying it.
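To make the "chore" concrete, here is an added example (not from the textbook) of a tiny reference monitor that mediates every read and write against both the Bell-LaPadula confidentiality rules and the Biba integrity rules at once; the subject names, object names and numeric levels are constructed for illustration.

```python
# Added example: a minimal reference monitor enforcing Bell-LaPadula
# (confidentiality) AND Biba (integrity) on every access. Levels are
# integers: higher = more sensitive (BLP) or more trustworthy (Biba).
# Subjects and objects each carry one label of each kind (constructed).
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    secrecy: int    # Bell-LaPadula clearance / classification
    integrity: int  # Biba integrity level

def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula: no read up (ss-property), no write down (*-property)."""
    if op == "read":
        return subject.secrecy >= obj.secrecy
    if op == "write":
        return subject.secrecy <= obj.secrecy
    raise ValueError(f"unknown operation {op!r}")

def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba strict integrity: no read down, no write up."""
    if op == "read":
        return subject.integrity <= obj.integrity
    if op == "write":
        return subject.integrity >= obj.integrity
    raise ValueError(f"unknown operation {op!r}")

class ReferenceMonitor:
    """Every access goes through check(); nothing else touches objects."""
    def __init__(self, subjects, objects):
        self.subjects = subjects  # name -> Label
        self.objects = objects    # name -> Label
        self.audit = []           # (subject, op, object, decision)

    def check(self, subject: str, op: str, obj: str) -> bool:
        s, o = self.subjects[subject], self.objects[obj]
        # Both models must agree: deny if either policy says no.
        decision = blp_allows(s, o, op) and biba_allows(s, o, op)
        self.audit.append((subject, op, obj, "ALLOW" if decision else "DENY"))
        return decision

# Constructed sample policy: secrecy 0..2 (public..secret),
# integrity 0..2 (untrusted..system).
SUBJECTS = {"analyst": Label(secrecy=2, integrity=1),
            "guest":   Label(secrecy=0, integrity=0)}
OBJECTS  = {"secret_report": Label(secrecy=2, integrity=1),
            "public_notice": Label(secrecy=0, integrity=2),
            "scratch_file":  Label(secrecy=0, integrity=0)}
MONITOR = ReferenceMonitor(SUBJECTS, OBJECTS)
```

Note how the two models pull in different directions: the high-clearance analyst may read the secret report but is denied reading the low-integrity scratch file, which is exactly the kind of interaction that makes a combined requirement set hard to get right.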
The main difficulty in ensuring the security of an operating system is the fact that the operating
system is interrupt-driven. Imagine an ordinary user program, perhaps one written for a class
project. One can think of this as a deterministic system (although it might not be) in that the
program does only what the instructions say to do. Admittedly what the instructions say to do
may be different from what the author of the program thinks they say to do, but that is always
a problem.
The main job of an operating system is to initialize the execution environment of the computer
and then enter an idle state, just waiting for interrupts. Its job is to respond to each of the
interrupts according to a fixed priority policy and to execute the program associated with the
interrupt. The association of programs with interrupts is established when the execution
environment is set up; for further study consult a book on computer architecture.
When an interrupt causes the operating system to suspend the execution of one program and
initiate the execution of another program, the operating system performs a context switch,
basically loading the new program and establishing its execution environment. It is this context
switch that introduces some indeterminacy into the operating system. Another concern is that
the time and resources taken by the context switch itself are part of the overhead of the operating
system – cost to the executing program that does not directly benefit the executing program.
Thus, there is pressure to make each context switch as efficient as possible. Introducing security
code into the context switch slows it down.
There are three main services of operating systems that interact with security.
User Interface: authenticates a user, allows that user access to the system, and handles all interaction with the user.
Service Management: allows a user access to many of the low-level services of the operating system.
Resource Allocation: allocates resources such as memory, I/O devices, time on the CPU, etc.
In a trusted operating system, designed from the beginning with security in mind, each of these
main services is written as a distinct object with its own security controls, especially user
authentication, least privilege (don’t let a user do more than is necessary), and complete mediation
LOVELY PROFESSIONAL UNIVERSITY