Page 87 - DCAP516_COMPUTER_SECURITY
Unit 7: Designing Trusted Operating System
(verifying that the input is of the expected form and adheres to the “edit” rules). Here the UNIX
operating system shows its major flaw – users are either not trusted or, being super-users, given
access to every resource.
Some of the features of a security-oriented operating system are obvious, while other features
require a bit of explanation. We discuss those features that are not obvious.
Mandatory access control (MAC) refers to the granting of access by a central authority, not by
individual users. If I have SECRET data to show you and you do not have a SECRET clearance,
I cannot of my own volition grant you a SECRET clearance (although I have actually seen it done
– I wonder what the Defense Department would think of that). MAC should exist along with
discretionary access control (DAC) in that objects not managed by the central authority can be
managed by the individual user owning them.
Object reuse protection refers to the complete removal of an object before it is returned to the
object pool for reuse. The simplest example of this is protection of files. What happens when a
file is deleted? In many operating systems, the file allocation table is modified to no longer
reference the object and to place its data sectors on the free list as available for reuse. Note that
the data sectors are not overwritten, so the original data remains on disk until something else is written over it.
Object reuse protection also has a place in large object-oriented systems. In these systems, the
creation of some objects is often very computationally intense. This leads to the practice of
pooling the discarded objects rather than actually destroying the object and releasing the memory
when the object is no longer in use. A program attempting to create a new object of the type in
the pool will get an object already created if one exists in the pool. This leads to more efficient
operation, but also introduces a security hole.
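The two cases above (a deleted file whose sectors are merely freed, and a pooled object handed to the next caller) are the same defect. The following added example, which is not from the textbook, models both with a toy sector-based file system and a toy object pool, each with and without scrubbing; the file names and payloads are constructed samples.

```python
from dataclasses import dataclass, field


class ToyFileSystem:
    """Sector-based toy disk with a file table and a free list.

    delete() unlinks the name and returns the sectors to the free list;
    unless scrub=True the sector contents stay in place, as the text describes.
    """
    SECTOR = 8

    def __init__(self, nsectors=8):
        self.sectors = [bytearray(self.SECTOR) for _ in range(nsectors)]
        self.free = list(range(nsectors))
        self.table = {}  # file name -> list of sector numbers

    def write(self, name, data):
        chunks = [data[i:i + self.SECTOR] for i in range(0, len(data), self.SECTOR)]
        used = [self.free.pop(0) for _ in chunks]
        for sector, chunk in zip(used, chunks):
            self.sectors[sector][:len(chunk)] = chunk
        self.table[name] = used

    def delete(self, name, scrub=False):
        for sector in self.table.pop(name):
            if scrub:  # object reuse protection: wipe before freeing
                self.sectors[sector][:] = bytes(self.SECTOR)
            self.free.append(sector)

    def raw_disk(self):
        """What a low-level read of every sector, free ones included, returns."""
        return b"".join(bytes(s) for s in self.sectors)


def deleted_file_recoverable(scrub):
    """True if the deleted file's content is still readable from raw sectors."""
    fs = ToyFileSystem()
    fs.write("plans.txt", b"SECRET: constructed sample")  # constructed content
    fs.delete("plans.txt", scrub=scrub)
    assert "plans.txt" not in fs.table  # the directory entry is gone either way
    return b"SECRET" in fs.raw_disk()


@dataclass
class Record:
    """A costly-to-create object that holds caller data in a fixed buffer."""
    data: bytearray = field(default_factory=lambda: bytearray(32))


class ObjectPool:
    """Recycles Record objects instead of destroying them.

    With scrub=False a recycled Record still carries the previous user's data;
    with scrub=True the buffer is zeroed before it goes back into the pool.
    """

    def __init__(self, scrub):
        self.scrub = scrub
        self._free = []

    def acquire(self):
        return self._free.pop() if self._free else Record()

    def release(self, rec):
        if self.scrub:
            rec.data[:] = bytes(len(rec.data))
        self._free.append(rec)


def pooled_object_leaks(scrub):
    """True if a second caller receives the first caller's data from the pool."""
    pool = ObjectPool(scrub)
    first = pool.acquire()
    payload = b"SECRET: pooled sample"  # constructed content
    first.data[:len(payload)] = payload
    pool.release(first)       # first user is finished with the object
    second = pool.acquire()   # second user is handed the recycled object
    return bytes(second.data).startswith(payload)


if __name__ == "__main__":
    for scrub in (False, True):
        print(f"scrub={scrub}: file recoverable={deleted_file_recoverable(scrub)}, "
              f"pool leaks={pooled_object_leaks(scrub)}")
```

The scrubbing variants cost one extra pass over the buffer; the unscrubbed variants are faster but hand the next user whatever the previous one left behind, which is exactly the hole the text describes.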
Audit log management refers to the practice of logging all events with potential security impact,
protecting that log from unauthorized access and modification, and the creation of procedures and
software to examine the log periodically and analyze it for irregularities. A security log is of no
use if nobody looks at it.
Intrusion detection refers to the creation and use of system software that scans all activity
looking for unusual events. Such software is hard to write, but one should try. For example, this
author has a 128 MB flash drive that he occasionally attaches to his computer at work via the USB
port. The intrusion detection software always reports that the number of hard drives on the
system has changed and says to call the administrator if this was not an intentional act.
Kernelized Design
A kernel is the part of an operating system that performs low-level functions. This is distinct
from the high-level services part of the operating system, which handles things such as shared
printers, e-mail and Internet access. The kernel of an operating system is often
called the nucleus, and rarely the core. In an operating system designed with security in mind
there are two kernels: the security kernel and the operating system kernel, which includes the
security kernel.
The security kernel is responsible for enforcing the security mechanisms of the operating system,
including the handling of most of the functions normally allocated to the operating system
kernel itself, as most of these low-level facilities have impact on security.
The reference monitor is one of the most important parts of the security kernel. This is the
process that controls access to all objects, including devices, files, memory, interprocess
communication, and other objects. Naturally, the reference monitor must monitor access to
itself and include protection against its being modified in an unauthorized way.
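To tie together the reference monitor described here with the MAC/DAC rules and the audit log requirements discussed earlier in this unit, the following added example (not from the textbook) is a small reference monitor in Python. Labelled objects follow the mandatory rule (a subject needs clearance at or above the label, and only the central authority may set labels or clearances); unlabelled objects follow the owner's discretionary list; and every decision, allowed or denied, is appended to a hash-chained log so that later modification is detectable. The subject names, object names and the "security-officer" authority are assumptions made for the illustration.

```python
import hashlib
import json

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ReferenceMonitor:
    """Mediates every access request and records every decision.

    MAC: clearances and labels are set only by the central authority.
    DAC: objects with no label are controlled by their owner.
    """

    def __init__(self, authority="security-officer"):  # assumed authority name
        self.authority = authority
        self.clearance = {}   # subject -> level (MAC)
        self.label = {}       # object  -> level (MAC)
        self.acl = {}         # object  -> {"owner": ..., "readers": set()} (DAC)
        self.log = []
        self._prev = GENESIS

    # MAC: only the central authority may change clearances or labels
    def set_clearance(self, actor, subject, level):
        allowed = actor == self.authority
        self._audit("set_clearance", actor, subject, level, allowed)
        if not allowed:
            raise PermissionError(f"{actor} may not grant clearances")
        self.clearance[subject] = LEVELS[level]

    def label_object(self, actor, obj, level):
        allowed = actor == self.authority
        self._audit("label_object", actor, obj, level, allowed)
        if not allowed:
            raise PermissionError(f"{actor} may not label objects")
        self.label[obj] = LEVELS[level]

    # DAC: the owner of an unlabelled object decides who may read it
    def create_object(self, owner, obj):
        self.acl[obj] = {"owner": owner, "readers": {owner}}
        self._audit("create", owner, obj, "", True)

    def grant_read(self, actor, obj, subject):
        allowed = obj in self.acl and self.acl[obj]["owner"] == actor
        self._audit("grant_read", actor, obj, subject, allowed)
        if allowed:
            self.acl[obj]["readers"].add(subject)
        return allowed

    # The access decision itself
    def can_read(self, subject, obj):
        if obj in self.label:   # labelled object: MAC rule, no "read up"
            allowed = self.clearance.get(subject, 0) >= self.label[obj]
        else:                   # unlabelled object: DAC rule
            allowed = subject in self.acl.get(obj, {}).get("readers", ())
        self._audit("read", subject, obj, "", allowed)
        return allowed

    # Audit log: each entry carries the hash of the previous entry
    def _audit(self, action, actor, target, detail, allowed):
        entry = {"n": len(self.log), "action": action, "actor": actor,
                 "target": target, "detail": str(detail), "allowed": allowed,
                 "prev": self._prev}
        entry["hash"] = _digest(entry)
        self._prev = entry["hash"]
        self.log.append(entry)

    def verify_log(self):
        """True only if no entry has been altered, removed or reordered."""
        prev = GENESIS
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def denied_events(self):
        """The periodic review the text calls for: list the irregularities."""
        return [e for e in self.log if not e["allowed"]]


def run_scenario():
    rm = ReferenceMonitor()
    rm.set_clearance("security-officer", "alice", "SECRET")
    rm.set_clearance("security-officer", "bob", "CONFIDENTIAL")
    rm.label_object("security-officer", "plans.doc", "SECRET")
    try:   # alice cannot, of her own volition, raise bob's clearance
        rm.set_clearance("alice", "bob", "SECRET")
    except PermissionError:
        pass
    results = {"alice_reads_plans": rm.can_read("alice", "plans.doc"),
               "bob_reads_plans": rm.can_read("bob", "plans.doc")}
    rm.create_object("alice", "memo.txt")   # unlabelled, so DAC applies
    results["bob_reads_memo_before_grant"] = rm.can_read("bob", "memo.txt")
    rm.grant_read("alice", "memo.txt", "bob")
    results["bob_reads_memo_after_grant"] = rm.can_read("bob", "memo.txt")
    results["denied_count"] = len(rm.denied_events())
    results["log_intact"] = rm.verify_log()
    rm.log[rm.denied_events()[0]["n"]]["allowed"] = True   # simulate tampering
    results["tamper_detected"] = not rm.verify_log()
    return results
```

Two design points are worth noting. The monitor writes the audit entry before raising or returning, so a denied request is recorded even though the caller never gets a handle; and the hash chain only makes tampering detectable, it does not prevent it, which is why the text also asks that the log itself be protected from unauthorized modification.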
LOVELY PROFESSIONAL UNIVERSITY 81