Download BUILDING INTO A MULTILEVEL FILE TRUST

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
Document related concepts

Trusted Computing wikipedia , lookup

Next-Generation Secure Computing Base wikipedia , lookup

Computer security wikipedia , lookup

Multilevel security wikipedia , lookup

Mobile security wikipedia , lookup

Security-focused operating system wikipedia , lookup

Unix security wikipedia , lookup

Transcript 
BUILDING TRUST INTO A MULTILEVEL FILE SYSTEM
Cynthia E. Irvine, Todd B. Acheson, and Michael F. Thompson
Gemini Computers, Inc.
2511 Garden Road
Monterey, California 93940
Abstract
File systems are an intrinsic part of any operating system providing support for a general
application environment. To help provide general operating system functionality, a
multilevel file system is being built to run on the GEMSOS TCB. The process of
designing a file system for a multilevel environment, although similar in many respects to
that for its untrusted counterpart, should include consideration of factors which will render
its structure consistent with the trusted environment upon which it is built. The file
system should take advantage of the security mechanisms available from the TCB.
In this paper, two techniques are described which contribute to building trust into a file
system design. The first is the use of mandatory access controls as a constraining design
guide, and the second is the use of the intended discretionary access control policy as a
driver for design choices.
1. Introduction
At Gemini, significant effort is being focused on the development of general purpose operating system
support to execute as an untrusted application on a Trusted Computing Base (TCB) having the highest
level of assurance. The underlying TCB is the Gemini Multiprocessing Secure Operating System
(GEMSOS) [I], which is targeted for evaluation for a Class A1 rating according to the Trusted Computer
System Evaluation Criteria (TCSEC) [2]. A requirement for an A1 TCB is the exclusion of non-security
relevant functionality from the TCB. Thus it is the operating system executing on the TCB which will
provide the usual range of capabilities: memory management services, process management, UO device
management, and file system services. The purpose of this paper is to examine how one of these
services, a multilevel file system, can be designed to utilize the trust that has been achieved in the
security mechanisms of the underlying high assurance TCB. First, environments of the highest assurance
and those of lower assurance are contrasted and the overall impact of high assurance constraints on file
system design is described. Then, approaches to file system design consistent with requirements for the
highest levels of assurance are considered from the perspective of both Mandatory Access Controls
(MAC) and Discretionary Access Controls (DAC). Design techniques for the overlying multilevel
environment are described and, for developers of low assurance systems, methods are discussed which
may be employed to avoid intrinsic security flaws. The effect of security policy on file system design is
reviewed.
2. File System Design for the Highest Levels of Assurance
The requirements of the TCSEC for assurance undergo a major transition between Class B2 and Class
B3. It has been argued [3] that only systems of Classes B3 and A1 can be categorized as high assurance
because only systems in these evaluation classes are able to conclusively demonstrate that they contain a
security kernel. Systems of Classes B2 and lower cannot make this claim. To better address the issues
Reprinted from: Proceedings, 13th National Computer Security Conference, Natl. Inst. Std. & Tech. and Natl. Comp. Sec. Ctr.,
1990, pp. 450-459.
Related documents
Calhoun: The NPS Institutional Archive
Calhoun: The NPS Institutional Archive
Chapter 1
Chapter 1
Orange
Orange
Orange Book Summary - UMBC Center for Information Security and
Orange Book Summary - UMBC Center for Information Security and
Security-040510-building-assurance - Rose
Security-040510-building-assurance - Rose
Document
Document
Regional Plan for Regulatory System For Blood, Blood
Regional Plan for Regulatory System For Blood, Blood
How can you spot a marketing orientated business?
How can you spot a marketing orientated business?
Alison Mount
Alison Mount
Quality Management Slides
Quality Management Slides
Operating Systems Security
Operating Systems Security
CSC 405 Introduction to Computer Security
CSC 405 Introduction to Computer Security
PHYTOCHEMICAL, BIOLOGICAL AND TOXICOLOGICAL STUDIES
PHYTOCHEMICAL, BIOLOGICAL AND TOXICOLOGICAL STUDIES