Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Distributed firewall wikipedia , lookup
Information security wikipedia , lookup
Cyber-security regulation wikipedia , lookup
Trusted Computing wikipedia , lookup
Next-Generation Secure Computing Base wikipedia , lookup
Multilevel security wikipedia , lookup
Mobile security wikipedia , lookup
Computer security wikipedia , lookup
Calhoun: The NPS Institutional Archive Center for Information Systems Security Studies and Research (CISR) Faculty and Researcher Publications Collection 1990-00-00 Building Trust Into A Multilevel File System Irvine, Cynthia E. Proceedings, 13th National Computer Security Conference Proceedings, 13th National Computer Security Conference, Natl. Inst. Std. and Tech. and Natl. Comp. Sec. Ctr., 1990, pp. 450-459. http://hdl.handle.net/10945/7176 BUILDING TRUST INTO A MULTILEVEL FILE SYSTEM Cynthia E. Irvine, Todd B. Acheson, and Michael F. Thompson Gemini Computers, Inc. 2511 Garden Road Monterey, California 93940 Abstract File systems are an intrinsic part of any operating system providing support for a general application environment. To help provide general operating system functionality, a multilevel file system is being built to run on the GEMSOS TCB. The process of designing a file system for a multilevel environment, although similar in many respects to that for its untrusted counterpart, should include consideration of factors which will render its structure consistent with the trusted environment upon which it is built. The file system should take advantage of the security mechanisms available from the TCB. In this paper, two techniques are described which contribute to building trust into a file system design. The first is the use of mandatory access controls as a constraining design guide, and the second is the use of the intended discretionary access control policy as a driver for design choices. 1. Introduction At Gemini, significant effort is being focused on the development of general purpose operating system support to execute as an untrusted application on a Trusted Computing Base (TCB) having the highest level of assurance. The underlying TCB is the Gemini Multiprocessing Secure Operating System (GEMSOS) [I], which is targeted for evaluation for a Class A1 rating according to the Trusted Computer System Evaluation Criteria (TCSEC) [2]. A requirement for an A1 TCB is the exclusion of non-security relevant functionality from the TCB. Thus it is the operating system executing on the TCB which will provide the usual range of capabilities: memory management services, process management, UO device management, and file system services. The purpose of this paper is to examine how one of these services, a multilevel file system, can be designed to utilize the trust that has been achieved in the security mechanisms of the underlying high assurance TCB. First, environments of the highest assurance and those of lower assurance are contrasted and the overall impact of high assurance constraints on file system design is described. Then, approaches to file system design consistent with requirements for the highest levels of assurance are considered from the perspective of both Mandatory Access Controls (MAC) and Discretionary Access Controls (DAC). Design techniques for the overlying multilevel environment are described and, for developers of low assurance systems, methods are discussed which may be employed to avoid intrinsic security flaws. The effect of security policy on file system design is reviewed. 2. File System Design for the Highest Levels of Assurance The requirements of the TCSEC for assurance undergo a major transition between Class B2 and Class B3. It has been argued [3] that only systems of Classes B3 and A1 can be categorized as high assurance because only systems in these evaluation classes are able to conclusively demonstrate that they contain a security kernel. Systems of Classes B2 and lower cannot make this claim. To better address the issues Reprinted from: Proceedings, 13th National Computer Security Conference, Natl. Inst. Std. & Tech. and Natl. Comp. Sec. Ctr., 1990, pp. 450-459.