lighted in section 3, which examines how application-space access control and cryptography cannot providemeaningful security without a secure operating system.Section 4 provides concrete examples of how securityefforts rely on these operating system security features.Section 5 discusses the role of operating system securitywith respect to overall system security.
2 The Missing Link
This section identiﬁes some features of secure operating systems which are necessary to protect application-space security mechanisms yet are lacking inmainstream operating systems. They form the “missinglink” of security. Although this section only deals withfeatures, it is important to note that features alone areinadequate. Assurance evidence must be provided todemonstrate that the features meet the desired systemsecurity properties and to demonstrate that the featuresare implemented correctly. Assurance is the ultimatemissing link; although approaches to providing assurance may be controversial, the importance of assuranceis undeniable.The list of features in this section is not intended tobe exhaustive; instead it is merely a small set of criticalfeatures that demonstrate the value of secure operatingsystems. A more complete discussion on secure operating systems, including discussions of assurance, can befound in ,  or . Subsequent sections arguethe necessity of these features by describing how application-space security mechanisms and current securityefforts employing them are vulnerable in their absence.
The TCSEC  provides a narrow deﬁnition of
which is tightly coupled to themulti-level security policy of the Department of Defense. This has become the commonly understooddeﬁnition for mandatory security. However, this deﬁnition is insufﬁcient to meet the needs of either theDepartment of Defense or private industry as it ignorescritical properties such as intransitivity and dynamicseparation of duty . This paper instead uses themore general notion of mandatory security deﬁned in, in which a mandatory security policy is consideredto be any security policy where the deﬁnition of the pol-icy logic and the assignment of security attributes istightly controlled by a system security policy administrator. Mandatory security can implement organization-wide security policies. Others have referred to this sameconcept as
in the context of role-based access control  and type enforcement.
Likewise, as deﬁned in , this paper uses a moregeneral notion of
in which a discretionary security policy is considered to be any security policy where ordinary users may be involved in thedeﬁnition of the policy functions and/or the assignmentof security attributes. Here discretionary security is notsynonymous with identity based access control; IBAC,like any other security policy, may be either mandatoryor discretionary.An operating system’s mandatory security policymay be divided into several kinds of policies, such as anaccess control policy, an authentication usage policy,and a cryptographic usage policy. A mandatory accesscontrol policy speciﬁes how subjects may access objectsunder the control of the operating system. A mandatoryauthentication usage policy speciﬁes what authentication mechanisms must be used to authenticate a principal to the system. A mandatory cryptographic usagepolicy speciﬁes what cryptographic mechanisms mustbe used to protect data. Additionally, various sub-systems of the operating system may have their ownmechanism usage policies. These subsystem-speciﬁcusage policies may be dependent on the cryptographicusage policy. For example, a network usage policy for arouter might specify that sensitive network trafﬁc shouldbe protected using IPSEC ESP  in tunneling modeprior to being sent to an external network. The selectionof a cryptographic algorithm for IPSEC ESP may bedeferred to the cryptographic usage policy.A secure system must provide a framework fordeﬁning the operating system’s mandatory security pol-icy and translating it to a form interpretable by theunderlying mandatory security mechanisms of the operating system. Without such a framework, there can beno real conﬁdence that the mandatory security mechanisms will provide the desired security properties.An operating system which provides mandatorysecurity may nonetheless suffer from the presence of high bandwidth covert channels. This is an issue when-ever the mandatory security policy is concerned withconﬁdentiality. This should not, however, be a reason toignore mandatory security. Even with covert channels,an operating system with basic mandatory controlsimproves security by increasing the required sophistica-
1.Actually, long ago, the term
was used for multi-level security as well .