CHAPTER 4

Designing Trusted Operating

Systems
 Designing Trusted Operating Systems
An operating system is trusted if we have confidence that it provides these four
services consistently and effectively.
 Policy - every system can be described by its requirements: statements of what
the system should do and how it should do.
 Model - designers must be confident that the proposed system will meet its
requirements while protecting appropriate objects and relationships.
 Design - designers choose a means to implement it.
 Trust - trust in the system is rooted in two aspects:
o FEATURES - the operating system has all the necessary functionality needed to
enforce the expected security policy.
o ASSURANCE - the operating system has been implemented in such a way that we
have confidence it will enforce the security policy correctly and effectively.
 What Is a Trusted System?
 Software is trusted software if we know that the code has been
rigorously developed and analysed, giving us reason to trust that
the code does what it is expected to do and nothing more.
Certain key characteristics:
o Functional correctness
o Enforcement of integrity
o Limited privilege
o Appropriate confidence level
 Cont.…
Security professionals prefer to speak of trusted instead
of secure operating systems.
 Secure reflects a dichotomy: Something is either secure
or not secure.
 Trust is not a dichotomy; degrees of trust
Cont.….
 Trusted System Design Elements
 Security considerations pervade the design and
structure of operating systems implies two things.
1. An operating system controls the interaction between subjects
and objects, so security must be considered in every aspect of
its design.
2. Because security appears in every part of an operating system,
its design and implementation cannot be left fuzzy or vague
until the rest of the system is working and being tested.
 Cont.….
Several important design principles are quite particular to security and
essential for building a solid, trusted operating system.
 Least privilege: Each user and each program should operate by
using the fewest privileges possible.
 Economy of mechanism: The design of the protection system
should be small, simple, and straightforward. Such a protection
system can be carefully analyzed, exhaustively tested, perhaps
verified, and relied on.
 Open design: An open design is available for extensive public
scrutiny, thereby providing independent confirmation of the design
security.
 Cont.….
 Complete mediation: Every access attempt must be
checked. Both direct access attempts (requests) and
attempts to circumvent the access checking mechanism
should be considered, and the mechanism should be
positioned so that it cannot be circumvented.
 Permission based: The default condition should be denial
of access. A conservative designer identifies the items
that should be accessible, rather than those that should
not.
Cont.…
Separation of privilege: Ideally, access to objects should
depend on more than one condition, such as user
authentication plus a cryptographic key. In this way, someone
who defeats one protection system will not have complete
access.
Least common mechanism: Shared objects provide potential
channels for information flow. Systems employing physical or
logical separation reduce the risk from sharing.
Ease of use: If a protection mechanism is easy to use, it is
unlikely to be avoided.
Security Features of Ordinary Operating Systems
Security Features of Ordinary Operating Systems
 User authentication.
 Memory protection.
 File and I/O device access control.
 Allocation and access control to general objects.
 Enforced sharing.
 Guaranteed fair service.
 Inter-process communication and synchronization.
 Protected operating system protection data.
 Security Features of Trusted Operating Systems
Security Features of Trusted Operating Systems
 Identification and Authentication
o Trusted operating systems require secure identification of individuals,

and each individual must be uniquely identified.

 Mandatory and Discretionary Access Control
o Mandatory access control (MAC) means that access control policy

decisions are made beyond the control of the individual owner of an

object.
o Discretionary access control (DAC) leaves a certain amount of access

control to the discretion of the object's owner or to anyone else who is

authorized to control the object's access
 Cont.…
 Object Reuse Protection
o To prevent object reuse leakage, operating systems clear
(that is, overwrite) all space to be reassigned before
allowing the next user to have access to it.
 Complete Mediation
o All accesses must be controlled.
 Trusted Path
o Want an unmistakable communication, called a trusted
path, to ensure that they are supplying protected
information only to a legitimate receiver.
Cont.…
 Accountability and Audit
o Accountability usually entails maintaining a log of security-
relevant events that have occurred, listing each event and
the person responsible for the addition, deletion, or change.
This audit log must obviously be protected from outsiders,
and every security-relevant event must be recorded.
 Intrusion Detection
o Intrusion detection software builds patterns of normal
system usage, triggering an alarm any time the usage seems
abnormal.
 Kernelized Design
 A security kernel is responsible for enforcing the
security mechanisms of the entire operating system.
 The security kernel provides the security interfaces
among the hardware, operating system, and other
parts of the computing system.
 Typically, the operating system is designed so that the
security kernel is contained within the operating
system kernel.
 Cont.…
Several good design reasons why security functions may be isolated
in a security kernel.
 Coverage. Every access to a protected object must pass through
the security kernel.
 Separation. Isolating security mechanisms both from the rest of
the operating system and from the user space makes it easier to
protect those mechanisms from penetration by the operating
system or the users.
 Unity. All security functions are performed by a single set of
code, so it is easier to trace the cause of any problems that arise
with these functions.
 Cont.…
 Modifiability. Changes to the security mechanisms are
easier to make and easier to test.
 Compactness. Because it performs only security
functions, the security kernel is likely to be relatively
small.
 Verifiability. Being relatively small, the security kernel
can be analyzed rigorously. For example, formal methods
can be used to ensure that all security situations (such as states
and state changes) have been covered by the design.
 Assurance in Trusted Operating Systems
Typical Operating System Flaws
o Known Vulnerabilities
 User interaction is the largest single source of operating system
vulnerabilities
 An ambiguity in access policy.
 Incomplete mediation
 Generality is a fourth protection weakness, especially among
commercial operating systems for large computing systems.
Cont.…
Assurance Methods
 Testing
 Testing is the most widely accepted assurance technique.
 However, conclusions based on testing are necessarily
limited, for the following reasons:
o Testing can demonstrate the existence of a problem, but
passing tests does not demonstrate the absence of
problems.
o Testing adequately within reasonable time or effort is
difficult because the combinatorial explosion of inputs and
internal states makes testing very complex.
Cont.…
o Testing based only on observable effects, not on the
internal structure of a product, does not ensure any
degree of completeness.
o Testing based on the internal structure of a product
involves modifying the product by adding code to
extract and display internal states. That extra
functionality affects the product's behavior and can
itself be a source of vulnerabilities or mask other
vulnerabilities.
 Cont.…
 Penetration Testing
o A testing strategy often used in computer security is called
penetration testing, tiger team analysis, or ethical hacking.
o A team of experts in the use and design of operating systems
tries to crack the system being tested.
 Formal Verification
o The most rigorous method of analyzing security is through
formal verification
o Two principal difficulties with formal verification methods:
Cont.…
 Time. The methods of formal verification are time consuming
to perform.
o Stating the assertions at each step and verifying the
logical flow of the assertions are both slow processes.
 Complexity. Formal verification is a complex process.
o For some systems with large numbers of states and
transitions, it is hopeless to try to state and verify the
assertions.
o This situation is especially true for systems that have not
been designed with formal verification in mind.
Cont.…
 Validation
o Validation is the counterpart to verification, assuring that the
system developers have implemented all requirements.
o Validation makes sure that the developer is building the right
product (according to the specification)
o Verification checks the quality of the implementation
o Several different ways to validate an operating system
 Requirements checking.
 Design and code reviews.
 System testing.
Summary of Security in Operating Systems
 Developing secure operating systems involves four activities.
o The environment to be protected must be well understood.
o Policy statements and models
o The essential components of systems are identified
o The interactions among components can be studied.
 A system to implement it must be designed to provide the
desired protection.
 Assurance that the design and its implementation are correct