Chapter 5-1

Chapter 5 – Designing Trusted Operating Systems
In this section
- What is a trusted system?
- Security Policy
  - Military
  - Commercial
  - Clark-Wilson
  - Separation of Duty
  - Chinese Wall
- Models
  - Lattice Model
  - Bell-La Padula
  - Biba
  - Graham-Denning
  - Take-Grant
Designing Trusted OS
- Primary security in computing systems:
  - Memory
  - File
  - Objects/Access Control
  - User Authentication
- Trusted – we are confident that services are provided consistently and effectively
Making of a trusted OS
- Policy – requirements statement of what it should do
- Model – model of the environment to be secured; represents the policy to be enforced
- Design – the means of implementation; functionality and construction
- Trust – assurance of meeting expectations through the features offered
What is a trusted system?
- What makes something secure?
- For how long?
- Trusted Software – rigorously developed and analyzed
- Key Characteristics of Trusted Software:
  - Functional Correctness
  - Enforcement of Integrity
  - Limited Privilege
  - Appropriate Confidence Level
- We speak in terms of trusted and not secure
- Many types of Trust:
  - Trusted Process
  - Trusted Product
  - Trusted Software
  - Trusted Computing Base
  - Trusted System
- Through:
  - Enforcement of Security Policy
  - Sufficiency of Measures and Mechanism
  - Evaluation
Security Policy
- Security Policy – statement of the security we expect the system to enforce
- A trusted system can be trusted only in relation to its security policy, that is, to the security needs the system is expected to satisfy
Military Security Policy
- Basis of many OS security policies
- Based on protecting classified information
- Top Secret (most sensitive), Secret, Confidential, Restricted, Unclassified (least sensitive)
- Limited by the Need-to-Know rule: access is allowed only to subjects who need to know the data to perform their job
- Compartments – classified information may be associated with one or more projects describing the subject matter of the information
- Classification – <rank; compartments>
- This enforces need-to-know both by security level and by topic
- Clearance – a person is trusted to access information up to a given level of sensitivity, with need-to-know
- Dominance, on a set of objects (o) and subjects (s):
  s ≤ o if and only if
    rank(s) ≤ rank(o) and
    compartments(s) ⊆ compartments(o)
- We say o dominates s (or s is dominated by o)
- Dominance is used to limit the sensitivity and content of information a subject can access
- A subject can read an object only if:
  - the clearance level of the subject is at least as high as that of the information
  - the subject has a need-to-know for all compartments for which the information is classified
Commercial Security Policies
- Worried about espionage
- Degrees of sensitivity:
  - Public
  - Proprietary
  - Internal
- No dominance function for most commercial policies, since no formal clearance is needed
- Integrity and availability are just as, if not more, important than confidentiality
Clark-Wilson Commercial Security Policy
- This is based on integrity
- Policy on well-formed transactions:
  - Sequence of activities
  - Performing the steps in order, performing exactly the steps listed, and authenticating the individuals performing the steps (well-formed transactions)
- Goal: maintain consistency between internal data and the external (users') expectation of the data
- Constrained data items, which are processed by transformation procedures
Separation of Duty
- The required division of responsibilities is called separation of duty
- Accomplished manually by means of dual signatures
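As an added illustration, not part of the slides: a small transformation procedure that performs the steps of a transfer in a fixed order, checks that each individual is certified for it, and enforces separation of duty with a dual signature. The ledger, user names and amounts are constructed for the example.

```python
# Added example (not from the slides): a minimal Clark-Wilson style
# well-formed transaction. Constrained data items (CDIs) change only
# through a certified transformation procedure (TP) that runs its steps in
# a fixed order, checks who runs it, and enforces separation of duty by
# requiring a second, different user to approve (the "dual signature").
# Users, accounts and amounts below are constructed for illustration.

class Ledger:
    def __init__(self, balances, certified):
        self.cdis = dict(balances)       # CDI name -> constrained value
        self.certified = set(certified)  # (user, tp) pairs allowed to run tp
        self.log = []                    # audit trail of completed TPs

    def transfer(self, src, dst, amount, initiator, approver):
        """TP 'transfer': exactly these steps, in this order."""
        # Step 1: authenticate and authorise every individual in the TP
        for user in (initiator, approver):
            if (user, "transfer") not in self.certified:
                return "denied: %s not certified for transfer" % user
        # Step 2: separation of duty - dual signature by two distinct people
        if initiator == approver:
            return "denied: initiator and approver must differ"
        # Step 3: integrity verification before the CDIs are touched
        if amount <= 0 or self.cdis[src] < amount:
            return "denied: transfer would leave ledger inconsistent"
        # Step 4: apply the change and record who did what
        self.cdis[src] -= amount
        self.cdis[dst] += amount
        self.log.append((initiator, approver, src, dst, amount))
        return "ok"

def demo():
    ledger = Ledger({"acct-A": 100, "acct-B": 0},
                    [("alice", "transfer"), ("bob", "transfer")])
    r1 = ledger.transfer("acct-A", "acct-B", 40, "alice", "alice")  # SoD violation
    r2 = ledger.transfer("acct-A", "acct-B", 40, "alice", "carol")  # uncertified
    r3 = ledger.transfer("acct-A", "acct-B", 40, "alice", "bob")    # well-formed
    r4 = ledger.transfer("acct-A", "acct-B", 70, "alice", "bob")    # overdraw
    return (r1, r2, r3, r4), ledger.cdis["acct-A"], ledger.cdis["acct-B"]
```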
Chinese Wall Security Policy
- Used in legal, medical, investment and accounting firms
- Addresses conflict of interest
- The security policy builds on:
  - Objects – low level
  - Company groups – mid level
  - Conflict classes – high level; the groups of objects of competing companies are clustered
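Added example (not from the slides) of the three levels in code. The access rule applied is the standard Brewer-Nash simple security rule, which the slide itself does not spell out, and the company names and files are constructed.

```python
# Added example (not from the slides): a Chinese Wall access check.
# Objects belong to a company dataset; company datasets are grouped into
# conflict-of-interest classes. The rule applied (assumed here, not on the
# slides) is the standard one: a subject may access an object only if it
# belongs to a company dataset the subject has already accessed, or to a
# conflict class from which the subject has accessed nothing yet.
# Company names and files below are constructed.

from collections import defaultdict

# object -> company dataset (mid level); company -> conflict class (high level)
COMPANY_OF = {"bankA-q3.xlsx": "BankA", "bankB-audit.doc": "BankB",
              "oilX-reserves.pdf": "OilX"}
CONFLICT_CLASS = {"BankA": "banks", "BankB": "banks", "OilX": "oil"}

class ChineseWall:
    def __init__(self):
        # per-subject history: conflict class -> company dataset already touched
        self.history = defaultdict(dict)

    def may_read(self, subject, obj):
        company = COMPANY_OF[obj]
        touched = self.history[subject].get(CONFLICT_CLASS[company])
        # allowed if same company as before, or class never touched
        return touched is None or touched == company

    def read(self, subject, obj):
        if not self.may_read(subject, obj):
            return False
        company = COMPANY_OF[obj]
        self.history[subject][CONFLICT_CLASS[company]] = company
        return True

def demo():
    wall = ChineseWall()
    r1 = wall.read("analyst", "bankA-q3.xlsx")      # first bank: allowed
    r2 = wall.read("analyst", "bankB-audit.doc")    # competing bank: refused
    r3 = wall.read("analyst", "oilX-reserves.pdf")  # other class: allowed
    r4 = wall.read("analyst", "bankA-q3.xlsx")      # same company again: allowed
    return r1, r2, r3, r4
```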
Models of Security
- Security models are used to:
  - Test a particular policy for completeness and consistency
  - Document policy
  - Help conceptualize and design an implementation
  - Check whether an implementation meets its requirements
- Policy is established outside any model
- A model is only a mechanism that enforces the policy
Multilevel Security
- Build a model to represent a range of sensitivities and to reflect the need to separate subjects rigorously from objects to which they should not have access
- The generalized model is called the Lattice Model of Security
Bell-La Padula Confidentiality Model
- Formal description of allowable paths of information flow in a secure system
- Formalization of the military security policy
- Two properties:
  - Simple Security Property – a subject s may have read access to object o only if C(o) ≤ C(s)
  - *-Property – a subject s who has read access to an object o may have write access to an object p only if C(o) ≤ C(p)
  - C(s) – clearance; C(o) – classification
- Write-down – a high-level subject transfers high-level data to a low-level object (prevented by the *-property)
Figure 5-7 Secure Flow of Information.
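Added example (not from the slides) covering both the dominance relation of the military security policy and the two Bell-La Padula properties above. The rank names are those of the military policy slide; the compartments, subject and objects are constructed.

```python
# Added example (not from the slides): labels of the form <rank; compartments>
# with the dominance relation from the military policy, and the two
# Bell-La Padula properties built on it. Compartments and object names
# below are constructed for illustration.

RANKS = {"unclassified": 0, "restricted": 1, "confidential": 2,
         "secret": 3, "top secret": 4}

class Label:
    def __init__(self, rank, compartments=()):
        self.rank = RANKS[rank]
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        """self dominates other: rank >= AND compartments are a superset."""
        return (self.rank >= other.rank
                and self.compartments >= other.compartments)

def can_read(subject_clearance, obj_classification):
    """Simple security property: s may read o only if C(o) <= C(s)."""
    return subject_clearance.dominates(obj_classification)

def can_write(objects_read, target_classification):
    """*-property: having read objects o, s may write p only if C(o) <= C(p)
    for every such o, so nothing it has seen can be written down."""
    return all(target_classification.dominates(c) for c in objects_read)

def demo():
    # a Secret-cleared analyst with need-to-know for crypto and nuclear
    analyst = Label("secret", {"crypto", "nuclear"})
    memo = Label("confidential", {"crypto"})   # dominated -> readable
    plan = Label("secret", {"crypto", "bio"})  # lacks need-to-know for bio
    brief = Label("top secret", {"crypto"})    # rank too high
    public = Label("unclassified")             # lowest object
    reads = (can_read(analyst, memo), can_read(analyst, plan),
             can_read(analyst, brief))
    # after reading memo, writing to public would be a write-down
    write_down = can_write([memo], public)
    # writing into the top-secret brief keeps the flow upward
    write_up = can_write([memo], brief)
    return reads, write_down, write_up
```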
Biba Integrity Model
- The Bell-La Padula model applies only to secrecy
- Biba is about integrity and defines integrity levels
- Properties:
  - Simple Integrity Property – subject s can modify (have write access to) object o only if I(s) ≥ I(o)
  - *-Property – if subject s has read access to object o with integrity level I(o), s can have write access to object p only if I(o) ≥ I(p) [write-down]
- Totally ignores secrecy
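Added example (not from the slides) that applies the two Biba properties exactly as stated above: a subject records what it has read so that the *-property can be checked at write time. The integrity level names and the subject are constructed.

```python
# Added example (not from the slides): the two Biba properties as stated
# above, over numeric integrity levels, tracking what a subject has read
# so that the *-property can be evaluated. Levels and names are
# constructed for illustration.

INTEGRITY = {"untrusted": 0, "user": 1, "system": 2, "kernel": 3}

class Subject:
    def __init__(self, name, level):
        self.name = name
        self.level = INTEGRITY[level]
        self.read_levels = []  # integrity levels of objects already read

    def read(self, obj_level):
        # the properties above restrict writes, not reads; a read is only
        # recorded so the *-property can consult it later
        self.read_levels.append(INTEGRITY[obj_level])

    def can_write(self, obj_level):
        target = INTEGRITY[obj_level]
        # Simple integrity property: modify o only if I(s) >= I(o)
        if self.level < target:
            return False
        # *-property: having read o, write p only if I(o) >= I(p) for each o,
        # so low-integrity input cannot flow into a higher-integrity object
        return all(seen >= target for seen in self.read_levels)

def demo():
    daemon = Subject("update-daemon", "system")
    w_user_before = daemon.can_write("user")     # I(s)=2 >= 1: allowed
    w_kernel = daemon.can_write("kernel")        # I(s)=2 < 3: refused
    daemon.read("untrusted")                     # reads an untrusted download
    w_user_after = daemon.can_write("user")      # read I=0 < 1: refused
    w_untrusted = daemon.can_write("untrusted")  # 0 >= 0: allowed
    return w_user_before, w_kernel, w_user_after, w_untrusted
```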
Graham-Denning Model
- Formal system of protection rules
- Access control mechanism (matrix) of a protection system
- Eight primitive protection rights:
  - Create object, create subject, delete object and delete subject
  - Read access
  - Grant access
  - Delete access right
  - Transfer access right
- Matrix: A[s,o]
Take-Grant Systems
- Four primitives: create, revoke, take and grant
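Added example (not from the slides): a protection graph with the four primitives named above. The rewriting rules for take and grant are the standard ones for the model and are assumed here; the vertex names are constructed.

```python
# Added example (not from the slides): a take-grant protection graph with
# the four primitives named on the slide. Vertices are subjects/objects; a
# directed edge carries the set of rights its source holds over its target,
# among them the special rights "t" (take) and "g" (grant). The rewriting
# rules are the model's standard ones and are assumed here.

from collections import defaultdict

class TakeGrant:
    def __init__(self):
        self.edges = defaultdict(set)  # (x, y) -> rights x holds over y

    def create(self, x, y, rights):
        """create: x makes a new vertex y and gets `rights` over it."""
        if y in {v for e in self.edges for v in e}:
            return False
        self.edges[(x, y)] |= set(rights)
        return True

    def take(self, x, y, z, rights):
        """take: if x has 't' over y and y has `rights` over z, x gets them."""
        if "t" in self.edges[(x, y)] and set(rights) <= self.edges[(y, z)]:
            self.edges[(x, z)] |= set(rights)
            return True
        return False

    def grant(self, x, y, z, rights):
        """grant: if x has 'g' over y and x has `rights` over z, y gets them."""
        if "g" in self.edges[(x, y)] and set(rights) <= self.edges[(x, z)]:
            self.edges[(y, z)] |= set(rights)
            return True
        return False

    def revoke(self, x, y, rights):
        """revoke: x drops `rights` it holds over y."""
        self.edges[(x, y)] -= set(rights)
        return True

    def rights(self, x, y):
        return frozenset(self.edges.get((x, y), set()))
```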