Security Kernel Design and Implementation: An Introduction

Ames,; Gasser,; Schell, Roger R.

doi:10.1109/mc.1983.1654439

Cited by 72 publications

(25 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A security kernel [2] is a fail-controlled subsystem trusted to execute a few functions correctly, albeit immersed in an environment subjected to malicious faults. In the past, security kernels have mainly been used as intrusion prevention devices, by supporting the mediation/protection of all system interactions, and/or all accesses to system resources.…”

Section: Introductionmentioning

confidence: 99%

The Design of a COTS Real-Time Distributed Security Kernel

Correia

Verı́ssimo

Neves

2002

Dependable Computing EDCC-4

View full text Add to dashboard Cite

Abstract. This paper describes the design of a security kernel called TTCB, which has innovative features. Firstly, it is a distributed subsystem with its own secure network. Secondly, the TTCB is real-time, that is, a synchronous subsystem capable of timely behavior. These two characteristics together are uncommon in security kernels. Thirdly, the TTCB can be implemented using only COTS components. We discuss essentially three things in this paper: (1) The TTCB is a simple component providing a small set of basic secure services. It aims at building a new style of protocols to achieve intrusion tolerance, which for the most part execute in insecure, arbitrary failure environments, and resort to the TTCB only in crucial parts of their operation. (2) Besides, the TTCB is a synchronous device supplying functions that may be an enabler of a new generation of timed secure protocols, until now known to be fragile due to attacks on timing assumptions. (3) Finally, we present a design methodology that establishes our hybrid failure assumptions in a well-founded manner. It helps us to achieve a robust design, despite using exclusively COTS components, with the advantage of allowing the security kernel to be easily deployed on widely used platforms.

show abstract

Section: Introductionmentioning

confidence: 99%

The Design of a COTS Real-Time Distributed Security Kernel

Correia

Verı́ssimo

Neves

2002

Dependable Computing EDCC-4

View full text Add to dashboard Cite

show abstract

“…This approach is inherently incapable of enforcing security [31]. Some operating systems over the years deploy mandatory access control (MAC) for controlling, even malicious, programs, but mandatory access control systems that aim to enforce strong integrity guarantees [4,12,23,30,53] have not seen broad use, and the application of MAC enforcement to conventional systems [41,43] has been hampered by complexity and enforcement of informal goals, such as least privilege [51]. Solworth argues for improved testing effectiveness and reduced complexity in operating systems [56], which we agree are insufficient in current MAC systems.…”

Section: System Configurationmentioning

confidence: 99%

Designing for Attack Surfaces: Keep Your Friends Close, but Your Enemies Closer

Jaeger

Muthukumaran

et al. 2015

Security, Privacy, and Applied Cryptography Engineering

View full text Add to dashboard Cite

Abstract.It is no surprise to say that attackers have the upper hand on security practitioners today when it comes to host security. There are several causes for this problem ranging from unsafe programming languages to the complexity of modern systems at large, but fundamentally, all of the parties involved in constructing and deploying systems lack a methodology for reasoning about the security impact of their design decisions. Previous position papers have focused on identifying particular parties as being "enemies" of security (e.g., users and application developers), and proposed removing their ability to make securityrelevant decisions. In this position paper, we take this approach a step further by "keeping the enemies closer," whereby the security ramifications of design and deployment decisions of all parties must be evaluated to determine if they violate security requirements or are inconsistent with other party's assumptions. We propose a methodology whereby application developers, OS distributors, and system administrators propose, evaluate, repair, and test their artifacts to provide a defensible attack surface, the set of entry points available to an attacker. We propose the use of a hierarchical state machine (HSM) model as a foundation for automatically evaluating attack surfaces for programs, OS access control policies, and network policies. We examine how the methodology tasks can be expressed as problems in the HSM model for each artifact, motivating the possibility of a comprehensive, coherent, and mostly-automated methodology for deploying systems to manage accessibility to attackers.

show abstract

“…[2] The label space may support confidentiality and integrity policies as well as non-hierarchical categories, [26] A security kernel usually provides a hardware-supported ring abstraction [43][44] and can host trusted subjects. [39] The rings can separate applications within a process.…”

Section: Security Kernelmentioning

confidence: 99%

Analysis of three multilevel security architectures

Levin

Irvine

Weissman

et al. 2007

Proceedings of the 2007 ACM Workshop on Computer Security Architecture

View full text Add to dashboard Cite

Various system architectures have been proposed for high assurance enforcement of multilevel security. This paper provides an analysis of the relative merits of three architectural types -one based on a security kernel, another based on a traditional separation kernel, and a third based on a least-privilege separation kernel. We introduce the Least Privilege architecture, which incorporates security features from the recent "Separation Kernel Protection Profile," and show how it can provide several unique aspects of security and assurance, although each architecture has advantages.

show abstract

Security Kernel Design and Implementation: An Introduction

Cited by 72 publications

References 8 publications

The Design of a COTS Real-Time Distributed Security Kernel

The Design of a COTS Real-Time Distributed Security Kernel

Designing for Attack Surfaces: Keep Your Friends Close, but Your Enemies Closer

Analysis of three multilevel security architectures

Contact Info

Product

Resources

About