Branstad, M., Tajalli, H., Mayer, F., and Dalva, D. 1989. Access mediation in a message passing kernel. In Proc. IEEE Symp. on Security and Privacy (Oakland, CA, 1989), pp. 66--72.
....environment as a basis [Sch75]. An essential presumption of the security arguments for these designs was that the system layers underpinning the operating system, whether hardware, firmware, or both, were trusted. We find it surprising, given the great attention paid to operating system security [MBD89] [EKO94] over the years, that so little attention has been paid to the underpinnings required for secure operation, e.g. a secure bootstrapping phase for these operating systems. In effect, these secure systems were operating in an environment that was established by unsecure software. Over ....
F. Mayer, M. Branstad, H. Tajalli, and D. Dalva. Access mediation in a message-passing kernel. In IEEE Conference on Security and Privacy, pages 66--71, 1989.
....system environment as a basis [24]. An essential presumption of the security arguments for these designs was that system layers underpinning the operating system, whether hardware, firmware, or both, are trusted. We find it surprising, given the great attention paid to operating system security [16] [9], that so little attention has been paid to the underpinnings required for secure operation, e.g. a secure bootstrapping phase for these operating systems. Without such a secure bootstrap the operating system kernel cannot be trusted since it is invoked by an untrusted process. Designers of ....
F. Mayer, M. Branstad, H. Tajalli, and D. Dalva. Access mediation in a message-passing kernel. In IEEE Conference on Security and Privacy, pages 66-71, 1989.
....tools [38]. Asynchronous RPC was removed from Amoeba 2.0 as having been a truly dreadful decision and impossible to program correctly [39]. Asynchronous IPC is also highly problematic for attaining the TCSEC B3 level of assurance for multilevel security in OSs (e.g. in Trusted Mach [40]). Invocation parameters are passed into the invoked object's domain on invocation, and when the invocation is complete, return parameters are passed back to the invoking object's domain. All invocation (request and reply) parameters, except capabilities, are passed by value on the current frame ....
Branstad, M.A., H. Tajalli, F. Mayer, and D. Dalva, Access Mediation in a Message-Passing Kernel, Proceedings of the IEEE Symposium on Security and Privacy, May 1989.
....a Mach microkernel, the DTE features are located in relatively high layers of the UNIX server's architecture, require no knowledge of microkernel interfaces, and are therefore reasonably portable to kernelized UNIX systems. We have also recently ported the DTE prototype to run on TMach Version 0.2 [7], a high assurance trusted computing base designed to satisfy DoD security requirements as specified in the Trusted Computer System Evaluation Criteria [20]. Even though TMach employs a TMach-specific file system format, the integration required almost no change to the DTE implementation because ....
M. Branstad, H. Tajalli, F. Mayer, D. Dalva, "Access Mediation in a Message Passing Kernel, " 1989 IEEE Symposium on Security and Privacy, p. 66, Oakland, CA, May 1989.
....to guard them from possibly damaging input (e.g. attacks on weak or overly privileged portions of a system's API), thus increasing their overall strength. The wrapper approach, therefore, contrasts with, but is complementary to, that of Trusted Systems [26] such as Trusted XENIX [27] and Trusted Mach [7], which are built from the ground up with support for enhanced security. In the following sections, we present our central wrapper concepts, several applications for wrappers, design and implementation issues, capabilities and limitations, and performance. Sections 2 and 3 present our wrapper ....
M. Branstad, H. Tajalli, F. Mayer, and D. Dalva. Access Mediation in a Message Passing Kernel. In Proceedings of the 1989 IEEE Symposium on Security and Privacy, pages 66--72, May 1989.
....policy as part of the application code. This solution, however, is dangerous from a security viewpoint since it makes the tasks of verification, modification, and adequate enforcement of the policy difficult. The recent implementations of microkernel-based operating systems (e.g. Trusted Mach [4], Synergy [10] and Distributed Trusted Operating System (DTOS) [6]) cleanly separate the policy enforcement from the policy decision. A policy-neutral security server which is inside the microkernel is responsible for the enforcement of the policy decision; the policy decision is left to a ....
M. Branstad, H. Tajalli, F. Mayer, and D. Dalva. Access mediation in a message passing kernel. In Proc. IEEE Symp. on Security and Privacy, pages 66--72, Oakland, CA, May 1989.
....produce an MLS UNIX computing service using untrusted hosts sharing a multilevel file server via trusted network interface units. By 1987 at least half a dozen projects were underway [NRL87], and similar ones have continued to the present, for example in the TMach, DTMach, and Synergy efforts [Bran89] [Fine93] [Sayd94]. Developments during the 1980s underlined the cost of developing software to meet criteria for high assurance. IBM reported, for example, that 80% of the resources used to modify Xenix to meet TCSEC class B2 requirements went toward satisfying the assurance requirements; ....
Branstad, Martha, H. Tajalli, F. Mayer, D. Dalva, "Access Mediation in a Message Passing Kernel," Proc. 1989 IEEE Computer Society Symposium on Security and Privacy, Oakland, California, IEEE CS Press, 66-72.
....Distributed Trusted Mach (DTMach) is an operating system currently being designed by Secure Computing Corporation. The goal of the project is to use the Mach 3.0 kernel as the base for a secure, distributed system. The DTMach design is an outgrowth of three related efforts: Mach [12], TMach [1, 2], and LOCK TM [11]. As a first step in developing the DTMach security policy, a categorization of general security concerns was constructed. Concerns that were not adequately addressed by the Mach 3.0 kernel indicated potential security vulnerabilities. This paper describes these general ....
Martha Branstad, Homayoon Tajalli, Frank Mayer, and David Dalva, "Access Mediation in a Message Passing Kernel," IEEE Symposium on Security and Privacy, pages 66-72, May 1989.
....systems the access control policy is hierarchically distributed among agents in several logically or even physically independent layers, and the overall system access control policy is a composition of the policies enforced by each layer. In secure, microkernel operating systems such as TMach [4], the mandatory access control policy is implemented by a combination of the kernel and system tasks called servers. The discretionary access control policy, furthermore, is completely implemented by servers. Systems like Synergy [10] and the UC Davis Silo [14] take this idea a step further by ....
Martha Branstad, Homayoon Tajalli, Frank Mayer, and David Dalva. Access mediation in a message passing kernel. In Proceedings of the 1989 IEEE Computer Society Symposium on Research in Security and Privacy, pages 66--72, Oakland, California, May 1989.
....system environment as a basis [20]. An essential presumption of the security arguments for these designs was that system layers underpinning the operating system, whether hardware, firmware, or both, are trusted. We find it surprising, given the great attention paid to operating system security [13] [8], that so little attention has been paid to the underpinnings required for secure operation, e.g. a secure bootstrapping phase for these operating systems. Without such a secure bootstrap the operating system kernel cannot be trusted since it is invoked by an untrusted process. Designers of ....
M. Branstad, H. Tajalli, F. Mayer, and D. Dalva. Access mediation in a message-passing kernel. In IEEE Conference on Security and Privacy (1989), pp. 66--71.
....environment as a basis [13]. An essential presumption of the security arguments for these designs was that the system layers underpinning the operating system, whether hardware, firmware, or both, were trusted. We find it surprising, given the great attention paid to operating system security [14] [15], that so little attention has been paid to the underpinnings required for secure operation, e.g. a secure bootstrapping phase for these operating systems. In a computer system, the integrity of lower layers is typically treated as axiomatic by higher layers. Under the presumption that the ....
F. Mayer, M. Branstad, H. Tajalli, and D. Dalva, "Access mediation in a message-passing kernel," in IEEE Conference on Security and Privacy, 1989, pp. 66--71.
....environment as a basis [23]. An essential presumption of the security arguments for these designs was that the system layers underpinning the operating system, whether hardware, firmware, or both, were trusted. We find it surprising, given the great attention paid to operating system security [24], [25], that so little attention has been paid to the underpinnings required for secure operation, e.g. a secure bootstrapping phase for these operating systems. Under the presumption that the hardware comprising the machine (the lowest layer) is valid, the integrity of a layer can be guaranteed ....
M. Branstad, H. Tajalli, F. Mayer, and D. Dalva. Access mediation in a message passing kernel. In Proceedings of IEEE Symposium on Security and Privacy, pages 66--72, Oakland, CA, May 1989.