18 citations found.
Fine, T. and Minear, S. E. 1993. Assuring distributed trusted mach. In Proc. IEEE Symp. on Security and Privacy (Oakland, CA, 1993), pp. 206--218.


This paper is cited in the following contexts:
A Secure Network Server - Ajay Chitturi Chitturi

....Chapter 1: Introduction. The widespread use of computers and networks has emphasized the necessity for secure operating systems and network security mechanisms. Security in operating systems has long been a topic of research [19, 7, 8] and this has led to the formulation of different security models and policies for operating systems. Some basic differences exist between the security requirements for stand-alone systems and networks. This chapter gives a brief introduction to the concepts related to network security. In a ....

T. Fine and S. E. Minear. Assuring distributed trusted mach. In Proceedings of the


Escort: Securing Scout Paths - Spatscheck (1999)   (1 citation)

....extension can consume all the extension's resources, even those allocated by other users. As a consequence, all the users of an extension have to trust each other. Capability based systems like Keykos with KeySafe [15], Eros [75], Mach [1] or one of its many derivatives like DTOS [73], DTMACH [29], TRIAD [80] and TMACH [78] have the same goal as Escort to support the principle of least privilege. However, capability based systems have the drawback of not being able to control the migration and efficient revocation of capabilities. Additionally, in many cases the management of dynamic ....

Todd Fine and Spencer E. Minear. Assuring distributed trusted Mach. Technical report, Secure Computing Corporation, 1210 West Country Road E, Suite 100, Arden Hills, Minnesota 55112.


The JavaSeal Mobile Agent Kernel - Vitek, Bryce (1999)   (15 citations)

....in its environment, and imposes security constraints on these messages. In contrast, a seal is not able to peek and poke the internals of any of its children seals, or of any other seal. The design has been inspired by the Fluke micro kernel [14] and work on interposition in operating systems [12, 15, 16]. We have not addressed interposition of low level resources such as memory and the scheduler as this requires modifications to the virtual machine [3]. Two types of agents: In JavaSeal there are two categories of agents. The leaves of the seal hierarchy, which are called complets, are ....

....achieve this level of security, rather a fundamental redesign of the JDK. Protection domains are also an operating system issue and many of the ideas here are influenced by such work. For instance, the hierarchical model is influenced by Fluke [14] and L3 [27] as well as by work on interposition [12, 15, 16]. 8 Conclusion. This paper has described the JavaSeal platform. This is a secure kernel for mobile environments (envlets) and mobile objects (complets). JavaSeal is a kernel in that it offers minimal service functionality. Since services differ between sites, one should be able to build different ....

T. Fine and S. E. Minear. Assuring Distributed Trusted Mach. In IEEE, editor, Proceedings of the 32nd IEEE Conference on Decision and Control, San Antonio, TX, USA, December 15--17, 1993, pages 206--217, 1109 Spring Street, Suite 300, Silver Spring, MD 20910, USA, 1993. IEEE Computer Society Press.


Data Security - Samarati, Jajodia (1999)

....a change of policy does not necessarily require changing the whole implementation. Third, it is possible to devise mechanisms that can enforce multiple policies at the same time, thus allowing users to choose the policy that best suits their needs when stating protection requirements on their data [22, 28, 29, 46, 50]. The definition and formalization of a set of policies specifying the working of the access control system, providing thus an abstraction of the control mechanism, is called a model. A main classification of access control policies distinguishes between discretionary and mandatory policies (and ....

T. Fine and S. E. Minear. Assuring distributed trusted mach. In Proc. IEEE Symp. on Security and Privacy, Oakland, CA, May 1993.


A Domain and Type Enforcement UNIX Prototype - Badger (1996)   (22 citations)

....layer provides UNIX services. As a consequence, the type enforcement mechanism controls UNIX emulations instead of individual UNIX applications and does not distinguish among multiple applications running on a single UNIX emulation. This limitation also exists for a Mach based LOCK derivative [14], which adds type enforcement to the Mach port, task, and virtual memory abstractions but provides no type enforcement within the UNIX emulation layer. In [24] type enforcement was added to Trusted XENIX as a TCB subset. This system provides type enforcement at the UNIX system call interface and ....

T. Fine and S. E. Minear, "Assuring Distributed Trusted Mach," 1993 IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, CA, p. 206, 1993.


The JavaSeal Mobile Agent Kernel - Bryce, Vitek (1999)   (15 citations)

....approach would push security onto the operating system without solving any of the underlying issues. In operating systems research, the issue of defining flexible security policies is a well known problem. Several research groups have advocated interposition as a technique for enforcing security [16, 17, 18]. This technique relies on being able to intercept all requests to the operating system and interposing security checks to decide whether the request should be forwarded to the operating system. The hierarchical model of JavaSeal was designed to support arbitrary levels of transparent ....

T. Fine and S. E. Minear. Assuring Distributed Trusted Mach. In IEEE, editor, Proceedings of the 32nd IEEE Conference on Decision and Control, San Antonio, TX, USA, December 15--17, 1993, pages 206--217, 1109 Spring Street, Suite 300, Silver Spring, MD 20910, USA, 1993. IEEE Computer Society Press.


The JavaSeal Mobile Agent Kernel - Bryce, Vitek (1999)   (15 citations)

.... As we mentioned, type casting and sharing can easily violate the constraint that one domain not reference an object of another domain (name space). The hierarchical communication model has been inspired by the Fluke micro kernel [13], L3 [27] and work on interposition in operating systems [11, 14, 15]. We have not addressed interposition of low level resources such as memory and the scheduler as this requires modifications to the virtual machine [3]. 8 Conclusion. This paper has described the JavaSeal platform. This is a secure kernel for mobile environments (envlets) and mobile objects ....

T. Fine and S. E. Minear. Assuring Distributed Trusted Mach. In IEEE, editor, Proceedings of the 32nd IEEE Conference on Decision and Control, San Antonio, TX, USA, December 15--17, 1993, pages 206--217, 1109 Spring Street, Suite 300, Silver Spring, MD 20910, USA, 1993. IEEE Computer Society Press.


The Flask Security Architecture: System Support.. - Spencer, Smalley, .. (1998)   (21 citations)

.... for capability based mechanisms [22]. In addition to limiting privileges, overriding the actual identification can be used to provide anonymity in communications or to allow for transparent interposition, such as through a network IPC server connecting the client and server in a distributed system [11]. [Figure 3: Requesting and caching security decisions in Flask.] A client requests ....

T. Fine and S. E. Minear. Assuring Distributed Trusted Mach. In Proceedings IEEE Computer Society Symposium on Research in Security and Privacy, pages 206--218, May 1993.


The Flask Security Architecture: System Support.. - Spencer, Smalley, .. (1998)   (21 citations)

.... for capability based mechanisms [21]. In addition to limiting privileges, overriding the actual identification can be used to provide anonymity in communications or to allow for transparent interposition, such as through a network IPC server connecting the client and server in a distributed system [11]. The Flask microkernel provides this service directly as part of IPC processing, rather than relying upon complicated and potentially expensive external authentication protocols such as those in Spring and the Hurd [7]. The microkernel provides the SID of the client to the server along with the ....

T. Fine and S. E. Minear. Assuring Distributed Trusted Mach. In Proceedings IEEE Computer Society Symposium on Research in Security and Privacy, pages 206--218, May 1993.


A Logical Language for Expressing Authorizations - Jajodia, Samarati, Subrahmanian (1997)   (61 citations)

....dangerous from a security viewpoint since it makes the tasks of verification, modification, and adequate enforcement of the policy difficult. The recent implementations of the microkernel based operating systems (e.g. Trusted Mach [4], Synergy [10], and Distributed Trusted Operating System (DTOS) [6]) cleanly separate the policy enforcement from the policy decision. A policy neutral security server which is inside the microkernel is responsible for the enforcement of the policy decision; the policy decision is left to a security server which is outside the microkernel. Since the computation ....

T. Fine and S. E. Minear. Assuring distributed trusted mach. In Proc. IEEE Symp. on Security and Privacy, pages 206--218, Oakland, CA, May 1993.


A Practical Approach to High Assurance Multilevel.. - Froscher, Kang.. (1994)   (4 citations)

....an MLS UNIX computing service using untrusted hosts sharing a multilevel file server via trusted network interface units. By 1987 at least half a dozen projects were underway [NRL87] and similar ones have continued to the present, for example in the TMach, DTMach, and Synergy efforts [Bran89, Fine93, Sayd94]. Developments during the 1980s underlined the cost of developing software to meet criteria for high assurance. IBM reported, for example, that 80 of the resources used to modify Xenix to meet TCSEC class B2 requirements went toward satisfying the assurance requirements; meeting the ....

Fine, Todd, S.E. Minear, "Assuring Distributed Trusted Mach," Proc. 1993 IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, California. IEEE CS Press, ISBN: 0-8186-3370-0, pp. 206-218.


Implementing Mandatory Network Security In A Policy-Flexible System - Chitturi (1998)   (5 citations)

....protect against attacks by denying network services, other than those considered secure, to outsiders. They cannot defend against insider attacks, nor can they support sophisticated trust relationships with external entities. Security in operating systems has long been a topic of research [1, 4, 5], which has led to the formulation of various security models and policies for operating systems. This research has shown that mandatory security provided by the operating system is essential for supporting secure applications. This thesis presents the design and implementation of a framework for ....

T. Fine and S. E. Minear, "Assuring Distributed Trusted Mach," in Proc. 1993 IEEE Symposium on Research in Security and Privacy, (Oakland, CA), pp. 206--218, May 1993.


A Framework for Composition - Todd Fine Secure (1996)   (6 citations)  Self-citation (Fine)

....components in the example are: # A kernel which provides services to client processes. # A security server which performs policy computations as requested by the kernel. The example presented here is a much simplified version of the DTOS security architecture described in references [4] and [3]. The kernel is policy neutral in that it simply enforces policy decisions made by the security server. The kernel attaches labels called security identifiers (SIDs) to processes and system resources. At each enforcement point, the kernel asks the security server to make a policy decision based on ....

....receiving a request from the kernel, the security server would first determine the levels associated with the provided SIDs, next perform the computation, and finally return the access vector. Another example of the type of policy that might be defined in the security server is type enforcement [3]. In this policy, a process SID is mapped to 5 The DTOS kernel does not actually provide files as a resource. Instead, files are provided by an operating system personality that runs on top of DTOS. We use files in the example here since we expect readers to have more familiarity with files than ....

T. Fine and S. E. Minear. Assuring Distributed Trusted Mach. In Proceedings IEEE Computer Society Symposium on Research in Security and Privacy, pages 206--218, Oakland, CA, May 1993.


Developing and Using a "Policy Neutral" Access Control.. - Olawsky, Fine.. (1996)   (2 citations)  Self-citation (Fine)

....and the second implements the Clark Wilson integrity policy [5]. We have also investigated the ORCON policy [10]. 4.1 MLS WITH TYPE ENFORCEMENT. The only security server currently included in Secure Computing's DTOS release is one that performs level based and type enforcement security checks [7]. This security server • maps each subject SID to a level domain pair, • maps each object SID to a level type pair, and • makes security decisions based on the levels, domains, and types associated with the SIDs provided by the microkernel according to the usual level dominance and type ....

Todd Fine and Spencer E. Minear. Assuring Distributed Trusted Mach. In Proceedings IEEE Computer Society Symposium on Research in Security and Privacy, pages 206--218, Oakland, CA, May 1993.


A Framework for Composition - Fine (1996)   (6 citations)  Self-citation (Fine)

....components in the example are: • A kernel which provides services to client processes. • A security server which performs policy computations as requested by the kernel. The example presented here is a much simplified version of the DTOS security architecture described in references [4] and [3]. The kernel is policy neutral in that it simply enforces policy decisions made by the security server. The kernel attaches labels called security identifiers (SIDs) to processes and system resources. At each enforcement point, the kernel asks the security server to make a policy decision based on ....

....receiving a request from the kernel, the security server would first determine the levels associated with the provided SIDs, next perform the computation, and finally return the access vector. Another example of the type of policy that might be defined in the security server is type enforcement [3]. In this policy, a process SID is mapped to 5 The DTOS kernel does not actually provide files as a resource. Instead, files are provided by an operating system personality that runs on top of DTOS. We use files in the example here since we expect readers to have more familiarity with files than ....

T. Fine and S. E. Minear. Assuring Distributed Trusted Mach. In Proceedings IEEE Computer Society Symposium on Research in Security and Privacy, pages 206--218, Oakland, CA, May 1993.


Flexible Support for Multiple Access Control Policies - Sushil Jajodia George (2001)   (20 citations)

No context found.

Fine, T. and Minear, S. E. 1993. Assuring distributed trusted mach. In Proc. IEEE Symp. on Security and Privacy (Oakland, CA, 1993), pp. 206--218.


Implementation of Multiple Access Control Policies.. - Ramaswamy.. (1999)

No context found.

T. Fine and S. E. Minear. Assuring distributed trusted mach. In Proceedings of IEEE Symposium on Security and Privacy, pages 206--218, Oakland, CA, May 1993.


Bibliography of related work for project Composability for Secure.. - Payne (1998)

No context found.

Todd Fine and Spencer E. Minear. Assuring Distributed Trusted Mach. In Proceedings IEEE Computer Society Symposium on Research in Security and Privacy, pages 206--218, Oakland, CA, May 1993.


CiteSeer.IST - Copyright Penn State and NEC