Trusted path from user to secure system
 prevents programs from spoofing the interface of secure components (e.g. a fake login screen)
 prevents programs from tapping the path (e.g. keyloggers)
Audit log showing object accesses: only useful if you actually look at the log
 detect unusual use of the system (e.g. a subject racking up repeated denied accesses)
Kernel Design
Security kernel: enforces all security mechanisms
 Good isolation, small size for verifiability, keeps security code together
Reference monitor: controls access to objects (mediates every reference to an object)
 Tamperproof [impossible to break or disable]
 Un-bypassable [always invoked: complete mediation]
 Analyzable [small enough to analyze & understand]
Trusted computing base (TCB): all parts of the OS needed for correct enforcement of the security policy
 handles primitive I/O, clocks, interrupt handling, hardware capabilities, label checking
 Virtual machine provides hardware isolation, logical OS separation
Assurance: ways of convincing ourselves that a model, design, & implementation are correct
Methods of assurance validation:
 Testing / penetration testing
 Formal verification & validation
 Checking that developers have implemented all requirements
 Requirements checking, design & code reviews, system testing
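Added example (not from the original notes): a toy reference monitor that ties the Kernel Design points (label checking, complete mediation, audit log, detecting unusual use) to the Assurance point (testing the implementation against a requirement). Assumptions: a four-level linear label lattice and Bell-LaPadula-style "no read up / no write down" rules stand in for the unspecified label-checking policy; the subjects, objects and access sequence in demo() are constructed sample data; check_no_read_up() is a hypothetical exhaustive test of one requirement.

```python
"""Toy reference monitor with label checking, an audit log, and an assurance check."""
from collections import Counter
from dataclasses import dataclass, field

# Assumption: a simple linear lattice of security levels (not specified in the notes).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


@dataclass(frozen=True)
class Obj:
    name: str
    label: str


@dataclass
class ReferenceMonitor:
    """Complete mediation: access() is the only way a subject reaches an object.

    In a real kernel the tamperproof and un-bypassable properties come from
    hardware isolation; here they hold only by convention (nothing else touches
    objects or the log), which is also what makes the monitor small and analyzable.
    """
    audit_log: list = field(default_factory=list)

    @staticmethod
    def _dominates(a: str, b: str) -> bool:
        return LEVELS[a] >= LEVELS[b]

    def access(self, subj: Subject, obj: Obj, mode: str) -> bool:
        # Assumed policy: no read up (simple security), no write down (*-property).
        if mode == "read":
            allowed = self._dominates(subj.clearance, obj.label)
        elif mode == "write":
            allowed = self._dominates(obj.label, subj.clearance)
        else:
            allowed = False  # unknown modes are denied, never silently granted
        # Every decision, grant or deny, is recorded: the log shows all object accesses.
        self.audit_log.append((subj.name, obj.name, mode, "grant" if allowed else "deny"))
        return allowed


def unusual_use(audit_log, deny_threshold: int = 3) -> set:
    """Look at the log: flag subjects with at least deny_threshold denied accesses."""
    denies = Counter(subj for subj, _, _, decision in audit_log if decision == "deny")
    return {subj for subj, n in denies.items() if n >= deny_threshold}


def check_no_read_up() -> bool:
    """Assurance by testing: exhaustively check the 'no read up' requirement."""
    rm = ReferenceMonitor()
    for clearance in LEVELS:
        for label in LEVELS:
            granted = rm.access(Subject("s", clearance), Obj("o", label), "read")
            if granted and LEVELS[clearance] < LEVELS[label]:
                return False  # a read up was granted: requirement violated
    return True


def demo():
    """Constructed sample run: one well-behaved subject and one probing subject."""
    rm = ReferenceMonitor()
    alice = Subject("alice", "secret")
    mallory = Subject("mallory", "unclassified")
    plans = Obj("plans.txt", "secret")
    memo = Obj("memo.txt", "unclassified")
    results = [
        rm.access(alice, plans, "read"),      # grant
        rm.access(alice, memo, "write"),      # deny: write down
        rm.access(mallory, memo, "read"),     # grant
        rm.access(mallory, plans, "read"),    # deny: read up
        rm.access(mallory, plans, "read"),    # deny: read up
        rm.access(mallory, plans, "write"),   # grant: write up is allowed
        rm.access(mallory, plans, "exec"),    # deny: unknown mode
    ]
    return results, rm.audit_log, unusual_use(rm.audit_log)


if __name__ == "__main__":
    results, log, flagged = demo()
    for entry in log:
        print(entry)
    print("flagged:", flagged, "| no-read-up requirement holds:", check_no_read_up())
```

The audit log is only worth keeping because unusual_use() reads it: mallory's three denials surface as a pattern that no single access decision reveals. check_no_read_up() is the testing step from the Assurance list in miniature: it does not prove the monitor correct, but it checks one stated requirement over every input the policy admits, which is what "checking that developers have implemented all requirements" means for a monitor small enough to enumerate.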