Trusting Software:
Functional correctness
Does what it was designed to do
Maintains data integrity
Even for bad input
Protects disclosure of sensitive data
Does not pass to untrusted software
Confidence
Experts analyze program & assure trust
Statement giving security we expect system to enforce
Do this formally when and where possible
TCB Design Principles
Least privilege for users & programs
Economy of mechanism
Open design
Complete mediation
Fail-safe defaults
Ease of use
How do we build a TCB:
Support key security features
- Must implement certain security-relevant functions
Authentication
Access control to files & general objects
Mandatory access control (SELinux)
Discretionary access control (standard file permissions)
- Protection of data used by the OS (the OS must protect itself)
Security features of trusted OSes
Object reuse protection
Disk blocks, memory frames reused
Process can allocate disk or memory, then look to see what’s left behind
Trusted OS should zero out object before reuse
Secure file deletion: overwrite with varying patterns of zeros & ones
Secure disk destruction: degaussing, physical destruction
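The object reuse problem above, as an added example that is not part of the notes: a toy frame pool models an OS handing out memory frames, and shows that without zero-on-free the next process reads the previous owner's data. The pool, frame size and the "constructed-secret" value are all constructed for illustration; the volatile function pointer is one common way to stop the compiler from optimising the scrub away.

```c
#include <stddef.h>
#include <string.h>

/* Constructed frame pool: NUM_FRAMES frames of FRAME_SIZE bytes each. */
#define FRAME_SIZE 64
#define NUM_FRAMES 4

static unsigned char pool[NUM_FRAMES][FRAME_SIZE];
static int in_use[NUM_FRAMES];

/* memset reached through a volatile pointer so the call is not elided. */
static void *(*volatile scrub_fn)(void *, int, size_t) = memset;

static void secure_zero(void *p, size_t n) { scrub_fn(p, 0, n); }

/* Allocate the first free frame (index, or -1 if none). Deliberately does
 * NOT clear the frame: the caller sees whatever the previous owner left. */
int frame_alloc(void) {
    for (int i = 0; i < NUM_FRAMES; i++)
        if (!in_use[i]) { in_use[i] = 1; return i; }
    return -1;
}

/* Release a frame. With zero_on_free set, the object is scrubbed before it
 * can be reused: the behaviour a trusted OS should provide. */
void frame_free(int idx, int zero_on_free) {
    if (zero_on_free) secure_zero(pool[idx], FRAME_SIZE);
    in_use[idx] = 0;
}

/* Number of non-zero bytes in a frame: a measure of leaked residue. */
size_t residue_bytes(int idx) {
    size_t count = 0;
    for (size_t i = 0; i < FRAME_SIZE; i++)
        if (pool[idx][i] != 0) count++;
    return count;
}

/* Scenario: process A writes a secret into a frame and frees it; process B
 * then allocates and gets the same frame. Returns how many bytes B can read. */
size_t reuse_leak(int zero_on_free) {
    int a = frame_alloc();
    if (a < 0) return 0;
    memcpy(pool[a], "constructed-secret", 18);   /* constructed sample data */
    frame_free(a, zero_on_free);
    int b = frame_alloc();                        /* same frame comes back */
    size_t leaked = residue_bytes(b);
    frame_free(b, 1);                             /* leave the pool clean */
    return leaked;
}
```

With zero_on_free disabled the second process recovers all 18 secret bytes; with it enabled it recovers none, which is the property "zero out object before reuse" is meant to guarantee.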