darrell@beowulf.ucsd.edu (Darrell Long) (05/21/87)
A subject that I have been wondering about for some time is OS security. What are the necessary conditions for building a secure OS? Has anyone studied this in detail at the implementation level?

Darrell Long
Department of Computer Science & Engineering, UC San Diego, La Jolla CA 92093
ARPA: Darrell@Beowulf.UCSD.EDU
UUCP: darrell@sdcsvax.uucp
Operating Systems submissions to: mod-os@sdcsvax.uucp
darrell@sdcsvax.UUCP (05/22/87)
In article <3205@sdcsvax.UCSD.EDU> darrell@beowulf.ucsd.edu writes:
>A subject that I have been wondering about for some time is OS security. What
>are the necessary conditions for building a secure OS? Has anyone studied
>this in detail at the implementation level?
>

Um, Mr. Long, have you been living under a rock? ;-)

[ No, just trying to provoke discussion. Besides, considering how easy UNIX ]
[ is to crack (especially System V), it appears that no one is paying much ]
[ attention to this extensive body of research. Most operating systems that ]
[ I know of (research and production) are very easy to crack. Why is all of ]
[ the research Mr. Margulies mentions being ignored? --DL ]

There are a couple of conferences a year on this. IFIP has one, for example. If you get the proceedings of IFIP/Sec'85, you will even see a paper by me. Which is about as rare an avis as there is.

The research here goes back to the early seventies. For theoretical foundations, start with Bell and LaPadula.

Bell, D.E. and LaPadula, L.J. Secure Computer Systems: Unified Exposition and Multics Interpretation, MTR-2997, Rev 1, MITRE Corp, Bedford MA, March 1976.

For practical rules, "Department of Defense Trusted Computer System Evaluation Criteria" CSC-STD-001-83. The bibliography at the back of this is quite extensive.

Benson I. Margulies
Kendall Square Research Corp.
harvard!ksr!benson
ksr!benson@harvard.harvard.edu
All comments the responsibility of the author, if anyone.
david@dhw68k.UUCP (David H. Wolfskill) (05/23/87)
In article <3205@sdcsvax.UCSD.EDU> you write:
>A subject that I have been wondering about for some time is OS security. What
>are the necessary conditions for building a secure OS? Has anyone studied
>this in detail at the implementation level?

I think that the folks at Gould might be able to give you a few pointers/horror stories. One of them wrote a piece for "UNIX Review" a few months back about security, and I believe they're working on a version of UNIX that is intended to be classified at the "B" security level (Orange Book).

[ There must be someone from Gould out there that can expand on this. --DL ]

david
--
David H. Wolfskill
uucp: ...{trwrb | hplabs}!felix!dhw68k!david
InterNet: david@dhw68k.CTS.COM
jack@cwi.nl (Jack Jansen) (05/25/87)
In the Amoeba distributed OS, we make sure that communication is secure. This means that nobody will be able to receive messages that are meant for someone else.

According to the official papers, this is done using a device called 'F-box' that sits between your machine and the network. Addressing is done with 48 bit numbers, called ports. If you want to be talked to, you invent a port. You then ask your F-box to apply a one way function to this (think of DES, for instance). You give this encrypted port to all your friends.

Now, to receive a message, you give your original port to the F-box. This port is immediately encrypted, and the F-box starts listening to this encrypted port. Now, messages transmitted to you, using your encrypted port, will arrive at your machine.

There is much more to it, of course, but this is it in a nutshell. Look for articles by Andy Tanenbaum and/or Sape Mullender, or ask me and I'll dig out the references.
--
Jack Jansen, jack@cwi.nl (or jack@mcvax.uucp)
The shell is my oyster.

PS: Needless to say, of course, in real implementations there are no such things as F-boxes, their function is provided by the kernel. However, if you wanted to, you could hook up untrusted hosts by providing them (assuming you'll find someone willing to build them:-)
kck@wdl1.UUCP (Karl C. Kelley) (05/27/87)
There has been extensive research and development going on in this area for the last 15 years, much of it related to developing what are called multi-level secure operating systems, but the research applies as well to systems for providing commercial protection of information, privacy, funds transfer, etc. We actually think these days that we have a handle on how to build a system which is secure, the very first step of which is the formulation of a concise statement of the security policy, that is what you intend to mean by secure.

Since there are SO MANY references and bibliographies on the subject, you will be overcome with them when/if you drag yourself notebook in hand to the nearest large-scale computer science research library.

In the past when I have found it necessary to come up to speed on research areas that other people have been immersed in for years, I have found the IEEE Tutorials an excellent kickoff for my efforts. For that reason (since I haven't gotten through the whole thing myself to comment on the contents), I might recommend a current edition:

"Tutorial: Computer and Network Security" edited by Marshal D. Abrams and Harold J. Podell. IEEE Computer Society Order Number 756, IEEE Catalog Number EH0255-0, ISBN 0-8186-0756-4, Published by IEEE Computer Society Press and selling for some $35.

As if that were not enough to get you started, the last section of said document is a Bibliography of recommended readings, from Saltzer's early work (1975) to the present time, sprinkled with the names of legends in the field: Landwehr, Lipner, Schaefer, Denning, Gasser, Millen, ... [Some legends are missing]

After that I recommend going through the last 2 years of IEEE Computer, Transactions on Software Engineering, and similar such.