Motivation For Separation Kernels
Inzemamul Haque
Department of Computer Science and Automation
Indian Institute of Science
Bangalore-560012
Email: inzemamul.haque@csa.iisc.ernet.in
Abstract: This article sets out the motivation for using separation kernels as the basis of secure systems. It aims to give the reader a complete picture of how the security problems of different kinds of systems led to the development of separation kernels.
Keywords: kernel, Multics, operating systems, security, security kernel, separation kernel, UNIX.
I. INTRODUCTION
Tamperproof: The access control enforcement mechanism cannot be modified by untrusted processes.
II. HISTORY
size of the system becoming too large. Hence vendors and researchers started to choose one of two directions: (i) general-purpose, performance-oriented systems with limited security, and (ii) security-oriented systems with reasonable performance. The first direction resulted in UNIX-like systems and the second in secure kernels, namely security kernels and separation kernels.
As stated earlier, Bell Labs left the Multics project in 1969. Ken Thompson and Dennis Ritchie, researchers from Bell Labs who had also worked on Multics, used that experience to develop a new operating system, UNIX, which went on to dominate for almost the next four decades. UNIX was first written to play a game on a PDP-7 computer, so it was very small in the beginning; it grew in later decades through its use in academia and industry. UNIX was simpler and smaller than Multics, hence easier to program and better in performance. UNIX adopted many of the security features of Multics, but its security goals differed from those of Multics, since it began as a personal project. We discuss the security problems and a few vulnerabilities of UNIX in the next section.
Through the 1970s, research continued on building a secure operating system. The Anderson report [1] introduced the reference monitor concept, and implementations of that concept came to be known as security kernels. The first security kernel was developed by MITRE in 1974; it had fewer than 20 subroutines in fewer than 1000 source lines of code. Other systems that grew out of addressing the security limitations of Multics were the Secure Communications Processor (Scomp) [4] from Honeywell, the Gemini Secure Operating System (GSOS or GEMSOS) [8] from Gemini, the Secure Ada Target (SAT), and others. We discuss the problems with security kernels in section V.
Then, in 1981, John Rushby proposed the separation kernel [7], which addresses some of the problems of security kernels. Separation kernels are discussed in section VI.
IV. UNIX
So, finally, we can say that UNIX fails to meet the requirements of complete mediation, tamperproofness and verifiability. Hence UNIX is not a secure system.
B. UNIX vulnerabilities
In this part we show the problems that can arise when the system design does not treat security as one of its main goals.
V. SECURITY KERNELS
VI. SEPARATION KERNELS
A separation kernel is a type of security kernel that divides the system into a number of partitions that are isolated from each other. There may be explicit communication channels between partitions, as specified by the policy, but no implicit channels. Different processes run in different partitions. Rushby solved the printer spooler problem by placing the printer spooler and the file system in different partitions, connected by explicit communication channels. Here security rests on the isolation that the separation kernel provides.
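The partition-and-channel model described above, as an added example that is not part of the original article or of Rushby's design: a toy kernel whose only inter-partition mechanism is a set of channels fixed in a static policy. The partition names (user, filesys, spooler, printer) and the channel set are assumptions chosen to model the spooler scenario. The kernel mediates every send and receive, rejects any pair of partitions not declared in the policy, and can check at configuration time which partitions can reach which over the declared channels.

```python
# Toy model of a separation kernel: partitions with no shared state, and
# communication only over channels declared in a static policy.
# Added example for this article; it is not code from the article or from
# Rushby's separation kernel. Partition names and the channel set below
# are assumptions chosen to model the printer-spooler scenario.
from collections import deque
from dataclasses import dataclass


class PolicyViolation(Exception):
    """A partition attempted communication the policy does not grant."""


@dataclass(frozen=True)
class Channel:
    src: str
    dst: str


class SeparationKernel:
    """Every cross-partition message passes through send()/receive(); the
    kernel owns the queues, so partitions have no other way to interact."""

    def __init__(self, partitions, channels):
        self.partitions = frozenset(partitions)
        for ch in channels:
            if ch.src == ch.dst:
                raise ValueError(f"channel must join distinct partitions: {ch}")
            if {ch.src, ch.dst} - self.partitions:
                raise ValueError(f"channel names an unknown partition: {ch}")
        # The policy is fixed at configuration time: there is deliberately
        # no method that adds a channel after construction.
        self.channels = frozenset(channels)
        self._queues = {ch: deque() for ch in self.channels}

    def permitted(self, src, dst):
        return Channel(src, dst) in self.channels

    def send(self, src, dst, msg):
        if not self.permitted(src, dst):
            raise PolicyViolation(f"{src} -> {dst} is not a declared channel")
        self._queues[Channel(src, dst)].append(msg)

    def receive(self, src, dst):
        if not self.permitted(src, dst):
            raise PolicyViolation(f"{src} -> {dst} is not a declared channel")
        q = self._queues[Channel(src, dst)]
        return q.popleft() if q else None

    def reachable_from(self, start):
        """Partitions that can receive information originating in `start`,
        transitively over declared channels (a configuration-time check)."""
        seen, todo = set(), [start]
        while todo:
            p = todo.pop()
            for ch in self.channels:
                if ch.src == p and ch.dst not in seen:
                    seen.add(ch.dst)
                    todo.append(ch.dst)
        return seen


def build_spooler_system():
    """Spooler and file system in separate partitions (assumed layout)."""
    return SeparationKernel(
        partitions={"user", "filesys", "spooler", "printer"},
        channels={
            Channel("user", "filesys"),     # user writes a file
            Channel("user", "spooler"),     # user asks for a file to be printed
            Channel("spooler", "filesys"),  # spooler requests the file
            Channel("filesys", "spooler"),  # file system returns its contents
            Channel("spooler", "printer"),  # spooler drives the printer
        },
    )


def print_job(kernel, filename, contents):
    """Run one print request through the declared channels and return what
    reaches the printer partition."""
    kernel.send("user", "filesys", ("write", filename, contents))
    _, name, data = kernel.receive("user", "filesys")
    store = {name: data}                              # file system state
    kernel.send("user", "spooler", ("print", filename))
    _, wanted = kernel.receive("user", "spooler")
    kernel.send("spooler", "filesys", ("read", wanted))
    _, wanted = kernel.receive("spooler", "filesys")
    kernel.send("filesys", "spooler", store[wanted])
    kernel.send("spooler", "printer", kernel.receive("filesys", "spooler"))
    return kernel.receive("spooler", "printer")


def denied_attempts(kernel):
    """Paths the policy does not grant; each attempt raises PolicyViolation."""
    attempts = [("user", "printer"), ("printer", "filesys"), ("filesys", "user")]
    denied = []
    for src, dst in attempts:
        try:
            kernel.send(src, dst, "x")
        except PolicyViolation:
            denied.append((src, dst))
    return denied


if __name__ == "__main__":
    k = build_spooler_system()
    print(print_job(k, "report.txt", "hello"))
    print(denied_attempts(k))
    print(sorted(k.reachable_from("printer")))   # printer is a pure sink
```

The point of the model is where the checks sit: the spooler never touches file system state directly, the channel set cannot grow at run time, and `reachable_from` lets the policy be audited before anything runs. A real separation kernel enforces the same separation with hardware memory protection rather than Python objects, but the policy shape is the same.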
ACKNOWLEDGMENT
Most of the material covered in this article, especially section III, is taken from the book Operating System Security [5] by Trent Jaeger. The issues with security kernels caused by trusted processes, described in section V, are mostly from the paper by Rushby [7].
The author would like to thank Prof. Deepak D'Souza, Indian Institute of Science, Bangalore, and Arnab Kundu, CAIR, DRDO, for their valuable discussions on this topic.
REFERENCES
[1] J. P. Anderson, Computer Security Technology Planning Study, Technical Report ESD-TR-73-51, The MITRE Corporation, Air Force Electronic Systems Division, Hanscom AFB, Bedford, MA, 1972.
[2] D. E. Bell and L. J. LaPadula, Secure Computer Systems: Unified Exposition and Multics Interpretation, Technical Report ESD-TR-75-306, MITRE Corporation, Bedford, MA, March 1976.
[3] F. J. Corbato and V. A. Vyssotsky, Introduction and Overview of the Multics System, In Proceedings of the 1965 AFIPS Fall Joint Computer Conference, 1965.
[4] L. J. Fraim, SCOMP: A Solution to the Multilevel Security Problem, IEEE Computer, 16(7):26-34, 1983.
[5] T. Jaeger, Operating System Security, Morgan & Claypool Publishers, 2008.
[6] C. E. Landwehr, Assertions for Verification of Multilevel Secure Military Message Systems, ACM Software Engineering Notes, 5(3):46-47, July 1980.
[7] J. Rushby, Design and Verification of Secure Systems, In Proceedings of the Eighth ACM Symposium on Operating System Principles, pp. 12-21, Dec 1981.
[8] W. R. Shockley, T. F. Tao, and M. F. Thompson, An Overview of the GEMSOS Class A1 Technology and Application Experience, In Proceedings of the 11th National Computer Security Conference, pp. 238-245, October 1988.