Small TCBs of policy-controlled operating systems
Author
Abstract
IT systems with advanced security requirements increasingly apply problem-specific security policies for describing, analyzing, and implementing security properties. Security policies are a vital part of a system’s trusted computing base (TCB). Hence, both correctness and tamper-proofness of a TCB’s implementation are essential for establishing, preserving, and guaranteeing a system’s security properties. Today’s operating systems often show that implementing security policies is a challenge; for more than forty years, they have provided only rather elementary support for discretionary, identity-based access control policies. As a consequence, major parts of the applications’ security policies are implemented by the applications themselves, resulting in large, heterogeneous, and distributed TCB implementations. Thus, precisely identifying a TCB’s functional perimeter is hard, which renders essential TCB properties – correctness, robustness, and tamper-proofness – difficult to achieve. Efforts have been made to re-collect the policy components of operating systems and applications into a central component. So-called policy-controlled operating systems provide kernel abstractions for security policies along with a policy decision and enforcement environment to protect and enforce the policies. Current policy-controlled operating systems are based on monolithic architectures, so their policy enforcement mechanisms are distributed all over the kernel. Additionally, they share the ambition to support a wide variety of security policies, which leads to universal policy decision and enforcement environments. Both result in large, complex, and expensive operating system TCBs, whose functional perimeter can hardly be precisely identified. As a consequence, a TCB’s essential properties are hard to ensure in its implementation.
This dissertation follows a different approach based on the idea of methodically engineering TCBs by tailoring their policy decision and enforcement environment to support only those security policies that are actually present in a TCB. A TCB’s functional perimeter is identified by exploiting causal dependencies between security policies and TCB functions, which results in causal TCBs that contain exactly those functions that are necessary to establish, enforce, and protect their policies. The precise identification of a TCB’s functional perimeter allows for implementing a TCB in a safe environment that indeed can be isolated from untrusted system components. Thereby, causal TCB engineering sets the course for implementations whose size and complexity pave the way for analyzing and verifying a TCB’s correctness and tamper-proofness. The application scenarios for causal TCB engineering range from embedded systems and policy-controlled operating systems to database management systems in large information systems.
Similar sources
Towards System Integrity Protection with Graph-Based Policy Analysis
Identifying and protecting the trusted computing base (TCB) of a system is an important task, which is typically performed by designing and enforcing a system security policy and verifying whether an existing policy satisfies security objectives. To efficiently support these, an intuitive and cognitive policy analysis mechanism is desired for policy designers or security administrators due to t...
Full text
Information flow control for secure web sites
Sometimes Web sites fail in the worst ways. They can reveal private data that can never be retracted [60, 72, 78, 79]. Or they can succumb to vandalism, and subsequently show corrupt data to users [27]. Blame can fall on the off-the-shelf software that runs the site (e.g., the operating system, the application libraries, the Web server, etc.), but more frequently (as in the above references), t...
Full text
Query Processing in LDV: A Secure Database System
This paper gives an overview of Query Processing of the Multilevel Secure Database Management System (MLSDBMS), LOCK Data Views (LDV), for the Secure Distributed Data Views contract. The prime contractor is Honeywell's Secure Computing Technology Center (SCTC) and the subcontractor is Honeywell's Corporate Systems Development Division (CSDD). The paper summarizes design issues such as data dist...
Full text
Comparison of direct-plating and enrichment methods for isolation of Vibrio cholerae from diarrhea patients.
A direct-plating method on thiosulfate citrate bile salts sucrose agar (DIR-TCBS) in conjunction with enrichment in alkaline peptone water (APW) incubated for both 6 h and 24 h followed by subculture onto TCBS (APW6h-TCBS and APW24h-TCBS, respectively) was performed on 16,034 rectal swab samples for isolating Vibrio cholerae. A total of 2,932 (18.3%) rectal swab samples were positive for V. cho...
Full text
Introduction of MO-GP algorithm and its application in basin management
The most important factor that should be considered in managing a watershed is taking into account objectives under policies. In operating water resources systems in general, and reservoirs in particular, operating rules should be extracted as multi-objective. In this paper, multi-objective genetic programming (MOGP) is developed and used. Then, after verification, it is used to extra...
Full text