What Is a Security Kernel?
The security kernel is the core mechanism of a computer system that mediates access to resources in accordance with a security access control policy, so that system users can interoperate securely. Its goal is to control the protected objects flexibly so that they cannot be used or copied without authorization. The security mechanism of the security kernel is defined by protection domains and enforced by the access monitor (reference monitor), which checks and applies the security access policy. [1]
- The concept of a security kernel was proposed by Roger Schell in 1972; it is usually defined as the hardware and software that implement the abstraction of an access monitor (reference monitor). In the 16 years since, the idea has been realized only rarely: only a small number of security kernels have ever been implemented. This scarcity is not a weakness of the kernel approach itself but reflects buyers' lack of interest in security, which we discussed in Chapter 2. Today, with growing interest in security in both industry and government, more commercial systems built on a kernel are expected to appear within a few years.
- The first security kernel was developed by MITRE as a government-funded project and ran on a DEC PDP-11/45 to prove the security kernel concept. Another notable security kernel research effort was UCLA Data Secure Unix on the PDP-11/45 and 11/70. The Department of Defense funded the design and formal description of a security kernel for Multics in a program called the Protector, but that kernel was never implemented. Government-funded development of working systems (now rarely used) includes KVM, a security-enhanced version of IBM's VM/370, and KSOS, developed by Ford Space Communications on the PDP-11/70.
- In summary, the design and implementation of a security kernel should conform to the following three basic principles.
- 1. Integrity principle
- The integrity principle (also called the completeness principle) requires that every reference by a subject to an object pass through the security kernel; that is, all access to information must be mediated by the kernel. In practice there is usually a large gap between how operating systems are implemented and what the integrity principle strictly requires: an operating system treats system information as residing in obvious places, such as files, memory, and input and output buffers, and it controls access to those objects. The completeness principle is not satisfied by such a narrow definition of an object; it regards any information, wherever it exists and regardless of its size or use, as a potential object.
- The integrity principle also places requirements on the hardware that supports the kernel. If the kernel is to allow untrusted programs to execute efficiently without checking every machine instruction, the hardware must guarantee that such a program cannot bypass the kernel's access controls. All pairs
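The access monitor and the integrity (completeness) principle described above, as an added illustration that is not part of the original article: a toy reference monitor in which protection domains are rows of an access matrix, every read or write of any object (file, memory segment, I/O buffer) is forced through one `check` routine, and every decision is audited. The domain names, object names and the policy are constructed sample data.

```python
from collections import defaultdict


class ReferenceMonitor:
    def __init__(self, objects):
        # Access matrix: protection domain -> object -> permitted modes.
        self._matrix = defaultdict(lambda: defaultdict(set))
        # Files, memory segments and I/O buffers are all just objects here.
        self._objects = dict(objects)
        self._audit = []

    def grant(self, domain, obj, *modes):
        self._matrix[domain][obj].update(modes)

    def check(self, domain, obj, mode):
        # Single choke point: every access decision passes through here.
        allowed = obj in self._objects and mode in self._matrix[domain][obj]
        self._audit.append((domain, obj, mode, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{domain} may not {mode} {obj}")

    def read(self, domain, obj):
        self.check(domain, obj, "read")
        return self._objects[obj]

    def write(self, domain, obj, data):
        self.check(domain, obj, "write")
        self._objects[obj] = data

    def audit_log(self):
        return list(self._audit)


def demo():
    # Constructed sample policy: two protection domains, three kinds of object.
    rm = ReferenceMonitor({o: f"<{o}>" for o in ("file:payroll", "mem:seg42", "iobuf:tty0")})
    rm.grant("user", "file:payroll", "read")
    rm.grant("user", "iobuf:tty0", "read", "write")
    rm.grant("admin", "file:payroll", "read", "write")
    results = {"user_read_payroll": rm.read("user", "file:payroll")}
    try:
        rm.write("user", "file:payroll", "tampered")
        results["user_write_payroll"] = "allow"
    except PermissionError:
        results["user_write_payroll"] = "deny"
    results["denied_in_audit"] = ("user", "file:payroll", "write", "deny") in rm.audit_log()
    return results
```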
- The main role of the security kernel is to maintain the confidentiality and integrity of information. It manages the following four basic operations:
- (1) Process activation. In a multiprogramming environment, process activation and switching happen constantly: switching from one process to another requires a secure
- There are two ways to design the security kernel:
- 1. Adding security protection functions to the operating system kernel. The system's security protection functions, such as access control, monitoring, and auditing, generally relate to memory access, I/O operations, and file or program access. In a modularly designed operating system these functions are handled by different modules; adding security functions to those modules forms a secure kernel for the operating system.
- If all security functions are added to the original kernel, the modularity of the operating system is destroyed and its original functionality is degraded. Therefore, some functions can be carried out in the outer layers or the application layer of the operating system, while only the most basic security functions are retained in the kernel, forming a secure kernel.
- 2. Designing the security kernel first. A sounder design is to design the security kernel first and then build the operating system around it. In a security-based design, the security kernel is the interface layer that carries out all of the operating system's hardware access protection functions, and it depends on the hardware that supports it. It should be small and effective: for example, the security kernels of the more mature secure operating systems have only about 10,000 lines of source code. [4]