A Distributed Secure System
Summary (3 min read)
Acronym Definitions
- The trusted portion of a secure system is generally identified with a small operating system nucleus known as a security kernel; the rest of the operating system and all applications and user programs belong to the untrusted component.
- This can be minor when specialized applications are concerned, since the kernel can be tuned to the application, but general-purpose kernelized operating systems are three to ten times slower than their insecure counterparts.
- Finally, and as the authors have argued elsewhere [3] , security kernels for general-purpose operating systems tend to be complex, and their interactions with nonkernel trusted processes are also complex.
- The authors approach is to finesse the problems that have caused difficulty in the past by constructing a distributed secure system instead of a secure operating system.
- The latter each provide services to a single security partition and continue to run at full speed.
Principles and mechanisms for secure and distributed systems
- The structure of all secure systems constructed or designed recently has been influenced by the concept of a reference monitor.
- The real challenge is to find ways of structuring the system so that the separation provided by physical distribution is fully exploited to simplify the mechanisms of security enforcement without destroying the coherence of the overall system.
- Because it is costly to provide physically separate systems for each security partition and reference monitor, the authors use physical separation only for the untrusted computing resources of their system and for the security processors that house its trusted components.
- Unix United conforms to a design principle for distributed systems that the authors call the "recursive structuring principle".
- Just as the operating system of an ordinary host machine can return an exception when asked to operate on a nonexistent file, so a specialized server that provides no file storage can always return exceptions when asked to perform file operations.
A securely partitioned distributed system
- The authors will describe a secure Unix United system composed of standard Unix systems (and possibly some specialized servers that can masquerade as Unix) interconnected by a local area network, or LAN.
- The consequence of not trusting the individual systems is that the unit of protection must be those systems themselves; thus, the authors will dedicate each to a fixed security partition.
- The initial and very restrictive purpose of TNIUs is to permit communication only between machines belonging to the same security partition.
- A corrupt host can therefore signal to a wiretapping accomplice by modulating the length of the prefix that successive messages have in common.
- The careful use of CBC-mode encryption prevents information from leaking through channels that modulate message contents, but significant channels for information leakage still remain.
All techniques for introducing noise inevitably reduce the bandwidth available for legitimate communications and may increase the latency of message delivery.
- (Presumably the source is fixed at the location of the corrupt host.).
- Long messages must be broken into a number of separate message units; short ones, and the residue of long ones, must be padded to fill a whole unit.
- When this is done, a wiretapper cannot observe the exact length of a message but can only estimate the number of message units that it occupies.
- Two methods are available for securely separating the communications channels belonging to different security partitions.
- The integrity of all message units accepted is thereby guaranteed because they cannot be forged, modified, or formed by splicing parts of different units together during transmission over the LAN, Consequently, TNIUs can trust the value of the security partition identifier embedded in each message unit, then they can (and must) reject those bearing a different identifier.
A multilevel secure file store
- The design introduced so far imposes a very restrictive security policy.
- If the Secret-level user John of SUnix wishes to make his "paper" file available to the Top Secret user Brian, he does so by simply copying it into a directory that is subordinate to the SFS directory.
- This machine could then encode the information received into a file that could subsequently and legitimately be retrieved by a Secret-level host.
- Any attempt by a file storage machine to modify a file will be detected on its subsequent retrieval by the SFM when the recomputed checksum fails to match the one stored with the file.
- Once clandestine information has been prevented from leaving a file storage machine, there is no longer any need to provide separate file storage machines for each security partition; the integrity checks performed by the SFM constitute the required separation mechanism.
The accessing and allocation of security partitions
- A Secret-level user can send mail to a Top Secret user via the secure file system, but the recipient can only reply by leaving his Top Secret machine and logging in to one at the Secret level, or lower.
- The Newcastle Connection software in the TTIU will then be able to contact its counterpart in a host machine belonging to the appropriate security partition, and the user will thereafter interact with that remote machine exactly as if he were connected to it directly.
- With the exception of the file system, the local storage available to a host is all used for strictly temporary purposes and can simply be erased and reinitialized when the host changes security partitions.
- In outline, the complete scenario for automatically changing the security partition in which a host operates is as follows.
- The security mechanisms of the prototype will be provided by ordinary user processes in a standard Unix United system.
Did you find this useful? Give us your feedback
Citations
274 citations
259 citations
180 citations
177 citations
138 citations
References
2,671 citations
1,937 citations
"A Distributed Secure System" refers background or methods in this paper
...... and that because the encrypted value of each block within a message unit is a complex function of all previous blocks, messages formed by splicing parts of different messages together will decrypt unintelligibly, In fact, this is not so. Although the encrypted value of each block produced by CBC-mode encryption depends implicitly on all prior plaintext blocks, it depends explicitly on only the immediately preceding ciphertext block[ 8 ]....
[...]
...Readers who wish to learn more about issues and techniques relating to computer security should consult the excellent book by D. E. Denning[ 8 ]....
[...]
...Trustworthy network interface units use the Data Encryption Standard, or DES[ 8 ] to protect information sent over the LAN....
[...]
...Clandestine communications channels based on plaintext patterns that persist into the ciphertext can be thwarted by employing a more elaborate mode of encryption called cipher block chaining, or CBC, which uses a feedback technique to mask such patterns by causing the encrypted value of each block to be a complex function of all previous blocks[ 8 ]....
[...]
...Although the basic principles of encryption management are well established[ 8 ], a tutorial outline of the issues and techniques as they affect our system may benefit readers to whom this material is new....
[...]
470 citations
459 citations
195 citations