Separation kernel

A separation kernel is a type of security kernel used to simulate a distributed environment. The concept was introduced by John Rushby in a 1981 paper [John Rushby, "The Design and Verification of Secure Systems," Eighth ACM Symposium on Operating System Principles, pp. 12-21, Asilomar, CA, December 1981 (ACM Operating Systems Review, Vol. 15, No. 5)]. Rushby proposed the separation kernel as a solution to the difficulties and problems that had arisen in the development and verification of large, complex security kernels that were intended to "provide multilevel secure operation on general-purpose multi-user systems." According to Rushby, "the task of a separation kernel is to create an environment which is indistinguishable from that provided by a physically distributed system: it must appear as if each regime is a separate, isolated machine and that information can only flow from one machine to another along known external communication lines. One of the properties we must prove of a separation kernel, therefore, is that there are no channels for information flow between regimes other than those explicitly provided."

A variant of the separation kernel, the partitioning kernel, has gained acceptance in the commercial aviation community as a way of consolidating, onto a single processor, multiple functions, perhaps of mixed criticality. Commercial real-time operating system products in this genre have been used by aircraft manufacturers for safety-critical avionics applications.

In 2007 the Information Assurance Directorate of the U.S. National Security Agency published the Separation Kernel Protection Profile (SKPP) [Information Assurance Directorate, National Security Agency, Fort George G. Meade, MD, "U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness," Version 1.03, June 2007], a security requirements specification for separation kernels suitable for use in the most hostile threat environments. The SKPP describes, in Common Criteria ["Common Criteria for Information Technology Security Evaluation," Version 3.1, CCMB-2006-09-001, 002, 003, September 2006] parlance, a class of modern products that provide the foundational properties of Rushby's conceptual separation kernel. It defines the security functional and assurance requirements for the construction and evaluation of separation kernels while still leaving developers some latitude in their design choices.

The SKPP defines a separation kernel as "hardware and/or firmware and/or software mechanisms whose primary function is to establish, isolate and separate multiple partitions and control information flow between the subjects and exported resources allocated to those partitions." Further, the separation kernel's "core functional requirements include:
* protection of all resources (including CPU, memory and devices) from unauthorized access
* separation of internal resources used by the TSF [the TOE Security Functionality, i.e. the kernel itself, in Common Criteria terms] from exported resources made available to subjects
* partitioning and isolation of exported resources
* mediation of information flows between partitions and between exported resources
* audit services"

"The separation kernel allocates all exported resources under its control into partitions. The partitions are isolated except for explicitly allowed information flows. The actions of a subject in one partition are isolated from (viz., cannot be detected by or communicated to) subjects in another partition, unless that flow has been allowed. The partitions and flows are defined in configuration data. Note that 'partition' and 'subject' are orthogonal abstractions. 'Partition,' as indicated by its mathematical genesis, provides for a set-theoretic grouping of system entities, whereas 'subject' allows us to reason about the individual active entities of a system. Thus, a partition (a collection, containing zero or more elements) is not a subject (an active element), but may contain zero or more subjects."

"The separation kernel provides to its hosted software programs high-assurance partitioning and information flow control properties that are both tamperproof and non-bypassable. These capabilities provide a configurable trusted foundation for a variety of system architectures."
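To make the two ideas above concrete, the SKPP's description of configuration data (partitions, the subjects and exported resources allocated to them, and the explicitly allowed flows) and Rushby's requirement that there be no channels other than those explicitly provided, here is a small Python model. It is an added illustration, not code from the article, from Rushby's paper or from any SKPP-evaluated product; the partition, subject and resource names, the configuration and the trace of operations are all constructed for the example. The kernel mediates every read and write against the configuration and records each decision (the "audit services" requirement), `unintended_flows` reports cross-partition paths that exist only via a relay partition, and `noninterference_holds` tests Rushby's property on a trace: purging every action of partitions that may not flow into an observer must leave what that observer sees unchanged.

```python
from dataclasses import dataclass


@dataclass
class Config:
    """Kernel configuration data (constructed for this example)."""
    partitions: frozenset   # names of partitions
    subjects: dict          # subject name -> partition it is allocated to
    resources: dict         # exported resource name -> partition that owns it
    flows: frozenset        # (source partition, destination partition) pairs allowed

    def check(self) -> None:
        """Reject configuration that names partitions the kernel does not know."""
        for s, p in self.subjects.items():
            if p not in self.partitions:
                raise ValueError(f"subject {s} allocated to unknown partition {p}")
        for r, p in self.resources.items():
            if p not in self.partitions:
                raise ValueError(f"resource {r} owned by unknown partition {p}")
        for a, b in self.flows:
            if a not in self.partitions or b not in self.partitions:
                raise ValueError(f"flow {a}->{b} names an unknown partition")


class SeparationKernel:
    """Mediates every access to an exported resource against the configuration."""

    def __init__(self, cfg: Config):
        cfg.check()
        self.cfg = cfg
        self.store = {r: None for r in cfg.resources}   # contents of exported resources
        self.audit = []                                  # every mediation decision

    def _mediate(self, subject, op, resource) -> bool:
        src = self.cfg.subjects[subject]
        owner = self.cfg.resources[resource]
        # A read moves information from the resource's partition to the subject's;
        # a write moves it the other way. Access within one partition is always allowed.
        flow = (owner, src) if op == "read" else (src, owner)
        allowed = flow[0] == flow[1] or flow in self.cfg.flows
        self.audit.append((subject, op, resource, "allow" if allowed else "deny"))
        return allowed

    def write(self, subject, resource, value) -> None:
        if not self._mediate(subject, "write", resource):
            raise PermissionError(f"{subject} may not write {resource}")
        self.store[resource] = value

    def read(self, subject, resource):
        if not self._mediate(subject, "read", resource):
            raise PermissionError(f"{subject} may not read {resource}")
        return self.store[resource]


def transitive_flows(cfg: Config) -> set:
    """Closure of the allowed flows: A->B plus B->C lets A's data reach C with B as relay."""
    closure = set(cfg.flows)
    changed = True
    while changed:
        changed = False
        for a, b in list(closure):
            for c, d in list(closure):
                if b == c and a != d and (a, d) not in closure:
                    closure.add((a, d))
                    changed = True
    return closure


def unintended_flows(cfg: Config) -> set:
    """Cross-partition paths the configuration permits only indirectly (a reviewer's check)."""
    return transitive_flows(cfg) - set(cfg.flows)


def run(cfg: Config, trace, observer):
    """Execute a trace; return what subjects in the `observer` partition read."""
    kernel = SeparationKernel(cfg)
    seen = []
    for op, subject, resource, *value in trace:
        try:
            if op == "write":
                kernel.write(subject, resource, value[0])
            else:
                v = kernel.read(subject, resource)
                if cfg.subjects[subject] == observer:
                    seen.append((subject, resource, v))
        except PermissionError:
            pass   # denied operations change nothing; they are only audited
    return seen


def noninterference_holds(cfg: Config, trace, observer) -> bool:
    """Rushby's property on one trace: purging all actions of partitions that may not
    flow into `observer` (directly or via a relay) must not change what it observes."""
    may_influence = {observer} | {a for a, b in transitive_flows(cfg) if b == observer}
    purged = [step for step in trace if cfg.subjects[step[1]] in may_influence]
    return run(cfg, trace, observer) == run(cfg, purged, observer)


# Constructed avionics-flavoured configuration: only nav -> ifc is explicitly provided.
CONFIG = Config(
    partitions=frozenset({"nav", "ifc", "ife"}),
    subjects={"nav_task": "nav", "ifc_task": "ifc", "ife_task": "ife"},
    resources={"nav.position": "nav", "ifc.display": "ifc", "ife.playlist": "ife"},
    flows=frozenset({("nav", "ifc")}),
)

# Constructed trace: two allowed cross-partition reads and two denied attempts.
TRACE = [
    ("write", "nav_task", "nav.position", (51.5, -0.1)),
    ("read", "ifc_task", "nav.position"),
    ("write", "ife_task", "ife.playlist", "safety-video"),
    ("read", "ife_task", "nav.position"),           # denied: no nav -> ife flow
    ("write", "ife_task", "nav.position", (0.0, 0.0)),  # denied: no ife -> nav flow
    ("read", "ifc_task", "nav.position"),
]

if __name__ == "__main__":
    print("ifc observes:", run(CONFIG, TRACE, "ifc"))
    for p in sorted(CONFIG.partitions):
        print(p, "noninterference:", noninterference_holds(CONFIG, TRACE, p))
    print("unintended flows:", unintended_flows(CONFIG))
```

The relay check matters in practice: the kernel only ever enforces each configured pair, so if the configuration allows both A to B and B to C, the data of A can reach C whenever B's software relays it. Whether that is acceptable is a question for whoever writes the configuration data, which is why the SKPP treats that data as part of what is evaluated.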

Wikimedia Foundation. 2010.
