Method for executing trusted-path commands

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Security kernel or utility

Reexamination Certificate

Details

C713S166000, C713S152000, C713S152000

active

06507909

ABSTRACT:

1. BACKGROUND OF THE INVENTION
1.1 Introduction
This invention relates to a method for improving security in a computer system. More specifically, this invention concerns a method for implementing trusted commands through both trusted and untrusted code.
1.2 Background
The proliferation of computers has resulted in the need for reliable computer security systems. The need to protect certain information is great in areas dealing with national security, for example. Security measures are required in other fields, including areas which utilize financial, medical, and personal information. Many computerized information systems therefore include internal security measures which provide the users with different levels of access to the computerized information, and which attempt to provide at least a degree of protection of the information from undesirable access.
1.3 Security Criteria: Reference Validation Systems
In response to the need for secure computer systems, the Department of Defense has issued a publication titled Department of Defense Trusted Computer System Evaluation Criteria (reference No. DOD 5200.28-STD). This publication is sometimes referred to as the “Orange Book,” and is available from the Department of Defense. The Orange Book describes system security objectives and evaluation criteria for secure computer systems.
A “secure” computer system generally includes some type of “reference validation” system. These reference validation systems (known as reference monitors) are responsible for enforcing the security rules (security policy) for a given computer system.
Reference monitors mediate all access to “objects” by “subjects”. Objects are passive entities that contain or receive information. Access to an object implies access to the information that it contains. Subjects are active entities, generally in the form of a person, process or device that cause information to flow among objects or change the system state. A subject may ordinarily reference its own, subject-internal information without the involvement of the reference monitor. Reference monitors controlling such access to objects by subjects are known in the art, and may utilize a security kernel approach.
Proper implementation of a reference monitor calls for adherence to three principles:
(1) completeness, in that all access by subjects to objects or other subjects must involve the monitor;
(2) isolation, in that the monitor must be protected from tampering; and
(3) verifiability, in that correspondence must be shown between the security policy and the actual implementation of the monitor.
As discussed, every reference to information or change of authorization should go through the reference monitor. Thus, all commands issued by a user or other subject are monitored by the reference monitor. This approach is particularly useful in multiuser computer environments.
The totality of the protection mechanisms within a computer system—including hardware, software, and firmware, the combination of which is responsible for enforcing a security policy—is commonly known as a “trusted computing base” (TCB). If the trusted software is designed to be as simple as possible, for the sake of verifying the reference monitor, then the trusted software is known as a “security kernel”.
Generally, TCBs attempt to meet the control objectives set out in the Orange Book. Compliance with these objectives inspires user confidence, and increases the overall desirability of a computer system. These objectives deal with:
(1) security policy;
(2) accountability; and
(3) assurance.
The security policy objective entails enforcement by the TCB of the desired security rules. These security rules are designed to limit the access to and dissemination of information in a precisely defined manner.
Security policies may include provisions for the enforcement of both mandatory and discretionary access control rules. Mandatory access control rules control access based directly on comparisons of the user's security level and the sensitivity level of the information being sought. Discretionary access rules control and limit access to identified individuals who have been determined to have a need-to-know.
These access control rules call for associating with each user identification code a statement indicating the user's access rights. This statement often includes information representing the user's security level (for mandatory control purposes), and membership in groups (for discretionary control purposes).
The accountability objective calls for providing each user with an individual user identification code (often called a “user name”) and for the TCB to be able to recognize the code and ensure that it is being used by its proper user. This may be done by checking the user's password. This verification of the user's identity is known as “authentication.”
In addition, the accountability requirement calls for the existence of auditing capabilities. Such capabilities allow for the auditing of actions which can cause access to, generation of, or release of classified or sensitive information.
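A minimal reference monitor that applies the mandatory (level dominance), discretionary (group need-to-know), authentication and audit rules described above. This is an added illustration, not code from the patent; the clearance ordering, users, passwords and objects are constructed.

```python
import hashlib, hmac
from dataclasses import dataclass, field

# Constructed clearance ordering: a higher number dominates a lower one.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

@dataclass
class Subject:
    user_name: str
    level: str          # clearance, compared by the mandatory rules
    groups: frozenset   # group membership, used by the discretionary rules
@dataclass
class Obj:
    name: str
    level: str          # sensitivity label of the information
    readers: frozenset  # groups determined to have a need-to-know

@dataclass
class ReferenceMonitor:
    users: dict         # name -> (salt, sha256(salt + password), Subject)
    audit: list = field(default_factory=list)

    def authenticate(self, user_name, password):
        # Accountability: confirm the identification code is used by its proper user.
        entry = self.users.get(user_name)
        if entry is None:
            return None
        salt, digest, subject = entry
        computed = hashlib.sha256(salt + password.encode()).hexdigest()
        return subject if hmac.compare_digest(computed, digest) else None

    def mandatory_ok(self, s, o):
        # Mandatory rule: read only information whose level the clearance dominates.
        return LEVELS[s.level] >= LEVELS[o.level]

    def discretionary_ok(self, s, o):
        # Discretionary rule: one of the subject's groups has been granted need-to-know.
        return bool(s.groups & o.readers)

    def read(self, s, o):
        # Completeness: every access passes this one choke point and is audited.
        allowed = self.mandatory_ok(s, o) and self.discretionary_ok(s, o)
        self.audit.append((s.user_name, "read", o.name, allowed))
        return allowed

def make_user(name, level, groups, password):
    # Constructed user-table entry with a per-user salt derived from the name.
    salt = hashlib.sha256(name.encode()).digest()[:8]
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return name, (salt, digest, Subject(name, level, frozenset(groups)))
```

A denial is recorded in the audit list just like a grant, which is what lets a later review of the records reveal attempted access rather than only successful access.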
1.4 Assurance Objectives and “Trusted” Systems
The assurance objective is especially important in the present context. That objective is concerned with taking steps to ensure that the security policy is correctly implemented and that the TCB accurately mediates and enforces the intent of that policy. Steps may be taken to ensure that each portion of the TCB is assured. To accomplish this objective, two types of assurance are needed.
The first type of assurance is life-cycle assurance. This type of assurance refers to steps taken to ensure that the computer system is designed, developed, and maintained using formalized and rigorous control standards.
The second type of assurance is operational assurance. Operational assurance deals with the features and system architecture used to ensure that the security policy is uncircumventably enforced during system operation. All of the software (sometimes referred to informally in the art as “code”) in the TCB is generally analyzed to determine the assurance level of the system.
As the amount of code in the TCB increases, it becomes more difficult to ensure that the TCB accurately enforces the security policy. Because of this, it is desirable to minimize the amount of trusted code, and thus the complexity of the TCB.
A TCB is usually operated in conjunction with a substantial amount of software, such as text editors and other applications, operating within the security policy of the TCB. Generally, this untrusted software asks the TCB for access to objects when the user or the untrusted software requires them. Thus, the majority of the user's requests to the TCB, and the majority of the information that a user obtains from the TCB, are handled through the agency of untrusted software.
This untrusted software, however, is by nature in danger of compromise and vulnerable to bugs. For some types of requests and displays, malicious or malfunctioning untrusted software could compromise the enforcement of the security policy. Generally, TCBs cannot distinguish between requests faithfully made by the untrusted software on command from a user and either (1) requests made by the untrusted software on its own initiative or (2) requests that misrepresent the user's actual command. For example, if commands issued by an authorized user to change certain users' security levels were made through the agency of untrusted software, it would be possible for malicious or malfunctioning untrusted software to inappropriately raise the security level of a user. Such inappropriate raising of a security level could result in the disclosure of sensitive information.
Furthermore, TCBs generally cannot ensure that displays made by untrusted software are faithful. This poses problems in that if displays of audit records were made through the use of untrusted software it would be possible for malicious untrusted software to misrepresent these audit records to hide suspicious activities.
To overcome these problems,
