Electrical computers and digital processing systems: virtual mac – Task management or control – Process scheduling
Reexamination Certificate
1999-11-19
2004-08-03
An, Meng-Al T. (Department: 2126)
C713S164000, C711S153000
active
06772416
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Technical Field
The present invention relates generally to using the separation principle to design a kernel of an operating system, and more particularly, the present invention relates to a kernel that applies the separation principle to memory allocation, remote procedure call and exception handling mechanisms.
2. Discussion
Separation is an extremely important property in the construction and analysis of secure systems. If two logical entities A and B (for example, two pieces of software) are separate, then separation means that there is no way for A to influence the operation of B, and vice versa. If the operation of A is important to the security of a system, the separation of A and B means that the operation of B can be ignored when evaluating how A supports the security of the system. If A and B are not separate, so that B could influence the operation of A, then both A and B must be considered in evaluating how A supports the security of the system. The necessity of evaluating A and B increases the difficulty and cost of the security evaluation, and usually yields a lower assurance of security. Thus lack of separation yields the combination of higher cost and lower assurance.
Complete separation (no influence between A and B) yields a conceptually clean system. Incomplete separation can still be very good if there is only a small number (e.g. one, two, or three) of known influence paths between A and B, and these paths have low bandwidth and/or are difficult to use. Incomplete separation is unacceptable in a high assurance system when it results from the inherent complexity of the system, and the resulting inability to analyze the possible influences between A and B. Therefore, it is desirable to construct a high assurance system applying strong separation principles.
Separation is a principle that has been investigated for the construction of secure systems for some time. The idea behind separation can be described with the assistance of FIG. 1. A system is sometimes implemented as a set of separate physical devices, with the devices interconnected by physical wires. In FIG. 1, if it is important to the security of the system that box 1 does not directly intercommunicate with box 4, then one need only look at the arrangement of the physical boxes and wires to determine the truth of this property.
It is often the case that the same system will be implemented in one physical box, but with logical entities (e.g. software processes) performing the same functions as the physical boxes of FIG. 1. This new implementation may result from increasing miniaturization of components, or the increasing memory and processing power available within one processor platform. This new implementation of the same system is depicted in FIG. 2. The tasks perform the same functions and are interconnected in the same way as the boxes of FIG. 1. If it was important before that box 1 does not directly intercommunicate with box 4, then it is still important that task 1 does not directly intercommunicate with task 4. Analyzing the system of FIG. 2 may not be as easy as it was in FIG. 1. The reason for the increased difficulty of analysis is shown in FIG. 3.
The problem is that all of the tasks communicate with the operating system, thus the operating system becomes a means whereby information can be transmitted between tasks, and tasks can influence each other even when not permitted by the communication policy of the operating system. FIG. 3 shows task 3 influencing task 1 by means of operating system mechanisms. A standard example of this is memory allocation. If all of the tasks allocate memory from a shared pool of resources, then task 3 could allocate all of the memory. When task 1 runs and attempts to allocate memory, it will receive a failing return from the operating system. This failing return could encode a “1” transmitted from task 3 to task 1. If task 3 then releases some memory, when task 1 runs, it will try to allocate some memory again, this time receiving a successful return from the operating system. This success/failure return from the operating system was never intended to be used as a communication channel; nevertheless a good hacker can make use of it in this way. In other words, the problem is that the other software (e.g., other tasks and the operating system) can now influence the operation of the task under analysis, and thus the task under analysis cannot be analyzed in isolation.
Therefore, it is desirable to provide a high-grade separation between processing elements in a system. This high-grade separation permits the system designer to establish high assurance secure systems by allowing each processing element to be analyzed in isolation. To achieve high-grade separation, the present invention applies the separation principle to the design of a kernel of an operating system. More specifically, the kernel incorporates memory allocation, remote procedure call and exception handling mechanisms in such a way as to support the separation concept.
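To make the memory-allocation channel of FIG. 3 and its separation-kernel remedy concrete, here is an added C model written for this page (not code from the patent or its assignee): a shared-pool allocator, in which task 1's allocation outcome depends on what task 3 holds, beside a partitioned allocator with a fixed per-task quota, in which it does not. The pool size, quota, task numbers and the function names (`shared_pool_leaks`, `partitioned_pool_leaks` and the toy allocators) are constructed for the demonstration.

```c
/* Added example, not from the patent: toy shared vs. partitioned allocators. */
#include <stdbool.h>
#define POOL_BLOCKS 8                 /* constructed: total blocks in the system */
#define NTASKS 4
#define QUOTA (POOL_BLOCKS / NTASKS)  /* fixed share per task in the separated design */

/* Shared pool: one free counter serves every task (the situation of FIG. 3). */
typedef struct { int free_blocks; } shared_pool;
/* Partitioned pool: each task owns a fixed quota assigned at configuration time. */
typedef struct { int free_blocks[NTASKS]; } partitioned_pool;
static bool shared_alloc(shared_pool *p, int n) {   /* fails whenever others hold too much */
    if (p->free_blocks < n) return false;
    p->free_blocks -= n; return true;
}
static void shared_free(shared_pool *p, int n) { p->free_blocks += n; }
static bool part_alloc(partitioned_pool *p, int task, int n) {   /* depends on own quota only */
    if (p->free_blocks[task] < n) return false;
    p->free_blocks[task] -= n; return true;
}
static void part_free(partitioned_pool *p, int task, int n) { p->free_blocks[task] += n; }

/* Task 3 (sender) holds all memory it can reach to send a 1, or nothing to send a 0;
 * task 1 (receiver) reads the bit from whether its own one-block request fails. */
static int shared_observe(shared_pool *pool, int bit) {
    int held = bit ? pool->free_blocks : 0;
    shared_alloc(pool, held);                       /* task 3 exhausts the shared pool */
    int observed = shared_alloc(pool, 1) ? 0 : 1;   /* task 1's request fails iff bit == 1 */
    if (observed == 0) shared_free(pool, 1);
    shared_free(pool, held);                        /* task 3 releases */
    return observed;
}
static int part_observe(partitioned_pool *pool, int bit) {
    int held = bit ? pool->free_blocks[3] : 0;
    part_alloc(pool, 3, held);                      /* task 3 can only exhaust its own quota */
    int observed = part_alloc(pool, 1, 1) ? 0 : 1;  /* task 1 is unaffected */
    if (observed == 0) part_free(pool, 1, 1);
    part_free(pool, 3, held);
    return observed;
}

/* True if task 1 recovers both bit values task 3 sends, i.e. the channel exists. */
bool shared_pool_leaks(void) {
    shared_pool pool = { POOL_BLOCKS };
    return shared_observe(&pool, 1) == 1 && shared_observe(&pool, 0) == 0;
}
bool partitioned_pool_leaks(void) {
    partitioned_pool pool; for (int t = 0; t < NTASKS; t++) pool.free_blocks[t] = QUOTA;
    return part_observe(&pool, 1) == 1 && part_observe(&pool, 0) == 0;
}
```

The same reasoning applies to the other kernel mechanisms the patent names: any return value whose outcome depends on another task's behaviour is a candidate influence path, and the separation kernel removes it by making each task's resources independent at configuration time.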
Amstutz Jennifer Lynn
Carmony Pamela Tam
Chen Hua
Dailey Conan Brian
Hines Keith Michael
An Meng-Al T.
Anya Charles
General Dynamics Decision Systems, Inc.
Ingrassia Fisher & Lorenz P.C.