Skip to main content
SpringerLink
Log in

Design of secure operating systems with high security levels

  • Published:
Science in China Series F: Information Sciences Aims and scope Submit manuscript

Abstract

Numerous Internet security incidents have shown that support from secure operating systems is paramount to fighting threats posed by modern computing environments. Based on the requirements of the relevant national and international standards and criteria, in combination with our experience in the design and development of the ANSHENG v4.0 secure operating system with high security level (hereafter simply referred to as ANSHENG OS), this paper addresses the following key issues in the design of secure operating systems with high security levels: security architecture, security policy models, and covert channel analysis. The design principles of security architecture and three basic security models: confidentiality, integrity, and privilege control models are discussed, respectively. Three novel security models and new security architecture are proposed. The prominent features of these proposals, as well as their applications to the ANSHENG OS, are elaborated. Cover channel analysis (CCA) is a well-known hard problem in the design of secure operating systems with high security levels since to date it lacks a sound theoretical basis and systematic analysis approach. In order to resolve the fundamental difficulties of CCA, we have set up a sound theoretical basis for completeness of covert channel identification and have proposed a unified framework for covert channel identification and an efficient backward tracking search method. The successful application of our new proposals to the ANSHENG OS has shown that it can help ease and speedup the entire CCA process.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Spencer R, Smalley S, Loscocco P, et al. The Flask security architecture: System support for diverse security policies. In: Proceedings of the 8th USENIX Security Symposium. Washington DC: Usenix Assoc., 1999. 123–139

    Google Scholar 

  2. Wright C, Cowan C, Morris J, et al. Linux security modules: General security support for the Linux kernel. Usenix Security Symp., Usenix Assoc., 2002. 17–31

  3. Kuhnhauser W, Ostrowski M. A framework to support multiple security policies. In: Proceedings of the 7th Canadian Computer Security Symposium, Ottawa, Canada, 1995

  4. Bell D E. Modeling the multipolicy machine. In: Proc. of the New Security Paradigm Workshop, 1994, 2–9

  5. Bell D E, La Padula L J. Secure Computer System: Unified Exposition and Multics Interpretation. Mitre Report, MTR-2997 Rev. 1, 1976

  6. Ott A. Regel-Basierte zugriffskontrolle nach dem Generalized framework for access controlansatz am beispiel Linux. Diplomarbeit Universitat Hamburg, 1997

  7. Lee T. Using mandatory integrity to enforce “commercial” security. In: Proceedings of IEEE Symposium on Security and Privacy. Oakland: IEEE Computer Society Press, 1988. 140–146

    Chapter  Google Scholar 

  8. Bell D E. Security policy modeling for the next-generation packet switch. In: Proceedings of IEEE Symposium on Security and Privacy. Oakland: IEEE Computer Society Press, 1988. 212–216

    Chapter  Google Scholar 

  9. Mayer F L. An interpretation of refined Bell-La Padula model for the TMach kernel. In: Proc of the 4th Aerospace Computer Security Application. Orlando: IEEE Computer Society Press, 1988. 368–378

    Chapter  Google Scholar 

  10. Secure Computing Corporation. Assurance in the Fluke microkernel: Formal top-level specification. CDRL A004. Technical Report, Secure Computing Corporation, 1999

  11. Ji Q G, Qing S H, He Y P. An improved dynamically modified confidentiality policies model. J Software (in Chinese), 2004, 15(10): 1547–1557

    MATH  Google Scholar 

  12. Biba K. Integrity consideration for secure computer systems. MITRE TR-3153, MITRE Corporation, 1977

  13. Clark D, Wilson D. A comparison of commercial and military computer security policies. In: IEEE Symposium on Security and Privacy. Oakland, CA: IEEE, 1987. 184–194

    Google Scholar 

  14. Karger P. Implementing commercial data integrity with secure capabilities. In: IEEE Symposium on Security and Privacy. Oakland, CA: IEEE, 1988. 130–139

    Chapter  Google Scholar 

  15. O’Brien R, Rogers C. Developing applications on LOCK. In: Proc 14th National Computer Security Conference. Washington DC, 1991. 147–156

  16. National Security Agency, Security Enhanced Linux (SELinux). http://www.nsa.gov/selinux 2001

  17. Ji Q G, Qing S H, He Y P. A formal model for integrity protection based on DTE technique. Sci China Ser F-Inf Sci, 2006, 49(5): 545–565

    Article  Google Scholar 

  18. Saltzer J H, Schroeder M D. The protection of information in computer systems. Proc IEEE, 1975, 63(9): 1278–1308

    Article  Google Scholar 

  19. Ferraiolo D, Cugini J, Kuhn D. Role based access control (RBAC): Features and motivations. In: Proceedings of 11th Annual Computer Security Applications Conference, 1995

  20. Hoffman J. Implementing RBAC on a type enforced system. In: Proceedings of 13th Annual Computer Security Applications Conference. 1997. 158–163

  21. Chandramouli R. A framework for multiple authorization types in a healthcare application system. In: Proceedings of the 17th Annual Computer Security Application Conference. 2001. 137–148

  22. Portable Applications Standards. Committee of IEEE Computer Society. Standards Project, Draft Standard for Information Technology—Portable Operating System Interface (POSIX), PSSG Draft 17. New York: IEEE Inc., 1997

    Google Scholar 

  23. Ji Q G, Qing S H, He Y P. A new formal model for privilege control with supporting POSIX capability mechanism. Sci China Ser F-Inf Sci, 2005, 48(1): 46–66

    Article  Google Scholar 

  24. Lampson B. A note on the confinement problem. Comm ACM, 1973, 16(10): 613–615

    Article  Google Scholar 

  25. Tsai C, Gligor V, Chandersekaran C. On the identification of covert storage channels in secure systems. IEEE Trans Software Engin, 1990, 16(6): 569–580

    Article  Google Scholar 

  26. Kemmerer R. Shared resource matrix methodology: An approach to identifying storage and timing channels. ACM Trans Comput Syst, 1983, 1(3): 256–277

    Article  Google Scholar 

  27. Kemmerer R. Covert flow trees: A visual approach to analyzing covert storage channels. IEEE Trans Software Engin, 1991, 17(11): 1166–1185

    Article  Google Scholar 

  28. McHugh J, Handbook for the computer security certification of trusted systems — covert channel analysis. Technical Report, Naval Research Laboratory, Feb. 1996

  29. Kemmerer R, Taylor T. Modular covert channel analysis methodology for trusted DG/UX. IEEE Trans Software Engin, 1996, 22: 224–235

    Google Scholar 

  30. Qing S H. Covert channel analysis in secure operating systems with high security levels. J Software (in Chinese), 2004, 15(12): 1837–1849

    MATH  MathSciNet  Google Scholar 

  31. Qing S H, Zhu J F. Covet channel analysis on ANSHENG secure operating system. J Software (in Chinese), 2004, 15(9): 1385–1392

    MATH  Google Scholar 

  32. Qing S H, Ji Q G. Formal model design for secure operating system (invited paper). In: Proceedings of ITI First International Conference on Information & Communications Technology (ICICT2003), Egypt, 2003. 27–47

Download references

Author information

Authors and Affiliations

  1. Institute of Software, Chinese Academy of Sciences, Beijing, 100080, China

    Qing SiHan

  2. School of Software and Microelectronics, Peking University, Beijing, 102600, China

    Qing SiHan

  3. Institute of Computing Technology, Navy, Beijing, 100841, China

    Shen ChangXiang

Authors
  1. Qing SiHan
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Shen ChangXiang
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Qing SiHan.

Additional information

Supported by the Natural Science Foundation of Beijing (Grant No. 4052016), the National Natural Science Foundation of China (Grant No. 60573042), and the National Grand Fundamental Research 973 Program of China (Grant No. G1999035802)

Rights and permissions

Reprints and permissions

About this article

Cite this article

Qing, S., Shen, C. Design of secure operating systems with high security levels. SCI CHINA SER F 50, 399–418 (2007). https://doi.org/10.1007/s11432-007-0028-3

Download citation

  • Received:

  • Accepted:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11432-007-0028-3

Keywords

Search

Navigation