Today's computer and software technology solves a broad spectrum of tasks, ranging from simple ones such as playing games or creating documents to incredibly complex ones such as controlling industrial facilities. Such pervasive computerization acutely raises the need to ensure computer security. Security matters to home computer users, since malicious software such as viruses, computer worms and Trojan programs is widespread and can serve as a tool for serious cybercrimes, such as theft of funds from bank accounts. Security is especially important, however, for critical infrastructure facilities and industrial systems. For example, the Stuxnet computer worm demonstrated that software already exists which can be used as a tool for unauthorized data collection and for sabotaging automated process control systems (APCSs) of industrial companies, power plants, airports and other facilities of critical importance. Ensuring security is therefore a very important issue which must be resolved in real time during the operation of both home computers and industrial systems.
At present, software has its own security-related functionality, which can exist separately from, or jointly with, the security functionality of the operating system. In other words, in today's operating systems and software the security logic and the functional logic can be combined in one component. This approach has a drawback: an offender exploiting errors in the functional logic, or zero-day vulnerabilities in it, can often bypass the assigned security level. One example is the TCP/IP stack, a set of network protocols in which a protocol located at a higher level operates "over" the lower one using encapsulation mechanisms. This set of protocols is functionally designed for the transfer of information over a network. At the same time, Microsoft Corporation's operating systems contained a vulnerability caused by an error in the TCP/IP stack during the processing of IPv4 packets: a remote user was able to halt the system's operation with a specially crafted packet. Another example is the NTFS file system, which has its own security mechanisms, for example access differentiation. Thus the NTFS driver, which initiates access to information blocks on the disk, also performs access control. If these security functions were removed from the driver, the NTFS file system would become vulnerable to a number of possible attacks.
Moreover, the protection mechanisms of existing OSs are insufficient to meet the confidentiality and integrity requirements imposed on information systems. The diversity of information systems and of the applications running on them creates a long list of differing security requirements, which necessitates the use of various types of security policies. A security architecture must therefore be sufficiently reliable and flexible to support a large number of security policies.
As an example of a security architecture for automated systems, the Flask mandatory access control architecture was proposed; it was developed by the National Security Agency (NSA) jointly with Secure Computing Corporation (SCC) and is based on the Type Enforcement (TE) mechanism. The Flask architecture was integrated into the Linux OS kernel in a project titled SELinux (Security Enhanced Linux).
Under the Flask architecture, a separate component called a security server is allocated in the OS, and the security policy is implemented within it. The security server provides a specific programming interface to the other components of the OS, allowing them to obtain security policy decisions. These other components are called object managers; for example, the file system is the object manager for file objects. The Flask architecture defines only the interface that the security server provides to the object managers. In SELinux, the security server supports three access control mechanisms: type enforcement (TE), role-based access control (RBAC) and multi-level security (MLS). These security models are hard-coded in the architecture, so any change to this list requires changes to the main components of the architecture (i.e. to the security server and to the object managers).
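A toy version of the Flask split just described, added here as an illustration (it is not code from the patent, from Flask or from SELinux): a security server holds type-enforcement rules and computes access vectors, while a file object manager only labels objects, requests decisions through the server's interface and enforces them. The `Context`, `SecurityServer` and `FileManager` names, the TE types and the file contents are all constructed for the example.

```python
from collections import namedtuple

# Security context: user, role and the TE type that the rules refer to.
Context = namedtuple("Context", "user role type")

class SecurityServer:
    """Policy lives only here; object managers never see the rule table."""
    def __init__(self):
        self._allow = {}  # (source type, target type, object class) -> perms
    def allow(self, src, tgt, cls, perms):
        """Add a TE rule, in the spirit of 'allow src tgt:cls { perms };'."""
        self._allow.setdefault((src, tgt, cls), set()).update(perms)
    def compute_av(self, scon, tcon, cls):
        """Access vector: the permissions scon holds on tcon for class cls."""
        return frozenset(self._allow.get((scon.type, tcon.type, cls), ()))

class FileManager:
    """Object manager: labels files, asks the server, enforces the answer."""
    def __init__(self, server, files):
        self.server, self.files = server, files  # files: path -> (label, data)
    def _check(self, subject, path, perm):
        label = self.files[path][0]
        if perm not in self.server.compute_av(subject, label, "file"):
            raise PermissionError(f"{subject.type}: no {perm} on {path} ({label.type})")
    def read(self, subject, path):
        self._check(subject, path, "read")
        return self.files[path][1]
    def write(self, subject, path, data):
        self._check(subject, path, "write")
        self.files[path] = (self.files[path][0], data)

def demo():
    """Constructed policy, labels and file; returns the outcome of each access."""
    server = SecurityServer()
    server.allow("user_t", "etc_t", "file", {"read"})
    etc_label = Context("system_u", "object_r", "etc_t")
    fm = FileManager(server, {"/etc/hosts": (etc_label, "127.0.0.1 localhost")})
    user = Context("alice", "user_r", "user_t")
    out = {"user_read": fm.read(user, "/etc/hosts")}
    try:
        fm.write(user, "/etc/hosts", "tampered")
        out["user_write"] = "allowed"
    except PermissionError:
        out["user_write"] = "denied"
    # Granting write is a change in the security server only; FileManager is untouched.
    server.allow("user_t", "etc_t", "file", {"write"})
    fm.write(user, "/etc/hosts", "127.0.0.1 localhost gw")
    out["user_write_after_change"] = fm.read(user, "/etc/hosts")
    return out
```

The point the text makes about SELinux still holds here: adding a fourth decision model (beyond the rule table) would mean changing `SecurityServer` and the interface the object managers call, not just the rules.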
The above-described examples all suffer from a lack of separation between functionality and security. Any software module that provides both functionality and security, if compromised by an offender, allows the offender to bypass the system's security and, for example, to raise the privileges of a process to those required for the offender's actions.