1. Technical Field
The present invention relates generally to using the separation principle to design a kernel of an operating system, and more particularly, the present invention relates to a kernel that applies the separation principle to memory allocation, remote procedure call and exception handling mechanisms.
2. Discussion
Separation is an extremely important property in the construction and analysis of secure systems. If two logical entities A and B (for example, two pieces of software) are separate, then separation means that there is no way for A to influence the operation of B, and vice versa. If the operation of A is important to the security of a system, the separation of A and B means that the operation of B can be ignored when evaluating how A supports the security of the system. If A and B are not separate, so that B could influence the operation of A, then both A and B must be considered in evaluating how A supports the security of the system. The necessity of evaluating A and B increases the difficulty and cost of the security evaluation, and usually yields a lower assurance of security. Thus lack of separation yields the combination of higher cost and lower assurance.
Complete separation (no influence between A and B) yields a conceptually clean system. Incomplete separation can still be very good if there are a small (e.g. one, two, or three) number of known influence paths between A and B, and these paths have low bandwidth and/or are difficult to use. Incomplete separation is unacceptable in a high assurance system when it results from the inherent complexity of the system, and the resulting inability to analyze the possible
Separation is a principal that has been investigated for the construction of secure systems for some time. The idea behind separation can be described with the assistance of FIG. 1. A system is sometimes implemented as a set of separate physical devices, with the devices interconnected by physical wires. In FIG. 1, if it is important to the security of the system that box1 does not directly intercommunicate with box4, then one need only look at the arrangement of the physical boxes and wires to determine the truth of this property.
It is often the case that the same system will be implemented in one physical box, but with logical entities (e.g. software processes) performing the same functions as the physical boxes of FIG. 1. This new implementation may result from increasing miniaturization of components, or the increasing memory and processing power available within on processor platform. This new implementation of the same system is depicted in FIG. 2. The tasks are performing the same functions and are interconnected in the same way as the boxes of FIG. 1. If it was important before that box1 does not directly intercommunicate with box4, then it is still important that task1 does not directly intercommunicate with task4. Analyzing the system of FIG. 2 may not be as easy as it was in FIG. 1. The reason for the increasing difficulty of analysis is shown in FIG. 3.
The problem is that all of the tasks communicate with the operating system, thus the operating system becomes a means whereby information can be transmitted between tasks, and tasks can influence each other even when not permitted by the communication policy of the operating system. FIG. 3 shows task3 influencing task1 by means of operating system mechanisms. A standard example of this is memory allocation. If all of the tasks allocate memory from a shared pool of resources, then task3 could allocate all of the memory. When task1 runs and attempts to allocate memory, it will receive a failing return from the operating system. This failing return could encode a “1” transmitted from task3 to task1. If task3 then releases some memory, when task1 runs, it will try to allocate some memory again, this time receiving a successful return from the operating system. This successful/failure return from the operating system was never intended to be used as a communication channel, nevertheless a good hacker can make use of it in this way. In other words, the problem is that the other software (e.g., other tasks and the operating system) can now influence the operation of the task under analysis, and thus the task under analysis cannot be analyzed in isolation.
Therefore, it is desirable to provide a high-grade separation between processing elements in a system. This high-grade separation permits the system designer to establish high assurance secure systems by allowing each processing element to be analyzed in isolation. To achieve high-grade separation, the present invention applies the separation principle to the design a kernel of an operating system. More specifically, the kernel incorporates memory allocation, remote procedure call and exception handling mechanisms in such a way that supports the separation concept.