The subject invention is directed generally to computer security mechanisms, and more particularly to an efficient computer security mechanism.
There is a recognized need for security controls in computer systems which process sensitive and Department of Defense classified data. Historically "Computer Security" was achieved through "Periods Processing" and physical separation of computers, data and application programs. Research conducted over the last twenty years has lead to the design, implementation and evaluation of computer security mechanisms which can provide the necessary separation within the computer system. Today, the notion of "Computer Security" refers to the collection of techniques which properly implemented in a computer system provide for the separation of users, data, and application programs based on U.S. Department of Defense (DOD) defined security levels. The DOD security levels are based on security clearances granted by the government to individuals as a result of a DOD investigation and determination of an individual's "need to know."
Security controls within a computer system are aimed at preventing the disclosure of information to individuals not cleared for the information. This allows one computer system to be used by individuals who have been cleared for information at multiple levels of classification. Thus, through the implementation of proper controls a person possessing a "Confidential" security clearance and a person possessing a "Secret" security clearance may be able to use the same computer system.
The U.S. DOD has established standards for reviewing systems employing these techniques, and the standards are described in "Department of Defense Trusted Computer System Evaluation Criteria," DOD 5200 28.STD, December 1985, (referred to herein as TCSEC). The Criteria employ the concept of a "Trusted Computing Base" (TCB) which includes a combination of computer hardware and an operating system that supports untrusted applications and users. The Criteria identify seven levels of trust which range from systems that have minimal protection features to those that provide the highest level of security modern technology can produce. The Criteria was established as a means of defining objective guideline on which to base evaluations of both commercial systems and those developed for military applications. The National Computer Security Center was established in 1981 and given official responsibility for evaluating computer systems designed to meet one of the seven levels of trust for government use.
A fundamental computer security mechanism used to provide trust is a "Security Kernel" or "Reference Monitor." The use of such a mechanism was first described in "Computer Security Technology Planning Study," J. P. Anderson, ESD-TR-73-51, Vol. 1, AD-758 206, ESD/AFSC, Hanscom AFB, Bedford, Mass., October 1972. The security kernel approach is a method of building an operating system (the software that controls the execution of a computer) which is capable of enforcing DOD mandated controls on people's access to data. This approach has become to be accepted as one of the best techniques for providing computer security within a computing system.
In the reference entitled Building a Secure Computer System, M. Gassser, Van Nostrand Reinhold Company, New York, 1988, the security kernel is generally described as follows at pages 35-36:
The security kernel approach to building a system is based on the concept of a reference monitor--a combination of hardware and software responsible for enforcing the security policy of the system. Access decisions specified by the policy are based on information in an abstract access control database. The access control database embodies the security state of the system and contains information such as security attributes and access rights. The database is dynamic, changing as subjects and objects are created or deleted, and as their rights are modified. A key requirement of the reference monitor is the control of each and every access from subject to object.
Security kernels usually consult their access control database in order to compare security labels associated with all subjects and objects in a computer system. The labels are compared based on a dominance relation which is defined by a formal security policy. The security policy defined in "Secure Computer Systems: Unified Exposition and Multics Interpretation," D. E. Bell and L. J. LaPadula, MTR-2997, The MITRE Corp. Bedford, Mass., March 1976, has been widely accepted as a mathematical model of DOD controls when implemented in a computer system. The model describes controls on the accesses of subjects to objects in a computer system.
The Bell and LaPadula secrecy policy imposes two rules, stated in terms of subjects and objects they are:
1. A subject may not read from an object of a higher secrecy class.
2. A subject may not write into an object of a lower secrecy class.
These rules, when properly enforced in a computer system, prevent unauthorized disclosure of information. The first rule prevents a subject from seeing information that it is not cleared for. The second rule prevents a subject from giving information that it is cleared for to another subject who is not cleared for it.
While security kernels dramatically improve the security of a computer system they do so at some performance cost. That is, consulting the access control database introduces extra computational steps for each operation. The performance degradation has generally been around 25%. That is, a trusted computer system with a security kernel is in general 25% slower than a comparable computer system without a security kernel. For many classified processing applications this degradation has been acceptable when compared with the damage to the national security from disclosure of the sensitive information. However, many applications require both computer security controls and high performance computer systems.
Several computer manufactures have introduced specialized architectures in order to achieve the high performance needed for many critical military applications. Among them is the Intel 80960 MX.
It is clearly desirable in implement a security kernel on such an architecture as there are many applications which require both security and high performance.
The type of architecture employed on the 80960 MX is known as a capability architecture wherein access control is based on capability lists. A capability is a key to a specific object, along with a mode of access; and a subject possessing a capability may access the object in the specified mode. Capability architectures, however, can present significant difficulties with respect to satisfying security requirements. In the paper "On the Inability of an Unmodified Capability Machine to Enforce the *-Property," W. E. Boebert, Proceedings of the Seventh DoD/NBS Computer Security Conference, Gaithersburg, Md., 1984, it has been demonstrated that a pure capability-based machine architecture cannot be sufficient to implement a mandatory access control policy. Furthermore, it has been found in practice that capability-based systems may be intrinsically incapable of implementing a mandatory access control policy if they permit capabilities to be stored arbitrarily and passed freely to other subjects.
Numerous capability-based computing systems (both commercial and prototypical) have been implemented in the past, and deficiencies have subsequently been reported about their ability to enforce a rigorously defined access control policy. In general, attempts to correct the identified flaws in these systems could not be gracefully integrated into their structure and protection philosophy.
This invention addresses the problems encountered when attempting to implement a security kernel on specialized high performance capability-based architecture such as the Intel 80960 MX.