Relationships Among the TCB, the OS, the Kernel, and the Security Kernel

1. This presentation is intended to be viewed in slide show mode; if you’re reading this text, you’re not in slideshow mode • Press F5 to enter slideshow mode ─ or hit the slide show icon, or use the Slide Show menu, or … . Relationships Among the TCB, the OS, the Kernel, and the Security Kernel

2. The Security Kernel (SK) TCB&OS The Operating System Kernel Security Kernel audit DBMS audit record-levelaccess control OSKernel DBMS (or other application) Supplied by an operating system (OS) Optional, depends on the presence of software not supplied as part of the OS And “regular” (file level) audit is probably used often enough that it might be part of the OS kernel (depending possibly on the vendor) but is not in the security kernel, although it is still within the TCB • The security kernel implements the reference monitor • By definition, it is a subset of the TCB • Beyond that, there are a lot of “it depends” to consider in analyzing its relationship to other software TCB Operating System … and might also include other TCB software that might nonetheless not be SK software biometric Software mount … if not, additional software packages providing finer granularity access control, capabilities – e.g., a data base management system – would be providing parts of the SK … • The software necessary to mount a disk volume is presumably part of any security kernel – a corrupted mount could compromise access control – but, since it isn’t used very frequently, might not need to be continuously memory resident • So if the OS kernel is defined as OS code that is “always running” (which should be better said as “always memory resident”), then the mount software would be in the security kernel but not in the OS kernel • Large portions of the TCB are usually provided by an operating system • Whether or not the entire TCB is a subset of the operating system depends on whether or not the security architecture requires software mechanisms not provided by the OS • Whereas the short-term scheduler is almost always considered part of the OS kernel, it is surely not part of the security kernel and perhaps not even part of the TCB at all, if the TCB is (perhaps too narrowly?) construed as only MDIA (as in the old Orange Book) • But since a corrupted short term scheduler could be a denial of service attack, perhaps it should be (considered as part of the TCB) short termscheduler ? The SK would be a subset of the operating system if the OS could manage access control over all objects and modes at the finest level of granularity needed by the system’s access control policy, but … Few OS’s come with biometric identification/authentication software built in, for example; but if a security policy called for biometric authentication, the biometric software would assuredly be part of the TCB, no? By any reasonable definition of the OS kernel, there’s a large overlap between it and the security kernel but more precisely nailing down the relationship is complicated by the lack of any standard, technically precise definition for the OS kernel

3. The Point? • The essences of the four entities – the OS, the TCB, the OS kernel, and the security kernel– are conceptually distinct, but the boundaries and relationships can be fuzzy • The OS kernel is probably the least well defined and seems to vary from author to author, or, perhaps worse, from OS vendor to OS vendor • There’s not really a right or wrong answer here, but it’s important to establish a well understood, common vocabulary for any given technical conversation – beware the undiagnosed Tower of Babel problem!