
Research On The Trusted Operating System

Posted on: 2008-12-12
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L Tan
GTID: 1118360215950397
Subject: Computer application technology

Abstract/Summary:
Security of the operating system (OS) is the foundation of the security of information systems. Over the last forty-odd years the Secure Operating System (SOS) has developed greatly and produced many substantial results. Yet, looking back over its history, there is still no mature SOS in the commercial and civil fields, and the SOS remains confined to national defense and military use. To date the SOS has not succeeded anywhere in the world. What are the reasons? One is that the SOS is incomplete and has problems of its own; the other is that traditional information security technologies cannot solve the increasingly complex security problems that grow day by day with the number of application systems on the Internet.

In this thesis we review the past progress of the SOS and the important achievements in this research area. Starting from the current state of the SOS, its main problems are analyzed, and, building on Trusted Computing (TC), the concept of the Trusted Operating System (TOS) is put forward for the first time. The properties and connotation of the TOS and its relationship to the SOS are then addressed. The thesis further studies the architecture, booting, self-integrity measurement, login, the framework of dynamic multi-policies with a time characteristic, and the behavior creditability and object creditability of the TOS, and arrives at the following innovative results:

1. Proposing the concept of the TOS for the first time

Based on SOS and TC technologies, the concept of the TOS is defined for the first time. The TOS is an OS that can adapt to changes in its environment by supporting flexible and adaptive multi-policies, can guarantee that the behavior of inside users always stays within what their authorizers expect, and can assure the confidentiality, integrity and creditability of its objects as well as its own integrity.
We then address the relationship between the TOS and the SOS. On the one hand, the SOS is the foundation of the TOS, and the security models and access frameworks of the SOS apply to the TOS as well; on the other hand, the TOS differs from the SOS in purpose: the SOS provides users with a basic secure platform, whereas the TOS provides users with a trusted computing environment [TAN2006a].

2. Proposing a new Parallel Recovery Trusted Startup Process based on the Trusted Hardware for the self-integrity of the TOS

Starting from an analysis of the ordinary startup process of a traditional OS, the trusted startup process is analyzed and divided into two phases: the first is the startup of the Trusted Hardware (TH), the second the startup of the OS kernel; several problems of the trusted startup process are identified. To solve them, a new trusted boot process, the Parallel Recovery Trusted Startup Process (PRTSP), is put forward; it lets the CPU and the TPM work in parallel and supports backup and recovery. The PRTSP has been implemented with channel technology. Analysis of the security and performance of the PRTSP shows that a high assurance of system security is obtained, which provides the basis for building the trusted computing environment [TAN2006b, TAN2006c].

3. Proposing a trusted login authentication scheme

Login authentication in a traditional OS has the following deficiencies: (1) untrusted storage: the important data that must be verified at login, such as passwords, keys or character codes, are stored insecurely; for example, the password is kept in the file system, and the protection the file system gives such data is insufficient; (2) login authentication in a traditional OS is one-way: the OS can verify the user, but the user cannot verify the OS.
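As an added illustration of the two deficiencies just listed, and of the bidirectional check that a hardware-held key makes possible, the following is example code written for this page; it is not the thesis's TLABT protocol, which the abstract does not specify. The password record, host identifier, user names and nonce sizes are constructed, and HMAC over a shared key is assumed in place of whatever primitive the trusted hardware actually provides.

```python
"""Added example (not the thesis's TLABT): the one-way, file-backed login of a traditional OS beside
a token-backed mutual challenge-response. Constructed data throughout; HMAC with a shared key is an
assumption standing in for the primitive the trusted hardware would really use."""
import hashlib
import hmac
import os

# Deficiency (1): the user's verifier lives in an ordinary file that the OS must protect by itself.
# Constructed stand-in for a password record on disk.
PASSWORD_FILE = {"alice": "hunter2"}


def weak_login(user: str, password: str) -> bool:
    """Deficiency (2): one direction only. The OS checks the user, the user learns nothing about
    the OS, and anyone who can read PASSWORD_FILE can pass this check."""
    stored = PASSWORD_FILE.get(user, "")
    return hmac.compare_digest(stored.encode(), password.encode())


def _tag(key: bytes, *parts: bytes) -> bytes:
    """Keyed tag over length-prefixed parts, so a 'host' transcript can never be replayed as a
    'user' transcript or vice versa."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


class UserToken:
    """Hypothetical USB-attached trusted hardware holding one user's key. The key never leaves it:
    the token only checks the host's proof and answers the host's challenge."""

    def __init__(self, user: str, key: bytes):
        self._user = user.encode()
        self._key = key

    def verify_host(self, host_id: bytes, user_nonce: bytes, proof: bytes) -> bool:
        expected = _tag(self._key, b"host", host_id, user_nonce)
        return hmac.compare_digest(expected, proof)

    def respond(self, host_id: bytes, host_nonce: bytes) -> bytes:
        return _tag(self._key, b"user", self._user, host_id, host_nonce)


class TrustedHost:
    """The OS side. Its copies of the user keys are assumed to live in the host's own trusted
    hardware; here they are a constructed dict."""

    def __init__(self, host_id: bytes, keys: dict):
        self.host_id = host_id
        self._keys = keys

    def prove(self, user: str, user_nonce: bytes) -> bytes:
        key = self._keys.get(user)
        if key is None:
            return bytes(32)  # unknown user: emit a proof that cannot verify
        return _tag(key, b"host", self.host_id, user_nonce)

    def check_user(self, user: str, host_nonce: bytes, response: bytes) -> bool:
        key = self._keys.get(user)
        if key is None:
            return False
        expected = _tag(key, b"user", user.encode(), self.host_id, host_nonce)
        return hmac.compare_digest(expected, response)


def mutual_login(host: TrustedHost, token: UserToken, user: str, rng=os.urandom):
    """Bidirectional authentication. Returns (host_verified, user_verified).
    The token refuses to answer a host that could not first prove knowledge of the key."""
    user_nonce = rng(16)
    host_ok = token.verify_host(host.host_id, user_nonce, host.prove(user, user_nonce))
    if not host_ok:
        return False, False
    host_nonce = rng(16)
    user_ok = host.check_user(user, host_nonce, token.respond(host.host_id, host_nonce))
    return host_ok, user_ok
```

The host proves itself first, so a rogue machine presenting a USB socket learns nothing it can replay; the user response binds the user name and the host identifier, so a token for another user, or a transcript captured against another host, does not authenticate.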
To overcome these deficiencies, a new identity authentication, the Trusted Login Authentication Based on the TH (TLABT), is put forward. The TLABT is realized through a USB interface that connects the TH, and stores the users' identities and keys in the TH. It overcomes the traditional deficiencies and supports bidirectional authentication [TAN2007a].

4. Proposing an insider behavior monitoring model based on the user behavior tree to prevent "open authority behavior" and "insider threat behavior"

"Open authority behavior" and "insider threat behavior" have become the main modes of behavior by which inside information leaks out. The insider threat caused by them is more serious than the outsider threat, so the TOS should monitor insider behavior. To that end, the characteristics of insider behavior and their formal description are analyzed first, and then an insider behavior monitoring model based on the user behavior tree is put forward. This model captures the traces of "open authority behavior" and "insider threat behavior" through the OS behavior tree and uses the hierarchy of the behavior tree to monitor insider behavior. In all, the model, whose algorithm filters users' vice-behaviors on the basis of the user behavior tree, can effectively prevent "open authority behavior" and "insider threat behavior", guarantee the creditability of user behavior, and is a useful complement to traditional access control theory [TAN2006f].

5. Proposing the concept of the trusted object

The SOS cannot guarantee the authenticity of its objects.
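Both the PRTSP of item 2 and the trusted-object mechanisms of item 5 rest on measuring content with a hash and anchoring the result in trusted hardware. The following added example was written for this page and is not code from the thesis: the abstract gives neither the PRTSP channel implementation nor the TASSOBT mapping-file format. It simulates a TPM-style measurement chain over boot stages, recovers from a backup copy when a stage fails its measurement, and reuses the same measurement for a per-object record of the original content and a chained log of changes. The boot images, stage names, object contents and the key assumed to reside in the trusted hardware are all constructed, and HMAC under that key stands in for the TH's signature.

```python
"""Added example (not the thesis's PRTSP or TASSOBT): a TPM-style measurement chain over boot
components with recovery from a backup copy on mismatch, and the same hash measurement reused for a
per-object record of original content, actions and keyed tags. Constructed images; HMAC under a key
assumed to sit in the trusted hardware stands in for the TH's signature."""
import hashlib
import hmac

PCR_INIT = bytes(32)


def measure(data: bytes) -> bytes:
    """Measurement of a component or object: SHA-256 of its content."""
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR' = H(PCR || measurement). Order-dependent and one-way."""
    return hashlib.sha256(pcr + measurement).digest()


def provision(stages):
    """Golden run: record the expected PCR value after each stage of a known-good boot."""
    expected, pcr = {}, PCR_INIT
    for name, image in stages:
        pcr = pcr_extend(pcr, measure(image))
        expected[name] = pcr
    return expected


def trusted_boot(stages, expected, backups):
    """Measure each stage before handing control to it. On a mismatch fall back to the backup copy
    of that stage, and refuse to continue if the backup does not match either.
    Returns (ok, final_pcr, names_of_recovered_stages)."""
    pcr, recovered = PCR_INIT, []
    for name, image in stages:
        candidate = pcr_extend(pcr, measure(image))
        if candidate != expected[name]:
            backup = backups.get(name)
            if backup is None:
                return False, pcr, recovered
            candidate = pcr_extend(pcr, measure(backup))
            if candidate != expected[name]:
                return False, pcr, recovered
            recovered.append(name)
        pcr = candidate
    return True, pcr, recovered


class StaticObjectRecord:
    """Per-object record: the original measurement plus a chained list of (action, new measurement,
    tag). Each tag covers the previous tag, so reordering or editing an entry breaks verification."""

    def __init__(self, th_key: bytes, content: bytes):
        self._key = th_key
        self.original = measure(content)
        self.entries = []
        self._last_tag = hmac.new(th_key, self.original, hashlib.sha256).digest()

    def _tag(self, prev: bytes, action: str, digest: bytes) -> bytes:
        return hmac.new(self._key, prev + action.encode() + b"\x00" + digest, hashlib.sha256).digest()

    def record_change(self, action: str, new_content: bytes) -> None:
        digest = measure(new_content)
        tag = self._tag(self._last_tag, action, digest)
        self.entries.append((action, digest, tag))
        self._last_tag = tag

    def verify(self, content: bytes) -> bool:
        """Recompute the chain from the original and check that content matches the latest entry."""
        prev = hmac.new(self._key, self.original, hashlib.sha256).digest()
        current = self.original
        for action, digest, tag in self.entries:
            if not hmac.compare_digest(self._tag(prev, action, digest), tag):
                return False
            prev, current = tag, digest
        return hmac.compare_digest(current, measure(content))
```

Because `pcr_extend` folds every earlier measurement into the register, the final value only matches the golden one if every stage, in order, matched or was replaced by a matching backup; the boot reports which stages were recovered so the event can be logged and the primary copy repaired.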
To address this, the object types in the operating system are analyzed first; the concepts of the trusted static object, the trusted dynamic object and the trusted object are put forward; and then the characteristics of the trusted object and the relationship between the secure object and the trusted object are addressed [TAN2007b]. To guarantee the creditability of trusted static objects in the TOS, the Trusted Authentication System for the Static Object Based on the TH (TASSOBT) is proposed. The TASSOBT creates a mapping file for each trusted static object, which records the original, the actions and the signature for each content change, and is stored in the TH [TAN2007c]. To prevent dynamic objects in the TOS from leaking information, the Monitor System for the Trusted Dynamic Object Based on the TH (MSTDOBT) is presented, which guarantees mutual identity authentication between the subject and the trusted dynamic object [TAN2007d]. The TASSOBT and the MSTDOBT are the foundation of the trusted computing environment.

Besides these, the thesis explores other security mechanisms that have a positive effect on the trusted operating system:

1. Proposing the Segmented and Over-Issued CRL synthesis model and the Delta and Over-Issued CRL synthesis model

Clients need identity authentication on the network, and the technical foundation of TC is PKI, which realizes identity authentication through certificates. As the number of certificates grows, maintaining the CRL becomes a hot potato. Therefore the Segmented and Over-Issued CRL synthesis model and the Delta and Over-Issued CRL synthesis model are proposed. In the Segmented and Over-Issued CRL synthesis model, the CRL is first segmented and then over-issued.
Compared with other models, the improved model minimizes CRL size, which speeds up request service, and reduces the peak request rate, peak bandwidth, average load and time slice on the CRL repository. Although the average request rate of the improved model is higher than that of the over-issued model, as long as the parameters O and S are obtained and adjusted properly, the peak request rate, peak bandwidth, average request rate and average load of the improved model can be controlled to suit large-scale PKIs as required [TAN2005a].

In the Delta and Over-Issued CRL synthesis model, the base CRL of the delta CRLs is over-issued. Compared with other models, the improved model minimizes CRL size, which shortens response time and time slice, and reduces the peak request rate for the base CRL, the peak bandwidth and the average load on CRL repositories. At the same time it is shown that the improved model is better than the traditional model and plain delta CRLs, but that its issuance performance depends on the certificate revocation rate, the certificate validity period, and the time span and issue period of the delta CRL. The higher the revocation rate, the longer the delta CRL time span and issue period, and the shorter the certificate validity period, the smaller the performance improvement obtained by over-issuing the base CRL. The improved model therefore suits large-scale PKIs whose revocation rate is low, whose certificate validity period is long, and whose delta CRL time span and issue period are short [TAN2005b].
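The two CRL models above are judged by their effect on request rate and bandwidth at the repository. The following added simulation was written for this page and is not the thesis's model, simulator or figures; it shows the mechanism by which the over-issue factor O and the segment count S move those quantities. Relying-party count, validation probability, validity period, revoked-entry count and CRL byte sizes are constructed assumptions, so the numbers it prints describe this constructed setting, not the thesis's results.

```python
"""Added example (not the thesis's model or simulator): a discrete-time simulation of CRL repository
load under over-issuing (parameter O) and segmentation (parameter S). Relying parties, revocation
counts and byte sizes are constructed assumptions."""
import random


def simulate(over_issue=1, segments=1, n_rp=4000, revoked=1000, validity=40,
             p_validate=0.05, steps=200, seed=7, entry_bytes=40, header_bytes=200):
    """Each step, every relying party validates a random certificate with probability p_validate.
    It reuses its cached CRL for that certificate's segment while unexpired; otherwise it fetches
    the most recently issued copy. A fresh CRL valid for `validity` steps is issued every
    validity/O steps, and each of the S segments is a separate, proportionally smaller CRL.
    Statistics skip the first `validity` steps so the cold-cache burst does not dominate."""
    rng = random.Random(seed)
    interval = validity // over_issue
    seg_bytes = header_bytes + entry_bytes * revoked // segments
    # expiry time of the cached copy per (relying party, segment); -1 means nothing cached yet
    cache = [[-1] * segments for _ in range(n_rp)]
    requests_per_step = []
    for t in range(steps):
        issued_at = (t // interval) * interval      # latest issue time under over-issuing
        requests = 0
        for rp_cache in cache:
            if rng.random() >= p_validate:
                continue
            seg = rng.randrange(segments)
            if rp_cache[seg] <= t:                 # absent or expired: fetch the latest copy
                rp_cache[seg] = issued_at + validity
                requests += 1
        requests_per_step.append(requests)
    steady = requests_per_step[validity:]
    return {
        "bytes_per_request": seg_bytes,
        "peak_requests": max(steady),
        "avg_requests": sum(steady) / len(steady),
        "peak_bytes": max(steady) * seg_bytes,
        "avg_bytes": sum(steady) * seg_bytes / len(steady),
    }


def compare():
    """Plain over-issuing versus segmented and over-issued, against a single periodically issued CRL."""
    return {
        "baseline O=1 S=1": simulate(1, 1),
        "over-issued O=4 S=1": simulate(4, 1),
        "segmented+over-issued O=4 S=4": simulate(4, 4),
    }


if __name__ == "__main__":
    for label, stats in compare().items():
        print(f"{label:32s} peak req/step={stats['peak_requests']:4d}  "
              f"avg req/step={stats['avg_requests']:6.1f}  peak bytes/step={stats['peak_bytes']:9d}")
```

Over-issuing staggers cache expiry across the population, which is what lowers the peak request rate; segmentation shrinks each response but makes a relying party fetch once per segment it touches, which is why the average request rate rises even as peak bandwidth falls. That is the trade-off the text describes as controllable through O and S.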
2. Proposing an XML-based software security requirements architecture description language (XSSRA/ADL)

When developing large and complex software systems for the Internet, it is imperative to consider functional requirements and security requirements together at the architecture level, and a security requirements architecture description language (SADL) is the foundation for researching and implementing the security requirements architecture. Because traditional architecture description languages have no component, connector or style dedicated to security requirements, it is difficult to describe these requirements at the architecture level. This thesis presents an XML-based software security requirements architecture description language (XSSRA/ADL) which, building on traditional software architecture, introduces new fundamental units such as the security component, the security connector, the half-security component and the half-security connector. XSSRA/ADL can not only describe the security architecture of software systems but also resolve the interaction and dependency between security requirements and other functional requirements at the architecture level. Moreover, XSSRA/ADL adopts XML, the data interoperation standard, as its meta-language, which gives it interoperability with other ADLs and makes it convenient to support refinement and evolution of the system [TAN2006e].
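As an added example of the kind of description such a language enables, the following uses a hypothetical XML vocabulary written for this page; it is not the thesis's XSSRA/ADL schema, whose element names and rules the abstract does not give. The sample architecture, its component and connector kinds (functional, security, half-security) and the three consistency rules the checker enforces are all constructed assumptions chosen to show how a security requirement's dependency can be checked against the functional components that must honour it.

```python
"""Added example (a hypothetical XML vocabulary in the spirit of XSSRA/ADL, not the thesis's
schema): an architecture description with functional, security and half-security components and
connectors, plus a checker for the interaction between security and functional requirements.
The sample document is constructed."""
import xml.etree.ElementTree as ET

SAMPLE = """<?xml version="1.0"?>
<architecture name="order-service">
  <requirements>
    <requirement id="R1" kind="functional">place an order</requirement>
    <requirement id="R2" kind="security">authenticate the caller before an order is placed</requirement>
    <requirement id="R3" kind="security">audit every order change</requirement>
  </requirements>
  <components>
    <component id="Gateway" kind="functional" satisfies="R1"/>
    <component id="AuthN" kind="security" satisfies="R2"/>
    <component id="Orders" kind="half-security" satisfies="R1 R3"/>
    <component id="Audit" kind="security" satisfies="R3"/>
  </components>
  <connectors>
    <connector id="c1" kind="security" from="Gateway" to="AuthN"/>
    <connector id="c2" kind="functional" from="Gateway" to="Orders"/>
    <connector id="c3" kind="security" from="Orders" to="Audit"/>
    <connector id="c4" kind="functional" from="Orders" to="Billing"/>
  </connectors>
  <dependencies>
    <depends requirement="R1" on="R2"/>
  </dependencies>
</architecture>
"""

SECURE_KINDS = {"security", "half-security"}


def load(xml_text: str):
    """Parse the constructed vocabulary into plain dicts and lists."""
    root = ET.fromstring(xml_text)
    requirements = {r.get("id"): r.get("kind") for r in root.iter("requirement")}
    components = {c.get("id"): (c.get("kind"), set(c.get("satisfies", "").split()))
                  for c in root.iter("component")}
    connectors = [(c.get("id"), c.get("kind"), c.get("from"), c.get("to"))
                  for c in root.iter("connector")]
    dependencies = [(d.get("requirement"), d.get("on")) for d in root.iter("depends")]
    return requirements, components, connectors, dependencies


def check(xml_text: str):
    """Return a list of violations; an empty list means the description is consistent.
    Rules (assumed for this example):
      1. every connector endpoint must be a declared component;
      2. every security requirement needs a security or half-security component satisfying it;
      3. if requirement A depends on security requirement B, every component satisfying A must be
         joined by a security connector to some component satisfying B."""
    requirements, components, connectors, dependencies = load(xml_text)
    violations = []
    secure_neighbours = {cid: set() for cid in components}
    for cid, kind, src, dst in connectors:
        for end in (src, dst):
            if end not in components:
                violations.append(f"connector {cid}: endpoint {end} is not a declared component")
        if kind == "security" and src in components and dst in components:
            secure_neighbours[src].add(dst)
            secure_neighbours[dst].add(src)
    satisfiers = {rid: {cid for cid, (_, reqs) in components.items() if rid in reqs}
                  for rid in requirements}
    for rid, kind in requirements.items():
        if kind == "security" and not any(components[c][0] in SECURE_KINDS for c in satisfiers[rid]):
            violations.append(f"requirement {rid}: no security or half-security component satisfies it")
    for rid, dep in dependencies:
        for comp in sorted(satisfiers.get(rid, ())):
            if not secure_neighbours[comp] & satisfiers.get(dep, set()):
                violations.append(f"component {comp}: satisfies {rid} which depends on {dep}, "
                                  f"but has no security connector to a component satisfying {dep}")
    return violations


if __name__ == "__main__":
    for line in check(SAMPLE):
        print(line)
```

On the sample the checker reports the dangling `Billing` endpoint and, more usefully, that `Orders` fulfils R1 without a security connector to the component that fulfils R2; the functional path through `Orders` bypasses authentication even though the dependency is declared. Giving the security units their own element kinds is what makes that question answerable mechanically at the architecture level.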
Keywords/Search Tags: secure operating system, trusted computing, trusted operating system, trusted hardware, integrity measurement, trusted boot, trusted login, behavior monitor, trusted object