
Cost profile of a highly assured, secure operating system

Published: 01 February 2001

Abstract

The Logical Coprocessing Kernel (LOCK) began as a research project to stretch the state of the art in secure computing by trying to meet or even exceed the “A1” requirements of the Trusted Computer System Evaluation Criteria (TCSEC). Over the span of seven years, the project was transformed into an effort to develop and deploy a product: the Standard Mail Guard (SMG). Since the project took place under a US government contract, the development team needed to maintain detailed records of the time spent on the project. The records from 1987 to 1992 have been combined with information about software code size and error detection. This information has been used to examine the practical impacts of high assurance techniques on a large-scale software development program. Tasks associated with the A1 formal assurance requirements added approximately 58% to the development cost of security-critical software. In exchange for these costs, the formal assurance tasks (formal specifications, proofs, and specification-to-code correspondence) uncovered 68% of the security flaws detected in LOCK's critical security mechanisms. However, a study of flaw detection during the SMG program found that only 14% of all flaws detected were of the type that could be detected using formal assurance, and that the work of the formal assurance team accounted for only 19% of all flaws detected. While formal assurance is clearly effective at detecting flaws, its practicality hinges on the degree to which the formally modeled system properties represent all of a system's essential properties.



• Published in

  ACM Transactions on Information and System Security, Volume 4, Issue 1
  Feb. 2001
  101 pages
  ISSN: 1094-9224
  EISSN: 1557-7406
  DOI: 10.1145/383775

      Copyright © 2001 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States
