This paper discusses how mandatory access mediation and discretionary access mediation are performed in the Trusted Mach (TMach) kernel, a system that uses message passing as its primary means of communication both between tasks and with the kernel. As a consequence, control of interprocess communication in the TMach kernel is a central concern, whereas controlled sharing of segments is the central focus in trusted systems with a more traditional architecture.
This note presents a concise summary and comparison of two environmental guidelines for secure systems: that developed by the National Computer Security Center (i.e., the "yellow books") and a competing methodology proposed by Landwehr and Lubbes of the U.S. Navy. Both methodologies are described and applied to a hypothetical example, along with a discussion of the strengths and weaknesses of each.
Purpose

This note compares and contrasts the two most widely cited methodologies for determining appropriate levels of trust (as defined by the evaluation classes of the DoD Trusted Computer System Evaluation Criteria (TCSEC) [2]) for deployed automated systems given certain characteristics of the operational environment. The first methodology was developed by the National Computer Security Center (NCSC) and is described in two documents commonly referred to as the "Yellow Books" [1, 3]. The NCSC methodology has also been incorporated in the 1988 DoD Directive 5200.28 [4].

The second methodology was developed by Landwehr and Lubbes of the Naval Research Laboratory (NRL) and is fully described in [5]. The NRL methodology was published immediately prior to the NCSC methodology and is commonly considered an acceptable alternative methodology (as allowed by DoD 5200.28).

*This paper was largely written while the author worked for Trusted Information Systems, Inc.

TH0351-7/90/0000/0244$01.00 © 1990 IEEE
Trusted Mach (TMach) is a message-passing, server-oriented system being targeted at the B3 level of the Trusted Computer System Evaluation Criteria (TCSEC). Its architecture differs from the security kernel plus layers structure that was established for trusted systems by Multics. This paper examines security issues associated with its dependence upon capability-like mechanisms and TMach's use of servers. A brief rationale for its compliance with TCSEC architectural requirements is presented. Why the structure of the TMach trusted computing base makes it readily extensible, and amenable to the inclusion of trusted applications, is also discussed.