Abstract: This paper describes the development of a virtual-machine monitor (VMM) security kernel for the VAX architecture. The paper particularly focuses on how the system's hardware, microcode, and software are aimed at meeting A1-level security requirements while maintaining the stand… …effort has been primarily aimed at identifying the differences and their cost in development effort and in kernel complexity. This paper describes how the VAX security kernel meets its five major goals: * Meet all A1 security requirements. …
“…Today, discussions of layered design tend to introduce additional complexity by allowing a richer tree of objects. SVS was an almost pure sequence of single layers (see Figure 1, from [1]). The absolute simplicity of the layering of the system is what gave the layered design some of its power as a structure for both call flow and overall system organization.…”
Section: Layered Design (mentioning, confidence 99%)
“…In May of 1990, "A VMM Security Kernel for the VAX Architecture" [1] was lead paper at the IEEE Symposium on Security and Privacy, and was awarded Best Paper. "The Auditing Facility for a VMM Security Kernel" [2] was also presented that year, and the year after, two papers on covert channels, "An Analysis of Covert Timing Channels" [3] and "Storage Channels in Disk Arm Optimization" [4] were presented.…”
Section: Introduction (mentioning, confidence 99%)
“…More than 20 years later, we are taking this opportunity to highlight what we consider to be the most important results from [1], with an eye toward how they can inform how high assurance systems are considered and built today.…”
VAX/SVS was a high assurance virtual machine monitor (VMM) project, documented in several published papers from the 1990's. We take a look back, extracting the most pertinent lessons from that work for today. These lessons cover reference monitor architectural principles, approaches to verifiable and tamperproof access control, the benefits of layering, the impacts of minimization and verification, and the business reasons behind its cancellation as a product.
“…Various virtual machine monitor approaches have been suggested [14,42,7] for supporting COTS applications while reliably separating different domains of data. In general, for these approaches to be trustworthy requires both the use of strictly virtualizable hardware [29], and a trustworthy monitor mechanism for separating the activities of the virtual machines.…”
Section: Related Work (mentioning, confidence 99%)
“…Creating a monitor sufficiently trusted to both separate different domains of activity, and allow read-down to less sensitive domains (as does MYSEA) is all the more difficult. While at least one was designed to provide high assurance read-down capabilities [42], it was never fielded. The VMM approach remains problematic for separation of different domains of data because of the difficulty of creating a trusted VMM.…”
Mandated requirements to share information across different sensitivity domains necessitate the design of distributed architectures to enforce information flow policies while providing protection from malicious code and attacks devised by highly motivated adversaries. The MYSEA architecture uses component security services and mechanisms to extend and inter-operate with commodity PCs, commodity client software, applications, trusted components, and legacy single level networks, providing new capabilities for composing secure, distributed multilevel secure solutions. This results in an architecture that meets two compelling requirements: first, that users have a familiar work environment, and, second, that critical mandatory security policies are enforced.
The need to provide standard commercial-grade productivity applications as the general purpose user interface to high-assurance data processing environments is compelling, and has resulted in proposals for several different types of "trusted" systems. We characterize some of these systems as a class of architecture. We discuss the general integrity property that systems can only be trusted to manage modifiable data whose integrity is at or below that of their interface components. One effect of this property is that in terms of integrity these hybrid-security systems are only applicable to processing environments where the integrity of data is consistent with that of low-assurance software. Several examples are provided of hybrid-security systems subject to these limitations.