Gidis Trusted Linux


Project Goals: Security Enhancement

Mainstream Operating System implements many flavors of Discretionary Access Control (DAC) in which ordinary users may be involved in the definition of the security policy functions and/or the assignment of security attributes (e.g. access control of owned files). Generally, DAC seems to be useful for defining any reasonable security policy in a flexible way. However, DAC mechanisms have one mayor drawback, regardless of the specific implementation scheme used, they are, by their very nature, subject to Trojan horse2 attacks. The most insidious aspect of a Trojan horse attack is that it does not require discovery or exploitation of loopholes in the operating system. A successful Trojan horse attack can be mounted through the use of only the most well documented and obviously desirable features of a flawless, bug-free system. Usually, once a Trojan horse is executed, the program hidden feature starts gaining access to every data the executor has permission to, it filters the information that is not within the scope of its interest, and sends the rest to a location accessible to the attacker. Such actions are possible because accessing files, opening connections, requesting resources for an authorized user are completely natural and ordinary tasks for the operating system.

Besides, if the Trojan horse is carefully programmed and used, it will not be considered a virus, the example above mentioned shows it well enough. Such a facility will not be detected as a virus by any anti-virus software just because nobody has reported it as such, and it is not very likely that someone may do so since it does not cause any visible harm, it just sends information outside the site (which is a daily routine).

Since Trojan horses may render useless any DAC mechanism, and in practice it is extremely expensive and difficult to preserve the system from them, we believe that the true solution for maintaining acceptable confidentiality levels lies in the implementation of some form of mandatory access control (MAC) at the operating system level. MAC restricts access to objects based largely on administrative actions. A mandatory security policy is a security policy where the definition of the policy logic and the assignment of security attributes are tightly controlled by a system security policy administrator. The implementation of a highly reliable MAC security scheme, such as Multi-level security, is one of the project's goals.

High-Quality Software

Due to the constant growing of e-commerce much confidence was built around cryptography and all kind of security gadgets, but the fact is that we cannot trust these useful tools unless we have a trusted base. Let us focus on this problem. We should not only pay attention on how security is achieved and implemented at this level, but also whether the design and its implementation are correct. The Lifia Secure Linux project has this goal in mind. Our commitment is to develop a high quality secure O.S. based on the Unix interface (Linux) using the most advanced and strict Software Engineering tools and methods available, including formal methods for specification, design, implementation and verification.


Operating systems ruled by mandatory security could not become mainstream of commercial systems. Maybe, the primary reason for that was their lack of usability. Multi-level security (MLS) is a MAC security scheme based on the Bell-LaPadula model, and is one of the most commonly known MAC schemes. MLS is a powerful security model, but if it is not properly implemented it can be too restrictive. We think we have located most of the problems of the previous implementations and developed smart solutions against them. The ultimate goal of this project is to overcome these issues and build a highly usable piece of software.

The concept of a new, usable, reliable and secure OS gives little advantage if we are unable to reuse the existing software applications. This is just the case in many MLS implementations, since they require the re-codification of almost every running application. Hence, as our final goal, we want to add the aforementioned security capabilities to the system kernel and modify existing ones, in order to provide strong security enforcement mechanisms without affecting the existing applications functionality and performance. This is why it will not be necessary to re-code almost any existing program, and therefore, a huge market portion will soon be available for the new version.
© 2003 por Grupo Gidis. Todos los derechos reservados.
Sitio diseñado por Lorena Cantarini [mailto]