Project Goals: Security Enhancement
Mainstream operating systems implement many flavors of Discretionary Access Control (DAC), in which ordinary users may take part in defining the security policy functions and/or assigning security attributes (e.g. access control of owned files). In general, DAC seems useful for defining any reasonable security policy in a flexible way. However, DAC mechanisms have one major drawback, regardless of the specific implementation scheme used: by their very nature, they are subject to Trojan horse attacks. The most insidious aspect of a Trojan horse attack is that it does not require the discovery or exploitation of loopholes in the operating system. A successful Trojan horse attack can be mounted using only the most well-documented and obviously desirable features of a flawless, bug-free system. Usually, once a Trojan horse is executed, the program's hidden feature starts accessing every piece of data the executing user has permission to access; it filters out the information that is not within the scope of its interest and sends the rest to a location accessible to the attacker. Such actions are possible because accessing files, opening connections and requesting resources on behalf of an authorized user are completely natural and ordinary tasks for the operating system.
Besides, if the Trojan horse is carefully programmed and used, it will not be considered a virus; the example mentioned above shows this well enough. Such a facility will not be detected as a virus by any anti-virus software simply because nobody has reported it as such, and it is not very likely that someone will do so, since it causes no visible harm; it just sends information outside the site, which is a daily routine.
Since Trojan horses may render any DAC mechanism useless, and in practice it is extremely expensive and difficult to protect the system from them, we believe that the true solution for maintaining acceptable confidentiality levels lies in implementing some form of mandatory access control (MAC) at the operating system level. MAC restricts access to objects based largely on administrative actions. A mandatory security policy is one in which the definition of the policy logic and the assignment of security attributes are tightly controlled by a system security policy administrator. The implementation of a highly reliable MAC security scheme, such as multi-level security, is one of the project's goals.
High-Quality Software
Due to the constant growth of e-commerce, much confidence has been built around cryptography and all kinds of security gadgets, but the fact is that we cannot trust these useful tools unless we have a trusted base. Let us focus on this problem. We should pay attention not only to how security is achieved and implemented at this level, but also to whether the design and its implementation are correct. The Lifia Secure Linux project has this goal in mind. Our commitment is to develop a high-quality secure OS based on the Unix interface (Linux) using the most advanced and strict software engineering tools and methods available, including formal methods for specification, design, implementation and verification.
Usability
Operating systems ruled by mandatory security have never become mainstream commercial systems. Perhaps the primary reason for this was their lack of usability. Multi-level security (MLS) is a MAC security scheme based on the Bell-LaPadula model, and is one of the most commonly known MAC schemes. MLS is a powerful security model, but if it is not properly implemented it can be too restrictive. We think we have located most of the problems of previous implementations and developed smart solutions to them. The ultimate goal of this project is to overcome these issues and build a highly usable piece of software.
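The following is an added illustration, written for this page and not code from the Lifia Secure Linux project, of the two points made above: why a program running with an authorized user's identity can leak that user's data under DAC alone, and how the two Bell-LaPadula rules of an MLS scheme (no read up, no write down) block the same copy even though the program is bug-free and the user's own permissions allow every step. The labels, levels, user names and file names are constructed for the example; a real implementation would enforce these checks inside the kernel rather than in a Python class.

```python
"""Toy model of DAC versus MLS (Bell-LaPadula) access decisions.

Under DAC, the owner of an object decides who may read or write it, so any
program run by that owner inherits the owner's full access. Under MLS every
subject and object carries a label and the reference monitor enforces:
  - simple security property: read allowed only if the subject's clearance
    dominates the object's label (no read up)
  - *-property: write allowed only if the object's label dominates the
    subject's clearance (no write down)
Constructed example data; not taken from any real system.
"""
from dataclasses import dataclass, field

# Constructed linear ordering of sensitivity levels.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # L1 dominates L2 iff level1 >= level2 and compartments2 is a
        # subset of compartments1 (the lattice ordering of Bell-LaPadula).
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass
class File:
    name: str
    owner: str
    label: Label
    readers: set = field(default_factory=set)   # DAC: owner-granted read
    writers: set = field(default_factory=set)   # DAC: owner-granted write
    content: str = ""


class DACKernel:
    """Access decided purely by owner-assigned permissions."""

    def can_read(self, user: str, clearance: Label, f: File) -> bool:
        return user == f.owner or user in f.readers

    def can_write(self, user: str, clearance: Label, f: File) -> bool:
        return user == f.owner or user in f.writers


class MLSKernel(DACKernel):
    """DAC checks plus mandatory label checks the user cannot override."""

    def can_read(self, user: str, clearance: Label, f: File) -> bool:
        return super().can_read(user, clearance, f) and clearance.dominates(f.label)

    def can_write(self, user: str, clearance: Label, f: File) -> bool:
        return super().can_write(user, clearance, f) and f.label.dominates(clearance)


def attempt_copy(kernel: DACKernel, user: str, clearance: Label,
                 source: File, dropbox: File) -> bool:
    """Model the 'hidden feature' of the text: a program run by `user`
    tries to copy `source` into `dropbox`, a location the attacker can read.
    Returns True if the copy is permitted, i.e. the data would leave the
    user's control; False if the policy stops it."""
    if not kernel.can_read(user, clearance, source):
        return False
    if not kernel.can_write(user, clearance, dropbox):
        return False
    dropbox.content = source.content
    return True


def demo() -> dict:
    """Run the same copy under both kernels and report whether it succeeded."""
    secret = Label("secret")
    public = Label("unclassified")
    results = {}
    for name, kernel in (("DAC", DACKernel()), ("MLS", MLSKernel())):
        # alice owns a secret report; mallory owns a world-writable dropbox.
        report = File("report.txt", owner="alice", label=secret, content="plan")
        dropbox = File("/tmp/shared", owner="mallory", label=public,
                       readers={"mallory"}, writers={"alice", "bob"})
        results[name] = attempt_copy(kernel, "alice", secret, report, dropbox)
    return results


if __name__ == "__main__":
    print(demo())  # DAC permits the copy, MLS refuses the write-down
```

Note that MLS does not make alice's permissions stricter in every direction: the *-property still lets a process at secret clearance write into a top_secret object it has DAC write access to (write up), which is exactly why MLS implementations need care to stay usable, as the paragraph above points out.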
Compatibility
The concept of a new, usable, reliable and secure OS gives little advantage if we are unable to reuse existing software applications. This is precisely the case with many MLS implementations, since they require the recoding of almost every running application. Hence, as our final goal, we want to add the aforementioned security capabilities to the system kernel and modify existing ones, in order to provide strong security enforcement mechanisms without affecting the functionality and performance of existing applications. This is why it will not be necessary to recode almost any existing program, and therefore a huge portion of the market will soon be available for the new version.