Design and implementation of an audit subsystem for a separation kernel

Abstract

A separation kernel can be used as the foundation of a high assurance system that enforces mandatory security policies. The contexts in which such separation kernels might be used include support for a distributed trusted path, high assurance routing, and for a multilevel secure mobile device that supports an extraordinary access partition for access to sensitive data during a crisis. Separation kernel requirements call for an audit subsystem that helps to enforce accountability policy by allowing administrators to detect unauthorized activities from the logs collected. The Least Privilege Separation Kernel (LPSK) being implemented for the Trusted Computing Exemplar (TCX) project did not have an audit subsystem. This thesis describes the design and implementation of an audit subsystem for the LPSK. Requirements were gathered based on an existing specification and protection profile. A variable-length token-based audit log format was designed to allow flexibility in recording different types of events. Interfaces to other LPSK modules and non-LPSK modules were designed and a prototype was developed. Testing results show that the prototype supports the LPSK audit requirements. Hence, this work demonstrates the feasibility of implementing the LPSK audit subsystem based on the proposed design.