A least privilege model for static separation kernels
NPS-CS-05-003.pdf (501.4Kb)Abstract
We extend the separation kernel abstraction to represent the enforcement of the principle of least privilege. In addition to the inter-block flow control policy prescribed by the traditional separation kernel paradigm, we describe an orthogonal finer-grained flow control policy by extending the protection of elements to subjects and resources, as well as blocks, within a partitioned system. We show how least privilege applied to the actions of subjects and resources provides enhanced protection for secure systems, and how only trusted subjects may cause certain information flows between partitions. A high assurance separation kernel based on least privilege can provide all of the functionality and protection of the traditional separation kernel, combined with a high level of confidence that the effects of subjects' activities can be minimized to their intended scope.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.NPS Report Number
NPS-CS-05-003Related items
Showing items related by title, author, creator and subject.
-
A Least Privilege Model for Static Separation Kernels
(2004-10); NPS-CS-05-003We extend the separation kernel abstraction to represent the enforcement of the principle of least privilege. In addition to the inter-block flow control policy prescribed by the traditional separation kernel paradigm, we ... -
Least Privilege in Separation Kernels
(International Conference on Security and Cryptography, Setubal, Portugal,, 2006-08-00);We extend the separation kernel abstraction to represent the enforcement of subjects provides enhanced protection for secure systems We extend the separation kernel abstraction to represent the enforcement of the principle ... -
A Note on High Robustness Requirements for Separation Kernels
(International Common Criteria Conference (ICCC 05), September 28-29, 2005., 2005-09-28);The development of a protection profile for high-robustness separation kernels requires explicit modifications of several Common Criteria requirements as well as extrapolation from existing (e.g., medium assurance) guidance ...
