Structure of a Secure Operating System

If both a Table of Contents and Search form are not displayed in separate frames along with this one, you may wish to redisplay this book in a frameset, beginning with the first page.

HP OpenVMS Guide to System Security

Security Overview

OpenVMS Security Model

Implementation of the Reference Monitor

Structure of a SecureOperating System

In the late 1960s, a great deal of research and developmentwas dedicated to the problem of achieving security in multiusercomputer systems. Much of the development work involved attemptsto find all the things that could go wrong with a system's securityand then to correct those flaws one by one. It became apparent tothe researchers that this process was ineffective; effective systemsecurity could result only from a basic model of the structure ofa secure computer system. The reference monitor concept was proposedas such a model and gained wide acceptance.

Reference Monitor Concept

According to the reference monitor concept, a computer systemcan be depicted in terms of subjects, objects, an authorizationdatabase, an audit trail, and a reference monitor, as shown in Reference Monitor. The reference monitor isthe control center that authenticates subjects and implements andenforces the security policy for every access to an object by asubject.

Figure 1 ReferenceMonitor
Reference Monitor

The following table describes the elements shown in Reference Monitor:

Item Element Description

1
Subjects
Active entities, such asuser processes, that gain access to information on behalf of people.

2
Objects
Passive repositories ofinformation to be protected, such as files.

3
Authorizationdatabase
Repository for the securityattributes of subjects and objects. From these attributes, the referencemonitor determines what kind of access (if any) is authorized.

4
Audit trail
Record of all security-relevant events,such as access attempts, successful or not.

Item	Element	Description
1	Subjects	Active entities, such asuser processes, that gain access to information on behalf of people.
2	Objects	Passive repositories ofinformation to be protected, such as files.
3	Authorizationdatabase	Repository for the securityattributes of subjects and objects. From these attributes, the referencemonitor determines what kind of access (if any) is authorized.
4	Audit trail	Record of all security-relevant events,such as access attempts, successful or not.

How the Reference Monitor Enforces SecurityRules

The reference monitor enforces the security policy by authorizingthe creation of subjects, by granting subjects access to objectsbased on the information in a dynamic authorization database, andby recording events, as necessary, in the audit trail. In an idealsystem, the reference monitor must meet the following three requirements:

Mediate every attempt by a subjectto gain access to an object

Provide a tamperproof database and audit trail thatare thoroughly protected from unauthorized observation and modification

Remain a small, simple, and well-structured pieceof software so that it is effective in enforcing security requirements

These are the requirements proposed for systems that are secureeven against penetration. In such systems, the reference monitoris implemented by a security-related subset, or security kernel,of the operating system.

Implementation of the Reference Monitor