CSSM's set of self-contained security services establishes a security perimeter around CDSA. These services incorporate techniques to protect against malicious attacks. Because application and add-in security service modules are dynamic components in the system, CSSM uses and requires the use of a strong verification mechanism to screen all components as they are added to the CSSM environment.
Applications can extend CSSM's security perimeter to include themselves by using bilateral authentication, integrity verification, and authorization checks during dynamic binding.
The establishment of integrity between two dynamically loaded, executable objects proceeds in three phases:
Self-Check
In the first phase, the self-check phase, the software module checks its own digital signature. The Embedded Integrity Services Library (EISL) defines a statically linked library procedure to perform self-check.
Bilateral Authentication
In the second phase, bilateral authentication routines in the EISL offer support for securely loading, verifying, and linking to partner software modules. The process of bilateral authentication begins in the MDS registry, where each program can find the credentials as well as the object code of all other CDSA modules.
Verification of other modules can be done prior to loading, or, if a module is already loaded, it can be verified in memory. Verification prior to loading prevents activating file viruses in infected modules. Verification in memory prevents stealth viral attacks where the file is healthy, but the loaded code is infected.
Secure Linkage Check
Once verified, programs can use the verified in-memory representation of the credentials to perform validity checks of addresses to provide secure linkage to modules. The addresses of both the callers and the procedures to be called can be verified using the Secure Linkage Check facility.
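The three phases above, modelled as an added example (not EISL or CDSA code): a credential is a digest of the module image signed by an authority, self-check verifies the module's own loaded copy, partner verification runs either against the registry's on-disk image or the in-memory copy, and the linkage check accepts only addresses inside a partner that has already been verified. The registry layout, module names, load addresses and the HMAC stand-in for a public-key signature are all assumptions.

```python
import hashlib
import hmac

# Stand-in for the signing authority's key (assumption). A real credential
# carries a public-key signature; HMAC only keeps this example self-contained.
AUTHORITY_KEY = b"constructed-authority-key"

def make_credential(image: bytes) -> dict:
    """Credential = digest of the module image plus an authority signature over it."""
    digest = hashlib.sha256(image).digest()
    return {"digest": digest, "sig": hmac.new(AUTHORITY_KEY, digest, "sha256").digest()}

def verify_image(code: bytes, cred: dict) -> bool:
    """Check the credential's signature, then that the code matches the signed digest."""
    good_sig = hmac.new(AUTHORITY_KEY, cred["digest"], "sha256").digest()
    return (hmac.compare_digest(good_sig, cred["sig"])
            and hmac.compare_digest(hashlib.sha256(code).digest(), cred["digest"]))

class Module:
    """A loadable module: on-disk image, in-memory copy, and a (constructed) load address."""
    def __init__(self, name: str, image: bytes, base: int):
        self.name, self.image, self.base = name, image, base
        self.loaded = bytearray(image)      # in-memory copy; may diverge from the file
        self.verified_partners = {}         # name -> (base, size) of partners verified so far

    def self_check(self, registry: dict) -> bool:                       # phase 1
        return verify_image(bytes(self.loaded), registry[self.name]["cred"])

    def verify_partner(self, partner, registry: dict, in_memory: bool) -> bool:  # phase 2
        code = bytes(partner.loaded) if in_memory else registry[partner.name]["image"]
        ok = verify_image(code, registry[partner.name]["cred"])
        if ok:
            self.verified_partners[partner.name] = (partner.base, len(partner.loaded))
        return ok

    def secure_linkage_check(self, partner_name: str, address: int) -> bool:  # phase 3
        if partner_name not in self.verified_partners:
            return False                    # never link to an unverified module
        base, size = self.verified_partners[partner_name]
        return base <= address < base + size

def run_scenario() -> dict:
    """Walk all three phases, including the 'healthy file, patched memory' case."""
    app, csp = Module("app", b"APP-CODE-v1", 0x1000), Module("csp", b"CSP-CODE-v1", 0x2000)
    registry = {m.name: {"image": m.image, "cred": make_credential(m.image)} for m in (app, csp)}
    out = {"self_check": app.self_check(registry)}
    out["partner_file"] = app.verify_partner(csp, registry, in_memory=False)
    out["partner_memory"] = app.verify_partner(csp, registry, in_memory=True)
    out["link_inside"] = app.secure_linkage_check("csp", 0x2004)
    out["link_outside"] = app.secure_linkage_check("csp", 0x3000)
    csp.loaded[0:3] = b"BAD"                # stealth attack: file intact, loaded code patched
    out["patched_file"] = app.verify_partner(csp, registry, in_memory=False)
    out["patched_memory"] = app.verify_partner(csp, registry, in_memory=True)
    return out
```

Only in-memory verification catches the patched copy; the on-disk check still passes, which is the case the text describes.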