concisely in arguing for exokernels [8]. Exokernels and VMs are in many ways quite
similar.
Grizzard in [9] proposes a Trusted Immutable Kernel Extension (TIKE) by way of
a VM. Using a host operating system as a trusted platform, a self-healing system uses
existing intrusion detection systems and corresponding self-healing mechanisms to
automatically heal the guest operating system once a compromise has occurred.
Garfinkel presents a closed-box abstraction for trusted computing through the use
of a VM monitor (Terra) for isolation and security [10].
Recently, the idea of isolated environments has become available in the form of
commodity platforms implementing TCPA [11], which relates to our conception of
combining trusted and untrusted components in one hybrid system. But TCPA is only
a hardware mechanism for trusted computing, lacking a vision for support of trusted
computing in operating systems.
In recognition of the need for OS support for trusted computing, Microsoft began
development of its NGSCB (formerly Palladium) architecture [12, 13]. This work is
the most similar to ours in that it provides a “whole system” solution to the problem
of trusted computing. NGSCB works by partitioning the platform into two parts
(“trusted” and “untrusted”), each of which runs a different operating system. It
achieves this through what can be seen as a very special-purpose hybrid system that
only supports two VMs. The untrusted (guest) part is one of today's commodity operating
systems (e.g. Windows), while the trusted (host) part is a dedicated trusted operating
system (the “nexus” in NGSCB parlance).
NGSCB differs from Linux over Fenix most prominently in its security
architecture. Linux over Fenix is a combination of two full-power operating systems;
in contrast, the trusted part of NGSCB is a dedicated operating system designed to run
small, high-assurance programs called “agents.” Agents work in conjunction with
code on the untrusted side of the system, providing all of the security-critical
functionality that programs on the untrusted side need (e.g. sensitive key storage).
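The agent split just described can be illustrated with a small added example (not NGSCB's or Linux over Fenix's code; all class and operation names here are assumptions): a trusted-side agent holds a key and answers sign/verify requests over a narrow message interface, so untrusted-side code gets the security-critical service without the key material ever crossing the partition boundary.

```python
import hashlib
import hmac
import json
import secrets


class TrustedAgent:
    """Lives on the trusted side (the 'nexus' partition in NGSCB terms).
    It holds the key and exposes only operations on it; there is
    deliberately no request that returns key material."""

    OPERATIONS = ("sign", "verify")  # the whole cross-partition interface

    def __init__(self, key: bytes):
        self._key = key

    def handle(self, request: bytes) -> bytes:
        """Handle one serialized request arriving from the untrusted side."""
        try:
            msg = json.loads(request.decode())
            op = msg["op"]
            data = bytes.fromhex(msg["data"])
        except (ValueError, KeyError, TypeError, UnicodeDecodeError):
            return self._reply(ok=False, err="malformed request")
        if op not in self.OPERATIONS:
            return self._reply(ok=False, err="unsupported operation")
        expected = hmac.new(self._key, data, hashlib.sha256).digest()
        if op == "sign":
            return self._reply(ok=True, tag=expected.hex())
        try:
            tag = bytes.fromhex(msg["tag"])
        except (ValueError, KeyError, TypeError):
            return self._reply(ok=False, err="malformed request")
        return self._reply(ok=True, valid=hmac.compare_digest(tag, expected))

    @staticmethod
    def _reply(**fields) -> bytes:
        return json.dumps(fields).encode()


class UntrustedClient:
    """Runs in the commodity OS.  Its only way to the agent is `send`, which
    models the channel between the two partitions."""

    def __init__(self, send):
        self._send = send

    def _call(self, **msg) -> dict:
        return json.loads(self._send(json.dumps(msg).encode()).decode())

    def sign(self, data: bytes) -> str:
        reply = self._call(op="sign", data=data.hex())
        if not reply["ok"]:
            raise RuntimeError(reply["err"])
        return reply["tag"]

    def verify(self, data: bytes, tag: str) -> bool:
        reply = self._call(op="verify", data=data.hex(), tag=tag)
        return bool(reply["ok"] and reply["valid"])

    def request_key_export(self) -> dict:
        """A request the interface does not offer: the agent refuses it
        rather than serving it, which is the point of the narrow interface."""
        return self._call(op="export_key", data="")


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed; exists only inside the agent
    agent = TrustedAgent(key)
    client = UntrustedClient(agent.handle)
    doc = b"constructed sample document"
    tag = client.sign(doc)
    return {
        "valid": client.verify(doc, tag),
        "tampered_valid": client.verify(doc + b"!", tag),
        "export_refused": not client.request_key_export()["ok"],
        "malformed_refused": not json.loads(agent.handle(b"not json").decode())["ok"],
    }
```

The design point is that the untrusted side sees a fixed set of operations and opaque replies; a compromise of the commodity OS can make the agent sign data it is handed, but cannot recover the key or add an operation that exports it.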
6 “Linux over Fenix” Hybrid OS
The hybrid OS technology can be used for the construction of a secure operating
system in which the secure host OS provides the security, and the guest OS provides
compatibility with applications and the user interface. What is required for this
purpose is, first, the possibility of starting the guest OS as a common user process
within the secure OS, and, second, the possibility of access by the applications of the
guest OS to the resources of the secure OS under control of the embedded security
features. Thus the set of applications available on the secure OS is expanded by
both existing applications of the guest OS and those under development.
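The second requirement, mediated access by guest applications to host resources, is shown below as an added example that is not the project's own code. The guest OS is modelled as a session bound to an ordinary host user, and every read or write it issues is decided by a host-side reference monitor. The policy used, a lattice of sensitivity levels with Bell-LaPadula style rules, is an assumption for the illustration; the page does not describe the actual Fenix access-control model, and all names are constructed.

```python
from dataclasses import dataclass

# Sensitivity lattice used by the constructed host policy (an assumption;
# the page does not describe Fenix's actual access-control model).
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass
class Resource:
    name: str
    level: str
    content: bytes = b""


@dataclass
class Decision:
    allowed: bool
    reason: str


class ReferenceMonitor:
    """Host-side check applied to every guest request.  Clearance comes
    from the host's own user table at session creation, never from a
    label the guest claims for itself."""

    def __init__(self, resources, users):
        self._res = {r.name: r for r in resources}
        self._users = dict(users)  # host user name -> clearance level
        self.audit = []  # (user, op, resource, allowed, reason)

    def open_session(self, user: str) -> "GuestSession":
        if user not in self._users:
            raise PermissionError(f"unknown host user {user!r}")
        return GuestSession(self, user, self._users[user])

    def check(self, session: "GuestSession", op: str, name: str) -> Decision:
        res = self._res.get(name)
        if res is None:
            d = Decision(False, "no such resource")
        elif op not in ("read", "write"):
            d = Decision(False, "operation not mediated")
        elif op == "read" and LEVELS[session.clearance] < LEVELS[res.level]:
            d = Decision(False, "no read up")  # simple security property
        elif op == "write" and LEVELS[session.clearance] > LEVELS[res.level]:
            d = Decision(False, "no write down")  # *-property
        else:
            d = Decision(True, "ok")
        self.audit.append((session.user, op, name, d.allowed, d.reason))
        return d

    def resource(self, name: str) -> Resource:
        return self._res[name]


class GuestSession:
    """Stands in for a guest-OS instance started as a common user process
    of the host: it reaches host resources only through the monitor."""

    def __init__(self, monitor, user, clearance):
        self._monitor = monitor
        self.user = user
        self.clearance = clearance

    def read(self, name: str) -> bytes:
        d = self._monitor.check(self, "read", name)
        if not d.allowed:
            raise PermissionError(d.reason)
        return self._monitor.resource(name).content

    def write(self, name: str, data: bytes) -> None:
        d = self._monitor.check(self, "write", name)
        if not d.allowed:
            raise PermissionError(d.reason)
        self._monitor.resource(name).content = data


def _attempt(fn, *args) -> bool:
    """True if the mediated call was allowed, False if the monitor refused."""
    try:
        fn(*args)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    # Constructed resources and users standing in for the host's own.
    monitor = ReferenceMonitor(
        resources=[Resource("motd", "public", b"hello"),
                   Resource("payroll", "secret", b"salaries")],
        users={"alice": "secret", "guest_app": "public"},
    )
    low = monitor.open_session("guest_app")
    high = monitor.open_session("alice")
    results = {
        "low_reads_public": _attempt(low.read, "motd"),
        "low_reads_secret": _attempt(low.read, "payroll"),
        "high_reads_secret": _attempt(high.read, "payroll"),
        "high_writes_public": _attempt(high.write, "motd", b"leak"),
        "low_writes_secret": _attempt(low.write, "payroll", b"append"),
    }
    results["denied"] = sum(1 for entry in monitor.audit if not entry[3])
    return results
```

Two things worth noticing when running it: the audit trail is kept by the host, so a guest cannot hide its attempts, and the *-property permits a low-clearance guest to write (blindly) into a secret resource; if that is undesirable for a deployment, an integrity rule has to be added on the host side, not in the guest.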
An example of a secure hybrid system is the solution developed by the Department
of Information Security of the SPSPU School of Technical Cybernetics, which received
the name “Linux over Fenix” secure hybrid system. The secure Fenix OS, which has a
special architecture and implements a flexible model of access control to information
resources, plays the part of the secure OS. Within the environment provided by this OS,
copies of a modified Linux kernel are run, adapted to operate in user mode in the Fenix
OS environment. Each user has at