Trusted Code Base in a UNIX Environment
Linda Walsh
law at sgi.com
Wed Apr 19 03:57:29 GMT 2000
The TCB - Trusted "Computing" Base specifies a base of software *and* hardware
that implements the security policy set for the system. In order for
the TCB to be effectively evaluated, it may be evaluated in a 'minimalist'
configuration. For example, no 'lisp', or no 'emacs'. If you include
those apps then you might be asked for the full security analysis you did
of the given program -- I can see the lisp eval: um, it writes semi-arbitrary
code, then executes the written code, which then may write some more... etc.
Ick!
Ideally you would like a way to identify the TCB files -- for example,
a bit somewhere that specifies 'in TCB' is simplest, but even that isn't
required. For C2 (and CAPP, I believe), it is sufficient to document the
files root is to use to administer the system and that root should execute
no other files. A pain, you might say, but if you wish to maintain the
system in its certified state, it must be operated within specified
parameters. As soon as root runs something outside of the Trusted Computing
Base, system security may be compromised. That's why with just a bit, you
can have the OS check, if uid==0, then only execute files that have the
'bit' turned on. There are obviously more general mechanisms to do this
such as the Biba Integrity model (part of the "MAC label" on IRIX).
MAC, or Mandatory Access Control, is implemented with the Bell-LaPadula model
for Sensitivity and the Biba model for Integrity. This way information flow
is controlled in both the downward and upward directions. I can argue
that Biba can be considered MAC as well, as root can't execute or read
files of lower *integrity* than it is operating at -- i.e. -- when in
a "more privileged" state.
So basically the TCB concept is only valid in so far as root willingly
or 'guidedly' follows security policy.
If you aren't enforcing some type of TCB integrity model automatically
(in the kernel), then it's just a "paper" exercise which is only needed
for a formal evaluation, since on most systems you'd likely have so
many files loaded that keeping track of the TCB and enforcing the policy of
no root execs out of that TCB by following a written list would be
impractical in anything other than a very controlled environment.
-l
--
Linda A Walsh | Trust Technology, Core Linux, SGI
law at sgi.com | Voice: (650) 933-5338
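The two exec-mediation schemes the post describes (a single 'in TCB' bit that
root may not exec around, and the more general Biba integrity check) can be
modelled in a few lines. The following is an added example, not code from the
post, from IRIX, or from TrustedBSD; the file table, paths and integrity
levels are constructed for illustration. It also shows the point the post
gestures at with "more general mechanisms": the TCB bit is exactly the
two-level special case of Biba, with root operating at the high level.

```python
"""Toy model of kernel-side exec mediation for a Trusted Computing Base.

Scheme 1: a per-file 'in TCB' bit; when uid == 0, only files with the bit
          set may be executed (unprivileged users are not constrained).
Scheme 2: Biba strict integrity; a subject may read or execute only objects
          whose integrity level is >= its own ("no read down"), and may
          write only objects whose level is <= its own ("no write up").
All paths and labels below are constructed, not taken from any real system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class File:
    path: str
    in_tcb: bool      # the single 'in TCB' bit from the post
    integrity: int    # Biba integrity level; higher means more trusted


# Constructed file table (hypothetical paths, bits and labels).
FILES = {
    "/sbin/init":     File("/sbin/init", True, 3),
    "/usr/bin/ls":    File("/usr/bin/ls", True, 3),
    "/usr/bin/emacs": File("/usr/bin/emacs", False, 1),
    "/tmp/script.sh": File("/tmp/script.sh", False, 0),
}


def tcb_bit_allows_exec(uid: int, f: File) -> bool:
    """Scheme 1: root may exec only TCB-bit files; everyone else is free."""
    if uid == 0:
        return f.in_tcb
    return True


def biba_allows(subject_level: int, f: File, op: str) -> bool:
    """Scheme 2: Biba strict integrity for read/exec and write."""
    if op in ("read", "exec"):
        return subject_level <= f.integrity      # no read (or exec) down
    if op == "write":
        return subject_level >= f.integrity      # no write up
    raise ValueError(f"unknown operation {op!r}")


def tcb_bit_as_two_level_biba(uid: int, f: File) -> bool:
    """The TCB bit is Biba with two levels: TCB files sit at level 1,
    everything else at 0; root operates at 1, ordinary users at 0."""
    object_level = 1 if f.in_tcb else 0
    subject_level = 1 if uid == 0 else 0
    return subject_level <= object_level


def mediate_exec(uid: int, subject_level: int, path: str, policy: str) -> bool:
    """What an exec() hook would decide under the chosen policy."""
    f = FILES[path]
    if policy == "tcb-bit":
        return tcb_bit_allows_exec(uid, f)
    if policy == "biba":
        return biba_allows(subject_level, f, "exec")
    raise ValueError(f"unknown policy {policy!r}")


def audit(attempts, policy: str):
    """Return the (uid, level, path) attempts the policy would deny.
    This is the automated check the post contrasts with a 'paper' list."""
    return [a for a in attempts if not mediate_exec(*a, policy)]


# Constructed exec attempts: (uid, subject integrity level, path).
ATTEMPTS = [
    (0, 3, "/usr/bin/ls"),        # root running an administration tool
    (0, 3, "/usr/bin/emacs"),     # root stepping outside the TCB
    (1000, 0, "/usr/bin/emacs"),  # ordinary user, unconstrained
    (500, 2, "/tmp/script.sh"),   # operator-level subject, low-integrity file
]

if __name__ == "__main__":
    for policy in ("tcb-bit", "biba"):
        print(policy, "denies:", audit(ATTEMPTS, policy))
```

Under the TCB-bit policy only root's attempt to run emacs is refused; under
Biba the level-2 subject is also refused the low-integrity script, while the
ordinary user at level 0 may run anything above it. The equivalence function
makes the post's "more general mechanism" remark concrete: collapse Biba to
two levels and you get the bit back.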