Trusted OS
The Need for Trusted Operating Systems
 
Trusted operating systems were originally designed to enforce military security policies on government computers. However, with the growth of Internet-based commerce, the need for TOS-based security is no longer restricted to government environments.
"The threats posed by the modern computing environment cannot be addressed without secure operating systems. Any security effort which ignores this fact can only result in a 'fortress built upon sand.'" (Loscocco, 1998)

Certain threats, such as buffer-overflow/stack-overwrite attacks, administrator hijacking, multi-network communication, improper application interaction, and other application software bugs, can only be controlled via the operating system, which can impose limits on all software.

A trusted operating system does not take the place of encryption, intrusion detection, or authentication, but often makes a firewall unnecessary. It strengthens all other security mechanisms. Trusted OSs can create partitions for applications and resources, so damage from compromised programs is limited.

Only trusted operating systems can provide the stability and security required for critical commercial servers.
 


The Least Privilege Model
 

CERT is constantly sending advisories about newly discovered buffer-overflow attacks. Yet another bug is found in yet another privileged program. Now anyone can take over the program, and since it is running as root, they have the power to do anything they want on the system. There are no limits.

Why is a program such as a domain name server granted ultimate power on a computer? The only thing it needs to do that a normal user cannot is to bind to a low port number. There is only one adjective that describes the policy of giving name server software total control of the system: "stupid." But most "secure" web servers are running dozens of programs that are trusted to an astonishing degree.

To repeat, setuid root is an incredibly stupid idea. But...
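The pattern this section argues for, as an added example that is not from the original page: the one act that actually needs root (binding a privileged port) happens first, then the program drops root permanently, and only after that does it read any input. It assumes a Unix system where uid/gid 65534 is an unprivileged identity ("nobody" on most Linux distributions; a constructed assumption), runs the server in a forked child so the demonstrating process keeps its own identity, and uses port 0 (an ephemeral port) so it also runs without root; with root and port 53 the flow is identical. When run unprivileged, the drop is skipped and reported as such.

```python
import os
import socket
import struct

# Assumed unprivileged identity; uid/gid 65534 is "nobody" on most Linux systems.
UNPRIV_UID = 65534
UNPRIV_GID = 65534


def drop_privileges(uid, gid):
    """Permanently give up root.

    Returns True if privileges were dropped, False if the process was not
    root to begin with (nothing to drop).  Order matters: supplementary
    groups, then gid, then uid, because once the uid changes the other two
    calls are no longer permitted.
    """
    if os.geteuid() != 0:
        return False
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    # The drop must be irreversible: regaining root has to fail now.
    try:
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop was not permanent")


def privileged_server(port, report_fd):
    """Child side: bind (the only act that needs root), drop root, serve one request."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))   # port 53 would be the name-server case
    srv.listen(1)
    dropped = drop_privileges(UNPRIV_UID, UNPRIV_GID)
    # Report the bound port and our identity after the drop; the socket
    # acquired before dropping root keeps working afterwards.
    bound_port = srv.getsockname()[1]
    os.write(report_fd, struct.pack("!H?I", bound_port, dropped, os.getuid()))
    os.close(report_fd)
    conn, _ = srv.accept()
    conn.sendall(conn.recv(1024))   # echo: input is only handled after the drop
    conn.close()
    srv.close()


def run_demo(port=0):
    """Fork the server, act as its client, and return what happened."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(r)
        try:
            privileged_server(port, w)
        finally:
            os._exit(0)
    os.close(w)
    report = b""
    while len(report) < 7:          # struct "!H?I" is 2 + 1 + 4 bytes
        chunk = os.read(r, 7 - len(report))
        if not chunk:
            raise RuntimeError("server child exited before reporting")
        report += chunk
    os.close(r)
    bound_port, dropped, child_uid = struct.unpack("!H?I", report)
    client = socket.create_connection(("127.0.0.1", bound_port))
    client.sendall(b"hello")
    echo = client.recv(1024)
    client.close()
    os.waitpid(pid, 0)
    return {"port": bound_port, "dropped": dropped, "child_uid": child_uid,
            "parent_uid": os.getuid(), "echo": echo}


if __name__ == "__main__":
    print(run_demo())
```

The check inside drop_privileges (trying to setuid back to 0 and expecting failure) is the part most often left out in practice: a drop that only changes the effective uid while the saved uid stays 0 can be undone by the very code path an attacker later controls.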
 



 
Copyright © 2000 Trusted OS Resource Center. All Rights Reserved.
Last Modified December 22, 2000