Ensuring continuity during dynamic security policy reconfiguration in DTE

摘要

Operating system kernels capable of simultaneously enforcing multiple security policies provide economic benefits over those that cannot: they allow a single kernel to concurrently provide its costly or unique resources to a number of projects, each with its own individual security requirements. The additional ability to dynamically reconfigure its policy during run time allows a kernel to take on new projects and their policies and to remove old ones without disturbing those that remain. Unfortunately, the policy added to govern a new project may conflict with the kernel's existing policy components, invalidating their security properties and negating the protection they pro vide. This danger is an obstacle to the practical operation of these kernels. The paper describes how the Domain and Type Enforcement (DTE) prototype kernel implements automatic safeguards to reject policy extensions which would invalidate BLP, Ring, Strict Integrity, Clark-Wilson, and Assured Pipeline security properties of its existing policy.