On a normal system, if an attacker gains root or administrator access, he or she can run rampant. Not so on a trusted system — at least so long as it is properly configured. Read the article at NewsFactor.
Inside the World of Secure Operating Systems
About The Author
Eugenia Loli
Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.
Follow me on Twitter @EugeniaLoli
“The main focus of a trusted system is to manage information — to ensure information can only be viewed, altered or moved by individuals with appropriate access rights.”
Isn’t that what each modern OS does?
Good point, mr X!
I guess this is all about choices: if you really need a very secure environment, you will have to make combined choices on security, usability, and maybe price (at least for the SUN example 🙂
the difference lies in having a superuser in the usual OS compared to a trusted system like Trusted Solaris, which doesn’t have “root access”. Instead of having one guy/group do the configuration of the system, you can have it configure the system to have a number of approvals from several people. Sort of like in the movies, usually post-nuclear themes where a lot of people have the pass/keys to launch the nuke
Most OS’s only enforce discretionary access controls, so the owner of the file can control who can see it. A trusted OS that uses mandatory access controls enforces this so that the owner can only make it available to those at the same clearance.
Pity the article didn’t mention Trusted IRIX since this has been evaluated at LSPP while I believe we are still waiting for Trusted Solaris to finish its evaluation.
If you are interested in a system which has no ‘root’ user check out Plan 9.
A doc on the security is here:
http://cm.bell-labs.com/sys/doc/auth.html
in the space of whatever mechanism does the checking….
(no idea if this is possible or not as ive never actually ~used~ a system with this type of mechanism… yet somehow i feel there is likely to be a way)
If you’re looking for a good mix between security and usability, I found OpenBSD to be very well fit for that purpose.
I can’t really think of anything that requires more security than the level of security a (well maintained) OpenBSD box offers, or at least nothing we regular people would ever see.
surely there is a “root” on a Trusted system to allocate the priviliges… in the earlier example by jsg – someone has given the “keys/codes” to the individuals beofre they can launch the bomb. and who is this person – the uber-root?
and who revokes these rights in case they were missassigned or the situation has changed? the uber-root?
so whats the difference? surely the OS itself doesn’t install, boot up and ask to see 5 different individuals identified by their fingerprints?
t
Does anyone know what the difference is between a Trusted OS and a Capability based system like EROS ( http://www.eros-os.org/ )? It would seem that the Capability system has the finest possible grain of assignment of access rights – each and every O/S operation is controlled by a capability, which a process must explicitly aquire in order to perform that operation. Is this better than the guarantees provided in a trusted system?
The article doesn’t mention another approach to improving system security – isolation through a virtualized O/S, as is enabled by the FreeBSD jail system call for example, or (as I understand it) the upcoming Solaris Zones ( http://www.theregister.co.uk/content/4/30179.html ). Does anyone know of other virtualized O/S layers? What would one do in Linux to get a virtual O/S … User mode linux, perhaps? ( http://user-mode-linux.sourceforge.net/ )
Presumably this approach provides a high level of application isolation, but with consequent limitations on inter-process communications. How does this compare with the security guarantees made in Trusted systems?
If you check out the link http://wwws.sun.com/software/solaris/trustedsolaris/
there is a blurb about the role based authentication. It seems as though its more like a ‘distributed’ root user rather than a single root user that always has maximum privileges. Of course there is the paradox that you have to have an initial user that has the privileges to assign the privileges…
But aside from that, I think that the various roles will become more distributed to various user accounts so that instead of one gran-daddy root user you’ll have a bunch of baby roots, buds, and possibly some tender saplings 
But exactly how it works isn’t noted clearly that I could find.