One aspect of producing secure operating systems involves the confinement of programs. This paper discusses the program confinement problem as addressed by the developers of a retrofitted version of the IBM VM/370 virtual machine monitor. This version of the system (called KVM/370) uses a security-kernel architecture to provide a provably secure multi-level environment for Department of Defense computer operations. To produce an efficient system, software and hardware resources must be globally shared among all processes of the security hierarchy. Since not all portions of KVM/370 can be formally proven, it is possible that untrusted software controlling global resources can be used to transmit sensitive information from a high-level to a low-level process. This paper discusses the techniques used in KVM/370 to confine programs (to prevent data leakage) so that the security of the system is preserved. A brief architectural description of the system is presented as well.
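To make the confinement hazard in the abstract concrete, the following is an added illustration (not code from the paper, and not a description of how KVM/370 itself is implemented): a toy reference monitor over a globally shared resource. A process at a high sensitivity level tries to pass bits to a low-level process through a shared scratch object; with no access checks the bits arrive intact, while a monitor that labels the resource and enforces the usual multi-level rules (read only at or below your own level, write only at or above it) denies the high-level writes and records them. The level names, the linear ordering, and the resource and process names are all constructed for the example.

```python
"""Illustrative model of multi-level confinement on a shared resource.

Added example only; it is not KVM/370 code. It models the leak the abstract
describes (untrusted software controlling a global resource being used to move
data from a high-level to a low-level process) and a label-based monitor that
blocks it. The lattice, level names and resource names are constructed.
"""
from dataclasses import dataclass

# Constructed linear ordering of sensitivity levels, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


def dominates(a: str, b: str) -> bool:
    """True when level a is at or above level b in the constructed ordering."""
    return LEVELS[a] >= LEVELS[b]


@dataclass
class SharedResource:
    name: str
    level: str      # label assigned to the globally shared object
    value: int = 0


@dataclass
class Process:
    name: str
    level: str      # clearance of the subject


class UnconfinedMonitor:
    """No checks: models untrusted software with free control of a global resource."""

    def write(self, proc: Process, res: SharedResource, value: int) -> bool:
        res.value = value
        return True

    def read(self, proc: Process, res: SharedResource):
        return res.value


class ConfiningMonitor:
    """Mediates every access with two label rules and logs each denial."""

    def __init__(self):
        self.denials = []   # (process, operation, resource) tuples

    def write(self, proc: Process, res: SharedResource, value: int) -> bool:
        # Write only to objects whose label dominates the subject's level,
        # so a high-level process cannot place data in a low-labelled object.
        if not dominates(res.level, proc.level):
            self.denials.append((proc.name, "write", res.name))
            return False
        res.value = value
        return True

    def read(self, proc: Process, res: SharedResource):
        # Read only objects whose label the subject's level dominates.
        if not dominates(proc.level, res.level):
            self.denials.append((proc.name, "read", res.name))
            return None
        return res.value


def attempt_leak(monitor, secret_bits):
    """A high-level process writes each bit into a low-labelled shared object
    and a low-level process reads it back. Returns what the low process saw."""
    high = Process("high", "TOP_SECRET")
    low = Process("low", "UNCLASSIFIED")
    shared = SharedResource("scratch", "UNCLASSIFIED")   # constructed global resource
    received = []
    for bit in secret_bits:
        monitor.write(high, shared, bit)
        received.append(monitor.read(low, shared))
    return received


if __name__ == "__main__":
    bits = [1, 0, 1, 1]
    print("unconfined:", attempt_leak(UnconfinedMonitor(), bits))
    m = ConfiningMonitor()
    print("confined:  ", attempt_leak(m, bits))
    print("denials:   ", m.denials)
```

The unconfined run returns the secret bits unchanged; the confined run returns only the resource's initial value, and the denial log is exactly the kind of evidence an auditor would want from a mediated shared resource. The model covers only this explicit storage path; the abstract's broader point is that any globally shared resource the kernel does not mediate and cannot prove correct is a candidate for the same misuse.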