Cost profile of a highly assured, secure operating system

The Logical Coprocessing Kernel (LOCK) began as a research project to stretch the state of the art in secure computing by trying to meet or even exceed the "A1" requirements of the Trusted Computer System Evaluation Criteria (TCSEC). Over the span of seven years, the project was transformed into an effort to develop and deploy a product: the Standard Mail Guard (SMG). Since the project took place under a US government contract, the development team needed to maintain detailed records of the time spent on the project. The records from 1987 to 1992 have been combined with information about software code size and error detection. This information has been used to examine the practical impact of high assurance techniques on a large-scale software development program. Tasks associated with the A1 formal assurance requirements added approximately 58% to the development cost of security-critical software. In exchange for these costs, the formal assurance tasks (formal specifications, proofs, and specification-to-code correspondence) uncovered 68% of the security flaws detected in LOCK's critical security mechanisms. However, a study of flaw detection during the SMG program found that only 14% of all flaws detected were of the type that could be detected using formal assurance, and that the work of the formal assurance team accounted for only 19% of all flaws detected. While formal assurance is clearly effective at detecting flaws, its practicality hinges on the degree to which the formally modeled system properties represent all of a system's essential properties.
