Firewall Wizards mailing list archives

Re: Re: Trusted OS...


From: Pere Camps <pere () pere net>
Date: Thu, 30 Mar 2000 17:47:54 +0200 (CET)

Hello,

There's the old-school definition (which I confess to favouring
myself, just because I think it makes me sound like a grizzled old
security stud:-) that a trusted OS is one that has passed the TPEP
or one of its bastard children. This means not only possessing some
cool features for expressing controls and restrictions, but also
(particularly at higher levels) possessing design documentation that
reflects a concern for security that tracks back to the start of
implementation, and some amount of documentation and perhaps code
review to help ensure that the product meets the claims.

Then there's a newer school, that likes to use the term Trusted
OS to describe an OS possessing the features --- mandatory or
discretionary access control, domain type enforcement, whatever ---
that allow more fine-grained control over processes and the
resources they're permitted to access than the traditional OS
permissions system. These speakers disregard the certification part,
and just use the "Trusted OS" tag to refer to the presence of the OS
features.

        It looks like the old school likes the "assurance" and the new
school likes the "capabilities".

        For example, the Orange Book doesn't specify many more
capabilities after the B1 level. It just adds more "assurance" that the
capabilities are implemented correctly.

        Personally, I'd like to have all the "features", but I'd rather
stick with less "assured" features if my work can get done that way, even
if it is harder to do.

        Just my 1/50 $ about my little knowledge about TOS.

-- p.
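The "features" side of the thread (mandatory versus discretionary access control, domain type enforcement) is easy to talk past, so here is an added toy model, not code from the post or from any real trusted OS, that shows why the distinction matters: a DAC grant made by a file's owner is silently overruled by a MAC label check and by a domain/type table the owner cannot touch. The Bell-LaPadula "no read up, no write down" rules used for the MAC part are one common lattice model, chosen here for illustration; the subjects, labels, domains and the DTE table are all constructed for the example.

```python
"""Toy reference monitor combining DAC, MAC and domain-type enforcement.

Added example for illustration only; every subject, object, label and
table entry below is constructed and does not describe any real system.
"""
from dataclasses import dataclass, field

# Constructed sensitivity lattice (higher number = more sensitive).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

# Constructed domain-type enforcement table: (domain, type) -> allowed modes.
DTE_TABLE = {
    ("user_d", "user_t"): {"read", "write"},
    ("user_d", "sys_t"): {"read"},           # ordinary users may only read system files
    ("admin_d", "sys_t"): {"read", "write"},
}


@dataclass
class Subject:
    name: str
    level: str    # clearance, a key of LEVELS
    domain: str   # DTE domain


@dataclass
class Object:
    name: str
    owner: str
    level: str    # classification, a key of LEVELS
    type_: str    # DTE type
    dac: dict = field(default_factory=dict)   # user -> set of granted modes


def dac_allows(subject, obj, mode):
    """Discretionary: the owner may grant any mode to anyone (and has all modes)."""
    if subject.name == obj.owner:
        return True
    return mode in obj.dac.get(subject.name, set())


def mac_allows(subject, obj, mode):
    """Mandatory (Bell-LaPadula style): no read up, no write down; owner has no say."""
    s, o = LEVELS[subject.level], LEVELS[obj.level]
    if mode == "read":
        return s >= o
    if mode == "write":
        return s <= o
    return False


def dte_allows(subject, obj, mode):
    """Domain type enforcement: the (domain, type) table decides, nothing else."""
    return mode in DTE_TABLE.get((subject.domain, obj.type_), set())


def decide(subject, obj, mode):
    """Return each policy's verdict; access is granted only when all agree."""
    verdict = {
        "dac": dac_allows(subject, obj, mode),
        "mac": mac_allows(subject, obj, mode),
        "dte": dte_allows(subject, obj, mode),
    }
    verdict["granted"] = all(verdict.values())
    return verdict


def access(subject, obj, mode):
    return decide(subject, obj, mode)["granted"]


# Constructed sample subjects and objects.
ALICE = Subject("alice", "secret", "user_d")
BOB = Subject("bob", "unclassified", "user_d")
SYSD = Subject("sysd", "unclassified", "admin_d")   # system-low admin daemon

# Alice owns a secret file and, discretionarily, lets Bob read it.
PLANS = Object("plans", "alice", "secret", "user_t", {"bob": {"read"}})
# Bob owns an unclassified file and lets Alice read and write it.
NOTES = Object("notes", "bob", "unclassified", "user_t", {"alice": {"read", "write"}})
# A system file whose owner carelessly grants everyone write.
PASSWD = Object("passwd", "sysd", "unclassified", "sys_t",
                {"alice": {"read", "write"}, "bob": {"read", "write"}})

if __name__ == "__main__":
    for subj, obj, mode in [(BOB, PLANS, "read"), (ALICE, NOTES, "write"),
                            (BOB, PASSWD, "write"), (SYSD, PASSWD, "write")]:
        print(f"{subj.name} {mode} {obj.name}: {decide(subj, obj, mode)}")
```

Running it shows the point of the "capabilities" camp: Bob's DAC read grant on the secret file is refused by MAC (read up), Alice's DAC write grant on Bob's file is refused by MAC (write down), and Bob's DAC write grant on the system file is refused by the DTE table even though both DAC and MAC would have allowed it. Whether any of these checks is implemented correctly is exactly the "assurance" question the old school cares about, which this model says nothing about.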


