In Guards We Trust: Security and Privacy in Operating Systems Revisited

Authors: Michael Hanspach, J. Keller
Venue: 2013 International Conference on Social Computing
Publication date: 2013-09-08
DOI: 10.1109/SocialCom.2013.87 (https://doi.org/10.1109/SocialCom.2013.87)
Citation count (Semantic Scholar): 6

Abstract

With the rise of formally verified microkernels, we finally have a trusted platform for secure IPC and rigorous enforcement of our mandatory access control policy. But not every problem in computer security and privacy can be solved by a trusted microkernel, because higher-level security and privacy mechanisms such as packet filtering, data encryption and the partitioning of shared hardware devices also need to be trusted. Numerous authors have described the need for a trusted middleware that fulfils these higher-level security and privacy goals, but detailed requirements for the different security and privacy goals are still missing. We provide a collection of output filters that can be applied to trusted operating system components to enforce higher-level security goals. We further provide a typology of operating system guards, which are essentially trusted components built from different combinations of input and output filters. The storage guard, the audio filtering guard and the sequencing guard are specifically targeted at providing solutions to three common security and privacy problems in component-based operating systems. Finally, we develop a guard reference architecture and present the concept of a guard construction kit for the development of new types of operating system guards, enabling operating system developers to build their own guard components for both component-based and commodity operating systems.