The Caernarvon secure embedded operating system
Source
ACM SIGOPS Operating Systems Review archive
Volume 42, Issue 1 (January 2008)
SESSION: Systems work at IBM Research
Pages 32-39
Year of Publication: 2008
ISSN: 0163-5980
Authors
David C. Toll, IBM T. J. Watson Research Center, Yorktown Heights, NY
Paul A. Karger, IBM T. J. Watson Research Center, Yorktown Heights, NY
Elaine R. Palmer, IBM T. J. Watson Research Center, Yorktown Heights, NY
Suzanne K. McIntosh, IBM T. J. Watson Research Center, Yorktown Heights, NY
Sam Weber, IBM T. J. Watson Research Center, Yorktown Heights, NY
Publisher
ACM, New York, NY, USA
DOI: http://doi.acm.org/10.1145/1341312.1341320

ABSTRACT

The Caernarvon operating system was developed to demonstrate that a high assurance system for smart cards was technically feasible and commercially viable. The entire system has been designed to be evaluated under the Common Criteria at EAL7, the highest defined level of assurance.

Historically, smart card processors have not supported the hardware protection features necessary to separate the OS from the applications, and one application from another. The Caernarvon OS has taken advantage of the first smart card processors with such features to be the first smart card OS to provide this kind of protection. Even when compared with conventional systems where the hardware protection is routine, the Caernarvon OS is noteworthy, because of the EAL7 assurance.

This approach facilitated implementation of a formally specified, mandatory security policy providing multi-level security (MLS) suitable for both government agencies and commercial users. The mandatory security policy requires effective authentication of its users that is independent of applications. For this reason, the Caernarvon OS also contains a privacy-preserving, two-way authentication protocol integrated with the Mandatory Security Policy.

The Caernarvon OS includes a strong cryptographic library that has been separately certified under the Common Criteria at EAL5+ for use with other systems. The Caernarvon OS implements a secure method for downloading trusted and untrusted application software and data in the field, with the assumption that all applications are potentially hostile. While the initial platform for the operating system was smart cards, the design could also be used in other embedded devices, such as USB tokens, PDAs, cell phones, etc.

