Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA13992; Fri, 1 Jun 90 11:59:01 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA20801; Fri, 1 Jun 90 11:59:00 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA02576; Fri, 1 Jun 90 11:58:51 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa24210; 1 Jun 90 16:16 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Fri, 01 Jun 90 16:08:28 BST 
Message-Id:   <$TGTWCZCFFBTF at UMPA>
Subject:      Virus-L vol 0 issue #0521
Virus-L Digest Sat, 21 May 88, Volume 0 : Issue #0521

Today's Topics

Additional LOCK Info

------------------------------

Date:         Sat, 21 May 88 23:21:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Joseph M. Beckman" <Beckman@DOCKMASTER.ARPA>
Subject:      Additional LOCK Info
In-Reply-To:  Message of 20 May 88 08:46 EDT from "Kenneth R. van Wyk"


Re:  LOCK

One of the problems with building security into Operating Systems has
been the serial nature of a computer.  When the user's program is
operating, the security software is not.  The user is then only
constrained by what the TCB (trusted computing base) has done *before*.
If there is a failure, and the user is jumped into mastermode, he can do
whatever he wants.  There is also an obvious performance penalty; the
more security processing is necessary, the less time there is for user
programs.

LOCK is (essentially) adding a separate computer onto the computer to be
secured (called the Host).  This allows us to monitor without the
performance penalty.  It also allows us to keep the TCB code physically
separate from user applications -- there is *no way* for the user to
generate an address that reaches into the TCB code -- it is on a
separate machine (albeit attached to the Host's bus).

Most "secure" systems being built are designed to stop the compromise of
information, pretty useless against an integrity attack (such as a
virus).  That's one of the reasons we are building the Type Enforcement
mechanism; to stop viruses and ordinary Trojan Horses.

Although this mechanism cannot "detect" or "screen" viruses, it can at
least reduce them to ordinary Trojan Horse status (disallowing them
any way of propagating).  Of course, if you audit, you should be able to
pick up a virus attempting to propagate (due to rejected actions).

Joseph
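
The behaviour Joseph describes above, as an added illustration that is not part of the digest and is not LOCK's own code: a toy type-enforcement reference monitor mediates every access against a domain/type table, a program carrying viral code can still tamper with the user's data (ordinary Trojan Horse status) but is denied write access to every executable (no way of propagating), and a simple audit reduction over the rejected actions flags the attempted propagation. The domain names, the access table, the "installer" domain and the sample objects are all constructed assumptions for the example.

```python
# Added example: a toy type-enforcement reference monitor. Not LOCK code;
# every domain, type, table entry and object below is a constructed assumption.
from collections import Counter
from dataclasses import dataclass, field

# Assumed domain definition table: (domain, object type) -> allowed modes.
# Ordinary user programs may run executables but never modify them; only a
# separate "installer" domain (assumed) may write to executable objects.
DDT = {
    ("user", "user_data"): {"read", "write"},
    ("user", "executable"): {"read", "execute"},
    ("installer", "executable"): {"read", "write"},
    ("installer", "user_data"): {"read"},
}

# Constructed sample objects: name -> type.
OBJECTS = {
    "/home/alice/report.txt": "user_data",
    "/home/alice/notes.txt": "user_data",
    "/bin/editor": "executable",
    "/bin/mailer": "executable",
    "/bin/shell": "executable",
}


@dataclass
class ReferenceMonitor:
    """Mediates every access and records the rejected ones for audit."""
    audit_log: list = field(default_factory=list)

    def check(self, domain: str, obj: str, mode: str) -> bool:
        obj_type = OBJECTS[obj]
        allowed = mode in DDT.get((domain, obj_type), set())
        if not allowed:
            self.audit_log.append(
                {"domain": domain, "object": obj, "type": obj_type, "mode": mode}
            )
        return allowed


def run_infected_program(monitor: ReferenceMonitor, domain: str) -> dict:
    """Simulate a program carrying viral code running in `domain`: it does its
    Trojan payload (writing the user's data files) and then tries to copy
    itself into every executable it can see. Returns what actually succeeded."""
    result = {"data_tampered": 0, "executables_infected": 0}
    for obj, obj_type in OBJECTS.items():
        if obj_type == "user_data" and monitor.check(domain, obj, "write"):
            result["data_tampered"] += 1
        if obj_type == "executable" and monitor.check(domain, obj, "write"):
            result["executables_infected"] += 1
    return result


def flag_propagation_attempts(audit_log: list, threshold: int = 2) -> list:
    """Audit reduction: a domain repeatedly denied write access to executable
    objects looks like self-replication being blocked by type enforcement."""
    denied_exec_writes = Counter(
        e["domain"] for e in audit_log
        if e["type"] == "executable" and e["mode"] == "write"
    )
    return [d for d, n in denied_exec_writes.items() if n >= threshold]


if __name__ == "__main__":
    m = ReferenceMonitor()
    print(run_infected_program(m, "user"))         # {'data_tampered': 2, 'executables_infected': 0}
    print(flag_propagation_attempts(m.audit_log))  # ['user']
```

Running it in the "user" domain shows both halves of the message: the payload succeeds against the user's own data, so the program is still a Trojan Horse, but all three attempts to write an executable are rejected and appear in the audit log, where the repeated denials are what the reviewer would look for. Running the same code in the assumed "installer" domain shows the flip side: type enforcement only confines what the domain definition table says it confines, so the table itself is the thing to get right.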
