Outline for June 2, 1997

  1. Greetings and Felicitations

  2. VAX VMM Security Kernel Design Approach
    1. Layers (from lowest to highest):
      1. VAX hardware
      2. modified microcode for virtualization
      3. hardware interrupt handlers
      4. lower-level scheduler: schedules the real (physical) system
      5. I/O services: device drivers controlling real I/O devices
      6. VM-physical space manager: manages physical memory, assigns it to VMs
      7. VM-virtual space manager: shadow page tables used by the VM page managers
      8. higher-level scheduler
      9. audit trail
      10. files-11 files and volumes: Files-11 files are a subset of the ODS-2 file system used by VMS, and all files must be preallocated and contiguous; volumes are registries of objects, and this layer implements volumes
      11. virtual terminals: physical terminal lines and the virtual terminals built on them
      12. virtual printers: VM printers, labelling of output
      13. kernel interface: virtual I/O & security function controllers (loading virtual disks onto virtual drives)
      14. secure server/virtual VAX: implements trusted path/emulates sensitive instructions
        ---------security perimeter---------
      15. virtual machine OS: virtual machine's OS
      16. users
  3. Programming Language
    1. Wanted strong typing, but also a compiler able to compile very large programs correctly, produce high-quality VAX code, and be supported; this narrowed the choices to the following languages:
      • BLISS-32; not strongly typed
      • PASCAL; high-quality code generation not yet available
      • C; good code generator, but not much experience with it
      • PL/I; same code generator as C, better typing support, more experience
    2. When a PASCAL compiler became available, they switched to it. Also used MACRO-32, the assembler (of 49,000 lines, 11,500 were in MACRO-32 assembler, 29,500 in PASCAL, and 8,000 in PL/I)
    3. Coding Strategies: avoid global pools (such as shared input buffers) to minimize covert channels; separate different sections of kernel memory with no-access pages, so that buffer overflows fault instead of silently corrupting the next section; initialize unused memory to 1's, not 0's, to increase the chance that use of uninitialized data faults; use special management systems to enforce layering
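The no-access pages and all-ones initialization from item 3 above, as an added example written for these notes (it is not VAX VMM kernel code, which was MACRO-32, PASCAL and PL/I): the same two tricks on a POSIX system. It assumes Linux on x86-64 or aarch64, where a value of all 1's used as an address is never mapped for user code, and it installs a SIGSEGV/SIGBUS handler that unwinds with siglongjmp only so each probe can report the fault instead of killing the process; the VAX kernel relied on the bare hardware fault.

```c
/* Added example (not VAX VMM kernel code): guard pages between memory
 * sections and all-ones initialisation of unused memory, reproduced with
 * POSIX mmap/mprotect. Assumes Linux (x86-64 or aarch64). */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;

/* Fault handler: instead of dying, unwind back into faults(). */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Run probe(arg) with SIGSEGV/SIGBUS trapped; return 1 if it faulted. */
static int faults(void (*probe)(void *), void *arg)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int faulted;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(fault_env, 1) == 0) {
        probe(arg);
        faulted = 0;
    } else {
        faulted = 1;                /* reached via siglongjmp from on_fault */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* One "kernel section": a usable page followed by a no-access guard page. */
struct section { unsigned char *base; size_t size; };

static struct section alloc_section(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *base = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    struct section s = { NULL, 0 };
    if (base == MAP_FAILED)
        return s;
    mprotect(base + page, page, PROT_NONE); /* guard page: any touch faults */
    memset(base, 0xFF, page);               /* unused memory is all 1's     */
    s.base = base;
    s.size = page;
    return s;
}

static void free_section(struct section *s)
{
    if (s->base)
        munmap(s->base, 2 * s->size);
}

/* Write the last byte of the section: in bounds, must not fault. */
static void in_bounds_probe(void *arg)
{
    struct section *s = arg;
    volatile unsigned char *p = s->base;
    p[s->size - 1] = 0x41;
}

/* Off-by-one overflow: the byte after the section lies on the guard page. */
static void overflow_probe(void *arg)
{
    struct section *s = arg;
    volatile unsigned char *p = s->base;
    p[s->size] = 0x41;
}

/* A pointer that was never set reads back as all 1's and cannot be used. */
static void uninit_ptr_probe(void *arg)
{
    struct section *s = arg;
    volatile unsigned char *p;
    memcpy((void *)&p, s->base, sizeof p);  /* p == 0xFFFF...FF */
    (void)*p;
}

int in_bounds_write_succeeds(void)
{
    struct section s = alloc_section();
    int ok = s.base != NULL && !faults(in_bounds_probe, &s);
    free_section(&s);
    return ok;
}

int overflow_into_guard_page_faults(void)
{
    struct section s = alloc_section();
    int r = s.base != NULL && faults(overflow_probe, &s);
    free_section(&s);
    return r;
}

int uninitialised_pointer_faults(void)
{
    struct section s = alloc_section();
    int r = s.base != NULL && faults(uninit_ptr_probe, &s);
    free_section(&s);
    return r;
}

int main(void)
{
    printf("in-bounds write ok:       %d\n", in_bounds_write_succeeds());
    printf("overflow hits guard page: %d\n", overflow_into_guard_page_faults());
    printf("all-ones pointer faults:  %d\n", uninitialised_pointer_faults());
    return 0;
}
```

Build with any C compiler and run; each probe reports 1 when it faulted. The guard page turns a one-byte overrun into an immediate, attributable fault at the overflowing instruction, and the 0xFF fill turns an uninitialized pointer into an address that can never be valid, which is the reason the notes prefer 1's over 0's.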
  4. Human Interfaces
    1. Secure Server: its commands are implemented in trusted code; SECURE commands (administrative commands) are parsed inside the VM.
    2. BREAK key = SAK (secure attention key); controls terminal connections
    3. SECURE commands: VM secure commands are executed in the context of the issuing VM; user secure commands are executed by the Secure Server. The latter provides trust and accountability, because the command arrives over the trusted path and the Secure Server displays the command from within the Secure Server itself
  5. Network Security
    1. Quick review of ISO/OSI model
    2. Link v. end-to-end encryption
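The difference between link and end-to-end encryption, as an added example written for these notes (not code from the lecture or from DEC): a message from A to B crosses one relay R, and the code records exactly what R gets to see under each scheme. The keystream cipher is a toy xorshift XOR stream, used only so the block runs stand-alone; it is not a secure cipher. Keys, node names and the message are constructed for the example.

```c
/* Added example (not from the lecture): link encryption vs. end-to-end
 * encryption on the path A -> R -> B, showing what the relay R observes.
 * The cipher is a toy xorshift XOR keystream for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSG_LEN 32

/* Toy symmetric stream cipher: XOR with an xorshift32 keystream.
 * Applying it twice with the same key restores the input. NOT secure. */
static void toy_stream(uint32_t key, unsigned char *buf, size_t len)
{
    uint32_t s = key ? key : 0x9E3779B9u;
    for (size_t i = 0; i < len; i++) {
        s ^= s << 13;
        s ^= s >> 17;
        s ^= s << 5;
        buf[i] ^= (unsigned char)s;
    }
}

/* Packet as seen on the wire: routing header in the clear, payload
 * encrypted according to the scheme in use. */
struct packet {
    char src, dst;
    unsigned char payload[MSG_LEN];
};

/* Constructed keys: one per link, and one shared only by the endpoints. */
static const uint32_t K_AR = 0x0A0A0001u;   /* link A-R      */
static const uint32_t K_RB = 0x0B0B0002u;   /* link R-B      */
static const uint32_t K_AB = 0x0C0C0003u;   /* end-to-end A-B */

/* Constructed message; the array is zero-padded to MSG_LEN. */
static const unsigned char MESSAGE[MSG_LEN] = "move the VAX at 0900";

/* Link encryption: the payload is protected per hop. R must decrypt to
 * forward, so it holds the plaintext in the clear between the two links. */
static void deliver_link_encrypted(unsigned char relay_saw[MSG_LEN],
                                   unsigned char delivered[MSG_LEN])
{
    struct packet p = { 'A', 'B', { 0 } };
    memcpy(p.payload, MESSAGE, MSG_LEN);
    toy_stream(K_AR, p.payload, MSG_LEN);      /* A: encrypt for link A-R */

    toy_stream(K_AR, p.payload, MSG_LEN);      /* R: decrypt link A-R     */
    memcpy(relay_saw, p.payload, MSG_LEN);     /* R's view: plaintext     */
    toy_stream(K_RB, p.payload, MSG_LEN);      /* R: encrypt for link R-B */

    toy_stream(K_RB, p.payload, MSG_LEN);      /* B: decrypt link R-B     */
    memcpy(delivered, p.payload, MSG_LEN);
}

/* End-to-end: only A and B hold K_AB. R forwards the payload untouched and
 * sees ciphertext plus the clear routing header (src, dst). */
static void deliver_end_to_end(unsigned char relay_saw[MSG_LEN],
                               unsigned char delivered[MSG_LEN])
{
    struct packet p = { 'A', 'B', { 0 } };
    memcpy(p.payload, MESSAGE, MSG_LEN);
    toy_stream(K_AB, p.payload, MSG_LEN);      /* A: encrypt for B only   */

    memcpy(relay_saw, p.payload, MSG_LEN);     /* R's view: ciphertext    */

    toy_stream(K_AB, p.payload, MSG_LEN);      /* B: decrypt              */
    memcpy(delivered, p.payload, MSG_LEN);
}

/* 1 if the relay's view under link encryption equals the plaintext. */
int relay_sees_plaintext_link(void)
{
    unsigned char saw[MSG_LEN], got[MSG_LEN];
    deliver_link_encrypted(saw, got);
    return memcmp(saw, MESSAGE, MSG_LEN) == 0;
}

/* 1 if the relay's view under end-to-end encryption equals the plaintext. */
int relay_sees_plaintext_e2e(void)
{
    unsigned char saw[MSG_LEN], got[MSG_LEN];
    deliver_end_to_end(saw, got);
    return memcmp(saw, MESSAGE, MSG_LEN) == 0;
}

/* 1 if both schemes deliver the original message to B. */
int both_deliver_intact(void)
{
    unsigned char saw[MSG_LEN], got_link[MSG_LEN], got_e2e[MSG_LEN];
    deliver_link_encrypted(saw, got_link);
    deliver_end_to_end(saw, got_e2e);
    return memcmp(got_link, MESSAGE, MSG_LEN) == 0 &&
           memcmp(got_e2e, MESSAGE, MSG_LEN) == 0;
}

int main(void)
{
    printf("relay sees plaintext (link):       %d\n", relay_sees_plaintext_link());
    printf("relay sees plaintext (end-to-end): %d\n", relay_sees_plaintext_e2e());
    printf("both schemes deliver intact:       %d\n", both_deliver_intact());
    return 0;
}
```

Both schemes deliver the message, but only link encryption exposes the plaintext at every relay, so a compromised R can snoop or modify it; end-to-end encryption still leaves the routing header visible to R, which is why the two are often combined (end-to-end for the payload, link for the headers and traffic pattern).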
  6. Network Security Threats (review)
    1. snooping
    2. modification
    3. masquerading
    4. replay
    5. delay
    6. denial of service
    7. repudiation of origin
    8. denial of receipt

Notes by Eric Rosenthal
You can get this document in Postscript, ASCII text, or Framemaker version 5.1.
Send email to cs253@csif.cs.ucdavis.edu.

Department of Computer Science
University of California at Davis
Davis, CA 95616-8562

Page last modified on 6/12/97