
Online Dynamic Testing of Security and Integrity of Operating Systems

IP.com Disclosure Number: IPCOM000082223D
Original Publication Date: 1974-Oct-01
Included in the Prior Art Database: 2005-Feb-28
Document File: 5 page(s) / 45K

Publishing Venue

IBM

Related People

Kurtzberg, JM: AUTHOR

Abstract

A software/hardware system is described herein for online periodic testing of security defenses of computer operating systems and allied hardware.

This is the abbreviated version, containing approximately 31% of the total text.




Certification of large complex systems - at best - is extremely difficult, particularly with respect to offering reasonable guarantees that the system can guard against attacks by penetrators. In particular, machine malfunctions, even transient hardware errors, can lead to unpredictable software pathologies with far-reaching effects. These defects may be evident only under certain overload conditions or may be timing dependent. Further, once a violation does occur, say during a machine malfunction or system crash, "trapdoors" can be left in the operating system for long-term penetrations. Thus, it is insufficient to certify system integrity or security on a static basis. Instead, it is necessary to verify security/integrity with reference to a dynamic job load on a working machine, without, of course, any possible damage to any user of the system.

Particularly important is the testing of seldom used but vital functions, such as error recovery mechanisms. Essentially, there is a need for security/integrity diagnostics on a periodic basis as part of the normal running mode, somewhat equivalent to the use of machine diagnostics. Hopefully, the diagnostics or safeguards can be on a "fail-safe" basis. That is, failure of the safeguard would be detected so corrective action could be taken.

The following scheme comprises a possible construction for such a safeguard (see Fig. 1):

(1) A set of files with typical processes operating upon them -- termed the target.

(2) A set of programmed attacks on the target (with provisions for manual intervention) -- termed the prober.

(3) A means for restructuring the target -- termed the director.

(4) A set of programs and devices to detect the attacks of the prober (and possibly of actual penetration attacks) -- termed the detector.

The interaction of these components is illustrated in Fig. 1. Briefly, it is assumed that the detector resides in firmware and hardware or in the "innermost" level of the operating system. The prober is treated as being on the level of the application programs, ones that are without any special system privileges. The director also is on the application program level, but is given special access rights to various target files and other service programs by the operating system. The target consists of a set of files and associated programs and thus is on the application program level (the programs) and in protected memory, such as main storage and discs (the files). The security officer represents the authority and guidance of the authorized external world and functions via a terminal -- the ideal system organization would call for a dedicated direct-wire terminal.
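As an added illustration, not part of the 1974 disclosure, the following Python sketch simulates the four components and the "fail-safe" evaluation the text calls for: a reference monitor stands in for the operating system's access check with the detector wired into it, an unprivileged prober runs scripted attacks and keeps its own record, a director restructures the target between rounds, and the final check reports both a probe that was granted (a penetration, e.g. a trapdoor left behind by a simulated crash) and a probe that was correctly denied but never logged (the safeguard itself has failed). The file names, user names, and the trapdoor and detector-outage fault injections are constructed for the example.

```python
"""Simulation of the target / prober / director / detector scheme (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class File:
    owner: str
    shared: bool          # True: anyone may read; the owner alone may write


@dataclass
class Detector:
    """Innermost-level monitor: records every denied access it is shown."""
    online: bool = True   # False simulates the safeguard itself failing
    denials: List[Tuple[str, str, str]] = field(default_factory=list)

    def observe(self, subject: str, op: str, path: str, allowed: bool) -> None:
        if self.online and not allowed:
            self.denials.append((subject, op, path))


class ReferenceMonitor:
    """Stand-in for the OS access check, with the detector wired into it."""

    def __init__(self, files: Dict[str, File], detector: Detector,
                 trapdoor: Optional[str] = None) -> None:
        self.files, self.detector = files, detector
        self.trapdoor = trapdoor   # hypothetical leftover from a crash: anyone may write this path

    def access(self, subject: str, op: str, path: str) -> bool:
        f = self.files.get(path)
        if f is None:
            allowed = False
        elif op == "read":
            allowed = f.shared or f.owner == subject
        elif op == "write":
            allowed = f.owner == subject or path == self.trapdoor
        else:
            allowed = False
        self.detector.observe(subject, op, path, allowed)
        return allowed


class Prober:
    """Unprivileged process that runs scripted attacks and records each outcome."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.attempts: List[Tuple[str, str, bool, bool]] = []

    def run(self, monitor: ReferenceMonitor) -> List[Tuple[str, str, bool, bool]]:
        self.attempts = []
        for path, f in monitor.files.items():
            if f.owner == self.name:
                continue
            for op in ("read", "write"):
                expect_denied = not (op == "read" and f.shared)
                granted = monitor.access(self.name, op, path)
                self.attempts.append((op, path, expect_denied, granted))
        return self.attempts


class Director:
    """Restructures the target between rounds so the probes exercise different states."""

    def restructure(self, files: Dict[str, File], round_no: int) -> None:
        for i, f in enumerate(files.values()):
            f.shared = (i + round_no) % 2 == 1


def evaluate(prober: Prober, detector: Detector):
    """Fail-safe check: a probe that was granted (penetration), or one that was
    denied but never logged (blind spot), is a failure to report to the security officer."""
    logged = {(op, path) for s, op, path in detector.denials if s == prober.name}
    penetrations = [(op, p) for op, p, exp, got in prober.attempts if exp and got]
    blind_spots = [(op, p) for op, p, exp, got in prober.attempts
                   if exp and not got and (op, p) not in logged]
    return penetrations, blind_spots


def run_round(round_no: int, trapdoor: Optional[str] = None, detector_online: bool = True):
    # Constructed target: two user files and one system file.
    files = {"payroll": File("acct", shared=False),
             "notes": File("acct", shared=True),
             "syscat": File("system", shared=False)}
    Director().restructure(files, round_no)
    detector = Detector(online=detector_online)
    monitor = ReferenceMonitor(files, detector, trapdoor)
    prober = Prober("probe_user")
    prober.run(monitor)
    return evaluate(prober, detector)


if __name__ == "__main__":
    print("healthy round:      ", run_round(0))
    print("trapdoor on syscat: ", run_round(0, trapdoor="syscat"))
    print("detector offline:   ", run_round(0, detector_online=False))
```

The point of the two fault injections is the fail-safe property from the text: a healthy round returns two empty lists, a trapdoor shows up as a penetration because the prober's own record disagrees with the policy, and a silent detector shows up as a list of blind spots because denials that should have been logged were not. Either non-empty result is what would be raised to the security officer's terminal.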



The functions of these components will now be discussed individual...