Trusted Path Mechanism in AIX

IP.com Disclosure Number: IPCOM000106963D
Original Publication Date: 1992-Jan-01
Included in the Prior Art Database: 2005-Mar-21
Document File: 4 page(s) / 203K

Publishing Venue

IBM

Related People

Langford, JS: AUTHOR (and 3 further authors)

Abstract

Disclosed is a mechanism for providing a Trusted Path between the system Trusted Computing Base (TCB) and the user in a UNIX*-based operating system. This mechanism allows the user to communicate with the TCB in a manner which is not susceptible to integrity, disclosure or availability attacks. In addition, the AIX** Trusted Path mechanism allows the administrator to tailor the mechanism for each account or terminal line, provides a high degree of security while still offering the user a flexible command environment and requires only simple processing by the terminal drivers.

This text was extracted from an ASCII text file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 29% of the total text.

Trusted Path Mechanism in AIX

      The Trusted Computing Base is the part of the operating system
which is privileged to perform the security functions of the system,
including access control, accountability and authentication. For many
of these functions, it is considered highly desirable to provide a
method to assure both the TCB and the user that their communications
are secure. As an example of this, consider the log-in program, which
authenticates the user and then assigns credentials to the user for
the session. Since users must trust this program with their passwords
(or other means of authentication), a very common attack on operating
systems is to imitate the log-in program. In systems without a
Trusted Path, there is no defense against this sort of attack.

      There are three components of the Trusted Path subsystem in
AIX. These are Secure Attention Key (SAK) processing, the Terminal
State Manager (TSM) and the Trusted Shell. Secure Attention Key
processing consists of detecting that the Secure Attention Key has
been entered by a user and then notifying the Terminal State Manager
of this occurrence. The Terminal State Manager will establish a clean
environment for the terminal line and then execute the Trusted Shell.
The Trusted Shell, in turn, provides the user with a safe environment
for executing commands.

      Terminal state management is the most important component and
is implemented by the TSM program. The TSM program incorporates
aspects of the init program and all of the functions of the getty and
log-in programs. TSM is spawned by init for each defined terminal
line in the system. TSM first does the line conditioning formerly
done by getty. It then establishes a secure communications
environment by:
         1) opening the terminal device and making it accessible only
by privileged processes;
         2) revoking access to the terminal by all other processes.
All processes sleeping in the terminal driver are killed, and any
process that still has the terminal device open will be killed if it
accesses the device;
         3) marking the terminal as trusted and registering itself
with the terminal driver as the Terminal State Manager for this line.
These steps ensure that any program which accesses the terminal after
this point must be part of the TCB. At this point, TSM performs the
log-in function by a...
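The three components and the three TSM steps described above, as an executable model added here (it is not IBM's code or the AIX implementation): a terminal line object plays the terminal driver, `TSM` plays the Terminal State Manager, and a user program imitating the log-in prompt is interrupted by the SAK. The SAK byte sequence, the process names, the `trusted` flag consulted on open, and the shortcut of releasing the line to the user's session by clearing that flag are assumptions of the model, not details taken from the disclosure.

```python
# Executable model of the AIX Trusted Path described above (added example, not
# IBM code).  Assumed, since the page does not give them: the SAK byte sequence,
# the process names, and a per-line 'trusted' flag that open() consults.
from dataclasses import dataclass, field

SAK = b"\x18\x12"   # assumed Secure Attention Key bytes (Ctrl-X Ctrl-R)

class Killed(Exception):
    """A process whose access was revoked touched the line again."""

@dataclass
class Process:
    name: str
    trusted: bool = False   # member of the TCB?
    alive: bool = True

@dataclass
class TerminalLine:
    """One terminal line as the terminal driver sees it."""
    tsm: "TSM | None" = None                      # registered Terminal State Manager
    trusted: bool = False
    opened: dict = field(default_factory=dict)    # name -> Process holding the device
    sleeping: set = field(default_factory=set)    # names blocked in the driver (read)
    revoked: set = field(default_factory=set)
    screen: list = field(default_factory=list)    # (writer, text), in order

    def open(self, proc: Process) -> None:
        if self.trusted and not proc.trusted:     # step 1: privileged processes only
            raise PermissionError(f"{proc.name}: line is trusted, TCB only")
        self.opened[proc.name] = proc

    def _check(self, proc: Process) -> None:
        if proc.name in self.revoked:             # step 2: killed on next access
            self.opened.pop(proc.name, None)
            proc.alive = False
            raise Killed(proc.name)
        if proc.name not in self.opened:
            raise PermissionError(f"{proc.name}: device not open")

    def write(self, proc: Process, text: str) -> None:
        self._check(proc)
        self.screen.append((proc.name, text))

    def read(self, proc: Process) -> None:        # blocking read: sleeps in the driver
        self._check(proc)
        self.sleeping.add(proc.name)

    def keystrokes(self, data: bytes) -> None:
        """Driver input path: detect the SAK and notify the registered TSM."""
        if SAK in data and self.tsm is not None:
            self.tsm.on_sak(self)

    def lock_to_tcb(self, tsm: "TSM") -> None:
        """Steps 1-3: revoke every other holder, mark trusted, register tsm."""
        for name, proc in list(self.opened.items()):
            if name != tsm.name and name in self.sleeping:   # asleep in driver: killed now
                proc.alive = False
                self.sleeping.discard(name)
                del self.opened[name]
            elif name != tsm.name:                # killed if it ever touches the line
                self.revoked.add(name)
        self.trusted, self.tsm = True, tsm

@dataclass
class TSM(Process):
    trusted: bool = True                          # tsm is part of the TCB

    def start(self, line: TerminalLine) -> None:  # spawned by init for this line
        line.open(self)
        line.lock_to_tcb(self)
        line.write(self, "login: ")               # genuine prompt on a locked line

    def on_sak(self, line: TerminalLine) -> None:
        line.lock_to_tcb(self)
        line.write(self, "tsh> ")                 # Trusted Shell prompt

def outcome(action) -> str:
    """Run an access against the line; name the exception it dies with, if any."""
    try:
        action()
        return "ok"
    except (Killed, PermissionError) as err:
        return type(err).__name__

def demo() -> dict:
    """Spoofed-login attack interrupted by the SAK; returns what happened."""
    line, tsm = TerminalLine(), TSM("tsm")
    tsm.start(line)
    user_sh = Process("ksh")                      # authenticated user's session shell
    line.trusted = False                          # tsm releases the line to the session
    line.open(user_sh)
    spoof = Process("fakelogin")                  # user program imitating log-in
    line.open(spoof)
    line.write(spoof, "login: ")                  # indistinguishable from the real one
    line.read(spoof)                              # waits for the victim's password
    line.keystrokes(SAK)                          # victim presses SAK before typing
    return {"spoof_alive": spoof.alive,
            "shell_access": outcome(lambda: line.write(user_sh, "$ ")),
            "untrusted_open": outcome(lambda: line.open(Process("spoof2"))),
            "prompt": line.screen[-1],
            "line_trusted": line.trusted}
```

Running `demo()` shows the two revocation paths the disclosure distinguishes: the spoofer, asleep in the driver waiting for a password, dies at once, while the user's shell, which merely held the device open, dies on its next access; after the SAK only a TCB process can open the line, so the `tsh>` prompt the victim then sees cannot have come from a user program. Without a registered TSM the SAK bytes are ordinary input and nothing happens. The revocation step has a close Linux counterpart in `vhangup(2)`, which login uses to hang up the controlling terminal so that other processes' open descriptors on it no longer reach the line before the prompt is printed.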