Encapsulation: an approach to operating system security

Currently a certifiably secure multiuser operating system does not exist; no operating system has been able to withstand mallcious attacks by skilled penetrators. While there is a strongly felt need in both the military and civilian sectors for reliably secure operating system software, any solution to the security problem must also take into account the enormous investment in existing equipment and software. In the present paper, hypervisors are discussed as one approach to retrofitting security, but rejected due to the high cost and complexity of installing them on existing equipment. Encapsulation, an alternative solution proposed for batch and remote batch entry applications, requires only a small amount of additional hardware and verified software. The resulting system can be certified to be secure, and is thus suitable for stringent military requirements. The solution is applicable---essentially unchanged---to a wide class of hardware and software, and it is not sensitive to special versions of (or changes to) operating system code. Operating efficiency and construction costs of the encapsulation method are discussed to demonstrate its feasibility. This work has been performed under Advanced Research Projects Agency Contract DAHC15 72 C 0308. It is part of a larger effort to provide securable operating systems in DOD environments.