About: Trusted operating system is a research topic. Over its lifetime, 113 publications have been published within this topic, receiving 1663 citations.
TL;DR: Manifest-based trusted agent management in a trusted operating system environment includes receiving a request to execute a process and setting up a virtual memory space for the process, as discussed by the authors.
Abstract: Manifest-based trusted agent management in a trusted operating system environment includes receiving a request to execute a process and setting up a virtual memory space for the process. Additionally, a manifest corresponding to the process is accessed, and which of a plurality of binaries can be executed in the virtual memory space is limited based on indicators of the binaries that are included in the manifest.
TL;DR: Secure Attention Key (SAK) as mentioned in this paper is a key that allows a user to create a non-forgeable and non-penetrable communication path between the user's terminal and the trusted operating system software.
Abstract: The trusted path mechanism guarantees that data typed by a user on a terminal keyboard is protected from any intrusion by unauthorized programs. It allows a user to create a non-forgeable and non-penetrable communication path between the user's terminal and the trusted operating system software. The user can create a trusted path by simply pressing a key, called the Secure Attention Key (SAK), on the terminal keyboard. This operation can be called when the user logs into the system in order to be sure that the user is communicating with the real login program and not a Trojan horse program masquerading as a login program, which could steal the user's password. After the user establishes the trusted path, he can enter his critical data, such as a password, and can be sure that his critical data is not being stolen by an intruder's program. Then, after the user logs out, he can be sure that the trusted path has actually logged him out of the system so that a Trojan horse program is not capable of continuing the session started by the user.
TL;DR: In this paper, a trusted interface (44) is used to transfer data between the trusted operating system (40) and the security kernel (36) and to ensure that computer security attributes are compatible with communication security attributes. If incompatibilities are discovered, requested communications are thwarted and audit records for the security linkage violations are recorded.
Abstract: A computer network (20) including secure nodes (26) and unsecured nodes (28). The secure nodes (26) may communicate private data without compromising security provisions. The secure nodes (26) include a security kernel (36) that implements communication security provisions and a trusted operating system (40) that imposes computer data security provisions. A trusted interface (44) is used to transfer data between the trusted operating system (40) and the security kernel (36). In addition, this interface (44) ensures that computer security attributes are compatible with communication security attributes. If incompatibilities are discovered, requested communications are thwarted and audit records for the security linkage violations are recorded.
TL;DR: In this article, a single copy of untrusted software is granted simultaneous read and write access to multiple levels of classified data, with assurance that both the Bell-LaPadula simple security property and the *-property will be correctly enforced.
Abstract: A CPU architecture guarantees that untrusted software will handle multi-level classified data in a secure manner. A single copy of untrusted software is granted simultaneous read and write access to multiple levels of classified data, with assurance that both the Bell-LaPadula simple security property and the *-property will be correctly enforced. This enforcement is accomplished without the severe constraints normally imposed by computers that do not incorporate this invention. The technique may also be used to enforce integrity policy constraints alone or in conjunction with security policy constraints (classifications). This method relies upon hardware comparison of sensitivity level tags (and/or integrity level tags) associated with data storage blocks. Software need not be examined before it is permitted to handle multi-level secure data because any attempted violation of a security policy (or an integrity policy) will cause a trap to the trusted operating system. Internal label registers are dynamically updated for permitted accesses by the untrusted software.
TL;DR: In this paper, application data is stored on the source computing device in a manner that facilitates determining whether application data can be transferred, and that facilitates transferring the application data if it can.
Abstract: Transferring application secrets in a trusted operating system environment involves receiving a request to transfer application data from a source computing device to a destination computing device. A check is made as to whether the application data can be transferred to the destination computing device, and if so, whether the application data can be transferred under control of the user or a third party. If these checks succeed, a check is also made as to whether the destination computing device is a trustworthy device running known trustworthy software. Input is also received from the appropriate one of the user or third party to control transferring of the application data to the destination computing device. Furthermore, application data is stored on the source computing device in a manner that facilitates determining whether the application data can be transferred, and that facilitates transferring the application data if it can be transferred.