Wednesday, January 11, 2006

Learning about KeyKOS and CapROS

I've been reading through the documentation for KeyKOS, which was a secure OS running on the IBM/370 series of hardware back in the 1980s. I began to realize exactly what an honestly secure system involves, and started to get into the mindset.

First was the idea of only the barest minimum of code in the kernel. Everything runs in its own context. Even device drivers run each in their own context. Each context is essentially a well isolated virtual machine, with NO peripherals of any kind, except for the ability to call the system to ask for things. All the RAM is actually virtuallized out to disk, so that if the system gets restarted, the application can't even tell.

Needless to say, that's a big shift in mindset. It got kinda scarey thinking of a machine with NO filesystem... but it made sense in terms of security. Then I started to see why VM/370 had all these run time systems... and that started to come in to view.

I get the idea now, process containment over all else... and it's very secure.

Things got tweaky for me when I then read about the KeySafe project to attempt to qualify for Orange Book B2 security. The need to support 4 nested layers, each of which can completely spy on the lower layers, and must be undetectable... and the KeyKOS folks just wrote a set of rules to do it... that's it. VERY powerful system stuff going on here...

I've followed the trail from KeyKOS to EROS, and am now looking at CapROS, which has a sourceforge page and everything. I'm considering putting together a Fedora Core machine so I can get in on the action, and maybe even help.

I'd like to get a copy of it to boot inside VMware, if that's possible. Looks like I'm going to have to learn C, and lots of stuff about Mach, Kernels, etc...

It's going to be interesting.


1 comment:

Charles Landau said...

Let me encourage you to play with CapROS. I can always use help.