Security Kernel

When we’re talking about managing every single transaction between a subject and an object, we need to make sure that that process is complete. And in technology– In the physical world, the example we gave of accessing a property, we were the mediator for that process. In a technology environment, in an operating system, what manages that process is the security kernel. And we have the concept of the reference monitor. In fact, if you’re on a Windows machine, if you open up the task viewer and look down the list of processes, you will see a process called refmon.exe. This is our reference monitor. So this is an abstract concept that mediates all access that subjects have to objects.

So, all access between subjects and objects go through the reference monitor. This is to make sure that every single transaction is appropriately authorized, that the subject has the appropriate rights and permissions to conform to the access that is being requested. The security kernel is made up of hardware, of software, and firmware components. And, typically, we call this the trusted computer base, or the TCB. The security kernel mediates all access and functions between our subjects and objects, and the trusted computer base gives us that security.

Here we’ll also see things like the hardware security module, things like the TPM chip in Windows devices (the trusted platform module) that contains some of our stored keys or that can help with our crypto processes. So we want our security kernel to be isolated, to be able to operate in isolation – in effect, for it to become tamper-proof. And typically, we see a different level of privilege assigned to something like the security kernel than is granted to users. So it operates at a much higher security state. We need it to mediate all access. If it’s not mediating all access, if it’s mediating some, then potentially the security kernel can be bypassed.

Also, if we think about the real world, with things like door entry systems or data centre fire suppression systems, we want those to be fail-safe. We want people to be left in an environment where they are physically safe. With logical processes and logical security, we typically want to fail secure. We want the secure outcome to be the default one rather than safe. So here what we’re wanting is the security kernel – if it fails in any way, if it detects tampering – for it to fail in a way that leaves the operating system secure.

The final principle around the security kernel that we want to enforce is that we want to make sure that it is small enough to be tested comprehensively. So typically, the security kernel, in coding terms, is a very, very small, very tightly defined element of software. And it is understood. It can be tested and verified completely. We understand what it is doing, and we can verify that its operation is complete and accurate.