What is a secure OS?

Credit to Author: Andrey Doukhvalov | Date: Tue, 28 Nov 2017 21:51:38 +0000

I am often asked: “If there’s nothing absolutely secure in our world, how can you say KasperskyOS is secure?”

The answer is, there’s a difference — really, a tremendous semantic gap — between those two things!

Indeed, there is no absolute cybersecurity in this world, and that is inherent in the problem. Each security system's job is to come as close as possible to the desirable 100%, and the closer you get, the harder, slower, and more expensive the task becomes. Once the conventional 99.9% effectiveness is reached, every further thousandth of a percent costs about as much effort, resources, and complexity as all the work that came before. But the effort is worthwhile: the huge market for such security technologies includes critical infrastructure, automotive, networking devices, and many other areas that require maximum security, where every thousandth of a percent that is not secure can cause a catastrophe with unforeseeable outcomes and dreadful damage.

In other words, a secure operating system aims to get so close to 100% that cyberattacks become almost impossible, or at least economically unprofitable. In its efforts toward that goal, KasperskyOS (KOS) is unmatched. It’s a truly secure platform, and I will explain why.

Briefly: KOS is built on a secure microkernel architecture. Most of the system runs as isolated components in protected address spaces, every interaction between them is governed by the Default Deny principle, and customers can define the system's business logic down to the smallest detail. The system is compact and transparent, and it contains no redundancies.

Here are some more details.

Architecture

They say that theater begins with the cloakroom, and so does an operating system with its architecture.

What do all modern desktop and mobile, and even many industrial, OSs aspire to? Usability, scalability, functionality, stability, and being proprietary. Every vendor promises “security,” but if you dig deeper, you won’t find much — it’s all marketing with no real technology inside.

It is in the OS architecture that the major difference lies. A secure OS is based on a security-kernel-applications paradigm: security requirements come first, the kernel exists to enforce them, and applications run within those constraints. Unprotected systems follow the classic kernel-applications-security hierarchy, where security is added on top of the kernel and applications after the fact. The KOS ecosystem is rooted in the fundamental cybersecurity principles that define how the kernel and applications work.

The third ring

One of the fundamental approaches is to move the majority of the operating system code out of the privileged kernel and into a low-privilege address space, for example to ring 3 in the x86 architecture, the level at which ordinary applications run.

At first glance that might seem strange, but there is a good reason for it. Code in ring 3 runs in its own isolated address space with no direct access to hardware or to kernel memory, so a fault or compromise in a driver or system service cannot corrupt the kernel. In that position it is much easier to control what the code does (every interaction with the rest of the system is a kernel-mediated request that can be checked) and to protect the code from interference by other components. The price is the overhead of crossing privilege boundaries for each such interaction; that inevitable decline in performance is offset by the speed of a compact kernel (see microkernel details below) and by careful engineering. In addition, the code becomes more transparent and, therefore, more reliable.

Allow not prohibit

At the application level of traditional operating systems, the Default Deny concept has long been implemented (only explicitly whitelisted programs are allowed to run) and has been used successfully in a variety of scenarios. It is an effective, well-established method for improving the security of many systems.

In KasperskyOS, we implemented the Default Deny concept at the system level. All actions in this secure OS are prohibited by default. When deploying the system, customers define rules that permit the specific actions needed for their specific business tasks, creating their own security policies. In other words, a security policy is the set of laws under which the system operates. The policy is something like the rules governing traffic, but with one important exception: it is impossible to violate these rules, because the kernel mediates every interaction between components and refuses any that the policy does not explicitly permit. Thus, KOS provides a qualitatively higher certainty of protection.

The right micromanagement

KasperskyOS’s user action rules are extremely flexible, expressive, and granular. You can define a very specific logic, including the nature of interprocess communication and the use of system services, network protocols, OS modules, and applications — down to the smallest details, if necessary — to achieve specific security requirements. Any actions that go beyond the defined logic are automatically blocked. The system performs only explicitly permitted operations.
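To make the "Allow not prohibit" and "The right micromanagement" sections concrete, here is an added example of a default-deny reference monitor for interprocess calls. It is a toy model written for this page, not KasperskyOS code and not its policy language; the component names (controller, sensor_drv, valve_drv, net_stack), interfaces, methods and the sample policy are all invented. Every request is matched against an explicit list of allow rules, a rule may additionally constrain the call's arguments, and anything without a matching rule is denied and logged.

```python
# Added example: a toy "reference monitor" that enforces a default-deny
# interprocess-communication policy. It models the idea described on this
# page; it is not KasperskyOS code or its policy language. Component names,
# interfaces and the sample policy are invented for illustration.
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """One IPC call the kernel is asked to deliver."""
    subject: str          # calling component
    obj: str              # target component
    interface: str        # which interface of the target
    method: str           # which method on that interface
    args: Tuple = ()      # call arguments, visible to the policy


@dataclass(frozen=True)
class Rule:
    """An explicit permission. Absence of a matching rule means 'deny'."""
    subject: str
    obj: str
    interface: str
    method: str = "*"     # "*" permits every method on the interface
    # Optional predicate over the arguments: lets a rule permit a call only
    # for argument values that make sense for the business logic.
    arg_check: Optional[Callable[[Tuple], bool]] = None

    def matches(self, req: Request) -> bool:
        if (self.subject, self.obj, self.interface) != (req.subject, req.obj, req.interface):
            return False
        if self.method != "*" and self.method != req.method:
            return False
        if self.arg_check is not None and not self.arg_check(req.args):
            return False
        return True


class ReferenceMonitor:
    """Mediates every request: an explicit allow rule must match, else deny."""

    def __init__(self, rules: Iterable[Rule]):
        self._rules = tuple(rules)
        self.audit: List[Tuple[Request, bool]] = []   # every decision is recorded

    def decide(self, req: Request) -> bool:
        verdict = any(rule.matches(req) for rule in self._rules)
        self.audit.append((req, verdict))
        return verdict


def sample_policy() -> ReferenceMonitor:
    """Constructed policy for a small PLC-like system (hypothetical components).

    The controller may read the sensor driver and may set the valve driver,
    but only to positions 0..100. The network stack may push telemetry to
    the controller. Nothing else is mentioned, so nothing else is allowed.
    """
    return ReferenceMonitor([
        Rule("controller", "sensor_drv", "Sensor", "read"),
        Rule("controller", "valve_drv", "Valve", "set",
             arg_check=lambda a: len(a) == 1 and 0 <= a[0] <= 100),
        Rule("net_stack", "controller", "Telemetry", "push"),
    ])


def run_scenarios() -> dict:
    """Exercise the policy and return each verdict keyed by scenario name."""
    rm = sample_policy()
    scenarios = {
        # permitted by explicit rules
        "ctrl_reads_sensor": Request("controller", "sensor_drv", "Sensor", "read"),
        "ctrl_sets_valve_ok": Request("controller", "valve_drv", "Valve", "set", (42,)),
        # same subject, object and method, but the argument violates the predicate
        "ctrl_sets_valve_out_of_range": Request("controller", "valve_drv", "Valve", "set", (250,)),
        # the network stack was never granted the Valve interface
        "net_sets_valve": Request("net_stack", "valve_drv", "Valve", "set", (0,)),
        # a method the controller was not granted on an otherwise-permitted object
        "ctrl_calibrates_sensor": Request("controller", "sensor_drv", "Sensor", "calibrate"),
        # an interface that no rule mentions at all
        "ctrl_debug_shell": Request("controller", "valve_drv", "Debug", "exec", ("sh",)),
    }
    return {name: rm.decide(req) for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:32s} {'ALLOW' if allowed else 'DENY'}")
```

Only two of the six requests are allowed: the ones a rule names. The out-of-range valve command is refused even though the caller, target and method are all permitted, which is the "down to the smallest details" point: the policy can express not just who may talk to whom but what they may say. Everything a rule does not mention, including the debug interface nobody thought about, is denied without any rule having to list it.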

Less is more

One day at Embedded World, I found myself confused by a company's boast that its software enhanced a car that "rides on a hundred million lines of code." In fact, the more code, the more dangerous a product is, because every line is a potential vulnerability. As a rule, such a product is hard to audit, consumes more resources, runs more slowly, and carries a bunch of other negative side effects. Finally, code size is a measure of programming skill: elegant, concise code can accomplish even highly complex tasks.

KOS's kernel has only about 1,500 lines. That's right: fifteen hundred lines define the entire logic of the operating system kernel. The kernel is ported to Intel, ARM, and MIPS processors, and the drivers, system utilities, interfaces, and business applications sit on top of it. We call KOS a microkernel operating system, but with a kernel this size it could well be called a nanokernel OS.

Clear air

Geopolitical turbulence in recent years has caused a serious crisis of confidence in the IT industry. Paranoia paints omnipresent state hackers and ubiquitous secret government operations using commercial software for cyberespionage. Some companies have resorted to even greater secrecy, but we believe this is the time for reasonable openness. Thanks to its kernel compactness and transparency, KasperskyOS perfectly fits this initiative.

Why aren’t we afraid to open our product source code?

First, we have nothing to hide. Second, we welcome every vulnerability report; fixes make our products even more reliable. Third, KOS's kernel has been tested repeatedly, and not a single bug or undeclared function has been found so far. I am sure the transparency initiative we started recently will confirm this once again. Finally, access to source code is not a prerequisite for finding vulnerabilities; in most cases, vulnerabilities are found by other means.

Nothing in excess

For many decades, the software market has been suffering a sort of functionality race. More buttons, more features, and more goodies to stuff into yet-another-version-launch press releases to rapturous “wows,” only to be abandoned when it turned out that people never used them. Here is a peculiar example: Just five Word commands account for one-third of total usage. And how many commands have never been used by anyone?

Each new feature brings a range of risks, including vulnerabilities, reduced performance and fault tolerance, management complexity, and more. KasperskyOS works on a principle we call nothing in excess. The operating system is simple, clear, and transparent. Moreover, in a specific deployment it lets you cut functionality that other operating systems and applications carry but that the deployment does not need, and it ensures that only declared functionality is present, even on older platforms (such as legacy SCADA systems).

Learn more about KasperskyOS here.

https://blog.kaspersky.com/feed/