The KeyKOS/KeySAFE System Design


Key Logic systems have been designed from their inception to provide high levels of security, integrity, and availability. Research and design of KeyKOS (and its forerunner, GNOSIS) was begun in the early 1970s at Tymshare Corporation. From the beginning, the design goals of the system included high standards of security, such as strong isolation, enforcement of the Principle of Least Privilege, tamper resistance, trusted path facilities, secure backup and recovery, and many other aspects which were later described in the TCSEC. The system was first demonstrated running native on System/370 hardware in 1981, and was first used in production in early 1983. After the acquisition of Tymshare by McDonnell Douglas Corporation in 1984 and the subsequent divestiture of various R & D activities, Key Logic was formed as a totally independent company spun off from McDonnell Douglas in April, 1985. The first commercial licenses for both KeyKOS (a System/370 operating system) and KeyTECH (a portable technology for OEMs) were executed in 1986.

The original design of KeyKOS was developed long before the existence of the TCSEC. However, the strong security design goals and the strict adherence to high security implementations of each feature throughout the development cycle resulted in a system whose underlying architecture and standard facilities readily satisfy many of the TCSEC requirements. Built on this architectural foundation, KeySAFE has been created to deliver the additional security features and functions specified in the high B-level requirements of the TCSEC (for example, the Bell and LaPadula based model chosen for the security policy definition).

Because one of the prominent features of the KeyKOS architecture is its ability to provide a "place to stand" in order to implement additional features in a secure manner, the addition of KeySAFE features and sharing policies was possible without the redesign or re-implementation of the KeyKOS architecture. For example, KeyKOS directly implements the Principle of Least Privilege and provides strict isolation as the default. The definition of the desired policies for "sharing" any data, process, or other TCSEC-type object between subjects can be represented entirely in an isolated, non-privileged part of the KeySAFE Reference Monitor which is not part of the privileged KeyKOS kernel code. The KeyKOS architecture ensures that all communications or requests between any TCSEC subjects and objects are constrained by whatever sharing policies are defined in the policy definition domain, and provides the assurance that there is no way to circumvent these enforcement mechanisms. This allows great flexibility for defining and implementing diverse commercial, military, or other appropriate policies and models in KeySAFE, including Bell and LaPadula, without affecting the underlying KeyKOS architecture or any privileged code.

In summary, KeyKOS provides all the fundamental architectural and enforcement mechanisms necessary to operate a secure system. KeySAFE is not an "add-on" to KeyKOS to provide security. Rather, it is a flexible user interface that provides to the system's users (especially to the security administrators and auditors) the appropriate "window" or view of all the security mechanisms and facilities provided by KeyKOS, and of the security-related sharing policies chosen for that installation. For example, in the Bell and LaPadula version, KeySAFE includes the tools for appropriately authorized individuals to assign maximum and minimum security levels to all attached physical devices, as well as the definitions for the external (human-readable) representations of these security levels.
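The split described in the two paragraphs above (a privileged kernel that only holds and checks capabilities, and an unprivileged policy domain that decides whether a sharing request is granted) can be modelled in a few dozen lines. The following is an added illustrative example written for this page; it is not KeyKOS or KeySAFE code, and the class names (`Kernel`, `PolicyDomain`, `Device`), the four-level lattice, the compartment sets and the sample subjects, objects and device ranges are all constructed assumptions. It applies the Bell and LaPadula simple security and *-properties to reads and writes, and the per-device minimum/maximum level range mentioned above to device use.

```python
"""Illustrative model (constructed example, not KeyKOS/KeySAFE code): an unprivileged
policy domain decides sharing under Bell-LaPadula, while the privileged kernel only
holds capabilities and refuses any invocation for which none was granted."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """Security label: hierarchical level plus a set of compartments (assumed shape)."""
    level: Level
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and self.categories >= other.categories


@dataclass(frozen=True)
class Subject:
    name: str
    label: Label          # the subject's clearance


@dataclass(frozen=True)
class Obj:
    name: str
    label: Label          # the object's classification


@dataclass(frozen=True)
class Device:
    """Attached physical device with an administrator-assigned level range."""
    name: str
    min_level: Level
    max_level: Level


class PolicyDomain:
    """Unprivileged policy definition domain (assumed name). It holds the whole
    sharing policy; the kernel below never interprets labels itself."""

    def allows(self, subject: Subject, target, right: str) -> bool:
        if isinstance(target, Device):
            # A subject may use a device only if its clearance lies within the range.
            return target.min_level <= subject.label.level <= target.max_level
        if right == "read":       # simple security property: no read up
            return subject.label.dominates(target.label)
        if right == "write":      # *-property: no write down
            return target.label.dominates(subject.label)
        return False              # unknown rights are denied by default


class Kernel:
    """Privileged part (assumed shape): holds the capability table. The only way to
    obtain a capability is request(), which consults the policy domain; invoke()
    checks possession only, so the policy cannot be bypassed by a later call."""

    def __init__(self, policy: PolicyDomain) -> None:
        self.policy = policy
        self.caps: dict[tuple[str, str], set[str]] = {}

    def request(self, subject: Subject, target, right: str) -> bool:
        if not self.policy.allows(subject, target, right):
            return False
        self.caps.setdefault((subject.name, target.name), set()).add(right)
        return True

    def invoke(self, subject: Subject, target, right: str) -> bool:
        return right in self.caps.get((subject.name, target.name), set())


def run_demo() -> dict[str, bool]:
    """Exercise the model with constructed subjects, objects and a device."""
    crypto = frozenset({"CRYPTO"})
    alice = Subject("alice", Label(Level.SECRET, crypto))
    bob = Subject("bob", Label(Level.CONFIDENTIAL))
    plan = Obj("plan", Label(Level.SECRET, crypto))
    memo = Obj("memo", Label(Level.UNCLASSIFIED))
    printer = Device("printer", Level.UNCLASSIFIED, Level.CONFIDENTIAL)
    k = Kernel(PolicyDomain())
    return {
        "alice_reads_plan": k.request(alice, plan, "read"),       # dominates: granted
        "bob_reads_plan": k.request(bob, plan, "read"),           # read up: denied
        "alice_writes_memo": k.request(alice, memo, "write"),     # write down: denied
        "bob_writes_plan": k.request(bob, plan, "write"),         # write up: granted
        "alice_uses_printer": k.request(alice, printer, "use"),   # SECRET above range: denied
        "bob_uses_printer": k.request(bob, printer, "use"),       # within range: granted
        # bob never obtained a read capability on plan, so invocation also fails
        "bob_invokes_plan_read": k.invoke(bob, plan, "read"),
        "alice_invokes_plan_read": k.invoke(alice, plan, "read"),
    }


if __name__ == "__main__":
    for name, granted in run_demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The point of the split is that changing the policy (say, replacing the Bell and LaPadula rules in `PolicyDomain.allows` with a commercial integrity policy) touches nothing in `Kernel`; the kernel's only job is to ensure that no subject can act on a target without a capability obtained through the policy domain.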

Also of special importance to the Key Logic approach to trusted systems is that a number of established system design concepts (such as the use of a small software kernel) were selected as a part of KeyKOS, then modified to heighten their security relevant aspects, and finally combined in innovative ways to form the basis of KeyKOS. These design concepts were also further augmented by a number of unique security facilities such as the "factory[1]" mechanism. As a result, the KeyKOS system has numerous strengths previously identified in other systems but has avoided many of the inherent weaknesses of most traditional systems.

KeyKOS has been designed as a kernelized, object-oriented, capability-based, single level store operating system delivering high security, reliability, and availability. The definitions and importance of each of these major architectural design concepts are described further in the next section. Specific special facilities and features, such as the factory mechanism, are discussed later in the descriptions of individual TCB elements and the discussions of how KeyKOS/KeySAFE meet specific TCSEC requirements.

Although KeyKOS was designed and developed from the start with security as the utmost goal, the system was also targeted as a high performance base for high volume on-line transaction processing systems. Therefore high performance, although not a TCSEC requirement, is also fundamental to the KeyKOS/KeySAFE implementations. This concern for performance should also make the system more functional and usable, without compromising security. Decisions were made at the beginning of the design and development process that ensured that the security-related design principles (such as least privilege and consistent policy enforcement) were not compromised for performance or other goals. Nevertheless, KeyKOS has demonstrated both in performance benchmarks and in production situations that systems can be designed and implemented to deliver high security and integrity, including full backup and journaling, while also attaining very high throughput. Key Logic feels that these goals have been reached in great part because of the same architectural design concepts chosen for their security attributes.