Various system architectures have been proposed for high assurance enforcement of multilevel security. This paper provides an analysis of the relative merits of three architectural types – one based on a security kernel, another based on a traditional separation kernel, and a third based on a least-privilege separation kernel. We introduce the Least Privilege architecture, which incorporates security features from the recent “Separation Kernel Protection Profile,” and show how it can provide several unique aspects of security and assurance, although each architecture has advantages. Categories and Subject Descriptors D.4 [Software]: Operating Systems – security and protection. D.2 [Software Engineering]: Software Architectures – Data ion; Domain-specific architectures. General Terms Measurement, Performance, Design, Security, Verification. Keywords Principle of Least Privilege, Security Kernel, Separation Kernel Partitioning Kernel, Multilevel Security, Architecture.
Timothy E. Levin, Cynthia E. Irvine, Clark Weissma