The Mic security model lets you implement mandatory integrity control. In other words, this security model provides the capability to manage data streams between different processes and between processes and the KasperskyOS kernel by controlling the integrity levels of processes, the kernel, and resources that are used via IPC.
In Mic security model terminology, processes and the kernel are called subjects while resources are called objects. However, the information provided in this section slightly deviates from the terminology of the Mic security model. In this section, the term "object" is not used to refer to a "resource".
Data streams are generated between subjects when the subjects interact via IPC.
The integrity level of a subject/resource is the level of trust afforded to the subject/resource. The degree of trust in a subject depends on whether the subject interacts with untrusted external software/hardware systems or whether the subject has a proven quality level, for example. (The kernel has a high level of integrity.) The degree of trust in a resource depends on whether this resource was created by a trusted subject within a software/hardware system running KasperskyOS or if it was received from an untrusted external software/hardware system, for example.
The Mic security model is characterized by the following provisions:
Methods of the Mic security model let you assign integrity levels to subjects and resources, check the permissibility of data streams based on a comparison of integrity levels, and elevate the integrity levels of resources.
A PSL file containing a description of the Mic security model is located in the KasperskyOS SDK at the following path:
toolchain/include/nk/mic.psl
For an example of using the Mic security model, we can examine a secure software update for a software/hardware system running KasperskyOS. Four processes are involved in the update:
Downloader
is a low-integrity process that downloads a low-integrity update image from a remote server on the Internet.Verifier
is a high-integrity process that verifies the digital signature of the low-integrity update image (high-integrity process that can read data from a low-integrity resource).FileSystem
is a high-integrity process that manages the file system.Updater
is a high-integrity process that applies an update.A software update is performed according to the following scenario:
Downloader
downloads an update image and saves it to a file by transferring the contents of the image to the FileSystem
. A low integrity level is assigned to this file.Verifier
receives the update image from the FileSystem
by reading the high-integrity file, and verifies its digital signature. If the signature is correct, the Verifier
queries the FileSystem
so that the FileSystem
creates a copy of the file containing the update image. A high integrity level is assigned to the new file.Updater
receives the update image from the FileSystem
by reading the high-integrity file, and applies the update.In this example, the Mic security model ensures that the high-integrity Updater
process can read data only from a high-integrity update image. As a result, the update can be applied only after the digital signature of the update image is verified.