The Distributed Trusted Operating System (DTOS) Home Page
The Distributed Trusted Operating System (DTOS) project was a joint
effort by the National Security Agency (NSA) and Secure Computing
Corporation (SCC) to encourage strong, flexible security controls in
next-generation operating systems. DTOS was a successor to the Distributed
Trusted Mach (DTMach) program. During the DTOS project, Secure Computing
Corporation developed security enhancements to the Mach microkernel and
a separate security server,
using an earlier prototype of DTMach developed by the NSA for reference.
The NSA developed security enhancements for the process management,
file system, and network protocol implementations in the Lites Unix
single server. DTOS was part of a broad operating system security research program
by the NSA known as Synergy. The Synergy program is no longer active, although
the Flask and
Security-Enhanced Linux projects
have continued to pursue its goals.
Secure Computing Corporation had two main tasks under the contract:
- The first main task on the program was to develop a prototype
secure microkernel by incorporating security mechanisms into the
Mach microkernel. This prototype was distributed to various
government and university sites for use in other research and
development efforts. In adding these mechanisms, two basic
principles were followed:
  - Provide flexible security mechanisms so that the microkernel can
  be used as a base for a secure system in many different
  environments, government and corporate.
  - Do no harm - existing applications must not break and there must
  be no significant performance degradation due to the security
To support the goal of policy flexibility, two studies were
  - The range of potential security policies was studied to
  determine the mechanisms needed to support them.
  - Several different operating systems with flexible security
  mechanisms were studied to determine their ability to support
  a range of security policies.
- The second main part of the program was to perform research into
assurance techniques for microkernel-based operating systems, with
an emphasis on the practical use of formal mathematical methods.
  - To support the goal of policy flexibility, a flexible security
  policy model was developed which separates the specification
  of the controls which are provided from the specification of
  how the controls are used to support a particular policy.
  - To support the goal of flexible implementation and
  interchangeable parts, a concrete approach for composing
  analysis of separate system components was developed.
  - New techniques for analyzing information flow in a system were
This page is currently being maintained by:
Last Modified: 26 Dec 2000