The Distributed Trusted Operating System (DTOS) Home Page

Project Summary

The Distributed Trusted Operating System (DTOS) project was a joint effort by the National Security Agency (NSA) and Secure Computing Corporation (SCC) to encourage strong, flexible security controls in next generation operating systems. DTOS was a successor to the Distributed Trusted Mach (DTMach) program. During the DTOS project, Secure Computing Corporation developed security enhancements to the Mach microkernel and a separate security server, using an earlier prototype of DTMach developed by the NSA for reference. The NSA developed security enhancements for the process management, file system, and network protocol implementations in the Lites Unix single server. DTOS was part of a broad operating system security research program by the NSA known as Synergy. The Synergy program is no longer active, although the Flask and Security-Enhanced Linux projects have continued to pursue its goals.

Secure Computing Corporation had two main tasks under the contract:

The first main task on the program was to develop a prototype secure microkernel by incorporating security mechanisms into the Mach microkernel. This prototype was distributed to various government and university sites for use in other research and development efforts. In adding these mechanisms, two basic principles were followed:
- Provide flexible security mechanisms so that the microkernel can be used as a base for a secure system in many different environments, government and corporate.
- Do no harm - existing applications must not break and there must be no significant performance degradation due to the security mechanisms.
To support the goal of policy flexibility, two studies were conducted:
- The range of potential security policies were studied to determine the mechanisms needed to support them.
- Several different operating systems with flexible security mechanisms were studied to determine their ability to support a range of security policies.
The second main part of the program was to perform research into assurance techniques for microkernel-based operating systems, with an emphasis on the practical use of formal mathematical methods.
- To support the goal of policy flexibility, a flexible security policy model was developed which separates the specification of the controls which are provided from the specification of how the controls are used to support a particular policy.
- To support the goal of flexible implementation and interchangeable parts, a concrete approach for composing analysis of separate system components was developed.
- New techniques for analyzing information flow in a system were investigated.

More Information

This page is currently being maintained by: Stephen Smalley.
Last Modified: 26 Dec 2000