- \n
- Minimizing the TCB<\/li>\n
- Isolating components from each other<\/li>\n
- Maintaining strict control over all interactions of those components<\/li>\n<\/ol>\n
\nLet\u2019s look at these three principles in more detail.<\/p>\n
1. Minimize the TCB<\/h2>\n
\nThe TCB should contain as few lines of code as possible. After all, the less code \u2013 the smaller the attack surface and the fewer vulnerabilities in it. For this reason, a cyber immune operating system needs a microkernel architecture.<\/p>\n
The most popular modern operating systems such as Windows and Linux were originally built with functionality and ease-of-development in mind, meaning they use a monolithic kernel, which is a major disadvantage. That\u2019s because such kernels contain all sorts of stuff \u2013 from interrupt control code to drivers. The result is millions of lines of code, with their number only growing from version to version.<\/p>\n
A microkernel, on the other hand, is limited to the mechanisms critical for operation, amounting to no more than a few tens of thousands of lines of code. Everything else (drivers, file systems, etc.) runs as services in user mode.<\/p>\n
According to a relevant study<\/a>:\n<\/p>\n
- \n
- 96% of critical vulnerabilities in traditional operating systems would not be critical in a microkernel OS.<\/li>\n
- Up to 40% of critical vulnerabilities would not be possible at all.<\/li>\n
- 57% of all vulnerabilities would be low severity.<\/li>\n<\/ul>\n
\nThus, microkernel implementation renders entire classes of cyberattacks obsolete by default.<\/p>\n
![\"Minimizing](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/11\/23170730\/how-to-create-cyberimmune-system-minimization-EN.jpg\")
<\/a><\/p>\n2. Isolate components from each other<\/h2>\n
\nA cyber immune system is heterogeneous. It\u2019s divided into specific security domains according to the code\u2019s level of trust, with all components isolated from each other by means of these domains. If any system component is hacked, the intruder won\u2019t be able to access neighboring ones and expand the attack through them. This makes it possible to use third-party components (for example, open-source code) without compromising the security of the system.<\/p>\n
Isolation significantly reduces both the cyber-risks involved and the labor costs required to create a secure system due to use of third-party code.<\/p>\n
![\"Isolating](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/11\/23170746\/how-to-create-cyberimmune-system-isolation-EN.jpg\")
<\/a><\/p>\n3. Control all interactions<\/h2>\n
\nAll interactions among system components are carefully controlled by a special module: the security monitor. The security monitor checks every interaction between components for compliance with the security policies. If an interaction is valid \u2013 it\u2019s allowed; if not \u2013 it\u2019s blocked. The potential attacker\u2019s capabilities are significantly reduced as a result.<\/p>\n
The security monitor concept is based on the widely-used FLASK<\/a> architecture, which entails the separation of Policy Decision Points and Policy Enforcement Points.<\/p>\n
Using a security monitor eliminates the risk of entire classes of cyberattacks by ruling out any interactions that are not explicitly stated in the security policies.<\/p>\n
![\"Maintaining](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/11\/23170838\/how-to-create-cyberimmune-system-control-EN.jpg\")
<\/a><\/p>\nPutting all three principles together, we get the following scheme:<\/p>\n
![\"Complete](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/11\/23170923\/how-to-create-cyberimmune-system-scheme-EN.jpg\")
<\/a><\/p>\nAll entities are isolated, and they communicate with each other only through the microkernel \u2013 with such communication always checked for compliance with the security policies.<\/p>\n
It is these three principles that form the basis of our operating system \u2013 KasperskyOS<\/a>. KasperskyOS is built upon its own microkernel (not Linux) with around 100,000 lines of code, and employs the MILS<\/a> and FLASK architectural approaches to provide isolation and control of interactions. This makes KasperskyOS the perfect tool for creating cyber immune products.<\/p>\n