HP Open Source Security for OpenVMS Volume 1: Common Data Security Architecture > Chapter 1 Introduction to CDSA

Maintaining CDSA Integrity


As the foundation of the security framework, CSSM provides a set of integrity services that can be used by CSSM, module managers, add-in modules, and applications to verify their own integrity, and the integrity, identity, and authorizations of other components in the CDSA environment.

CSSM's set of self-contained security services establishes a security perimeter around CDSA. These services incorporate techniques to protect against malicious attacks. Because applications and add-in security service modules are dynamic components that enter the system at run time, CSSM both applies a strong verification mechanism itself and requires its use to screen every component as it is added to the CSSM environment.

Applications can extend CSSM's security perimeter to include themselves by using bilateral authentication, integrity verification, and authorization checks during dynamic binding.

The establishment of integrity between two dynamically loaded, executable objects proceeds in three phases:

  • Self-check

  • Bilateral authentication

  • Secure linkage check

Self-Check

In the first phase, the self-check phase, a software module verifies the digital signature over its own code. The Embedded Integrity Services Library (EISL) provides a statically linked library procedure to perform the self-check; because the procedure is linked into the module image rather than loaded from a separate shareable library, the check does not depend on code that has not itself been verified yet.

Bilateral Authentication

In the second phase, bilateral authentication routines in the EISL offer support for securely loading, verifying, and linking to partner software modules. Bilateral authentication begins in the MDS (Module Directory Services) registry, where each program can find the credentials, as well as the object code, of all other CDSA modules.

A partner module can be verified before it is loaded, or, if it is already loaded, it can be verified in memory. Verification before loading keeps a tampered file (for example, one infected by a file virus) from ever being executed. Verification in memory catches the stealth case where the file on disk is intact but the code already loaded has been modified. Because a module can be altered between the two points in time, a module verified before loading can be re-verified once it is in memory.

Secure Linkage Check

Once a partner module has been verified, programs can use the verified in-memory representation of its credentials to check that call addresses are valid, which provides secure linkage to the module. Both the address of the caller and the address of the procedure to be called can be checked with the Secure Linkage Check facility, so that neither a call into unverified code nor a call from an unverified caller is accepted.
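The following is an added example that models the three phases described above (self-check, bilateral authentication before and after loading, and the secure linkage check) as one procedure. It is not EISL or CSSM code and does not use the EISL API. Its assumptions: the MDS registry is modeled as a Python dictionary of credentials; a credential carries a SHA-256 digest of the module image and the offsets of its exported entry points, standing in for a signed manifest (the real manifest is digitally signed and its signer's certificate is checked, which this model omits); load addresses and module images are constructed sample data, and module names and procedure names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass


class IntegrityError(Exception):
    """Raised when any phase of the integrity procedure fails."""


@dataclass(frozen=True)
class Credential:
    """Model of a module's manifest as found in the MDS registry (assumption:
    a bare SHA-256 digest stands in for the real signed manifest)."""
    name: str
    digest: bytes
    exports: dict  # procedure name -> offset of its entry point in the image


@dataclass
class LoadedModule:
    name: str
    base: int          # model load address (constructed)
    image: bytearray   # in-memory code copy; mutable so tampering can be shown
    credential: Credential

    @property
    def end(self) -> int:
        return self.base + len(self.image)


def make_credential(name: str, image: bytes, exports: dict) -> Credential:
    """Build-time step: the credential that is placed in the registry."""
    return Credential(name, hashlib.sha256(image).digest(), dict(exports))


def image_matches(image: bytes, cred: Credential) -> bool:
    """Check shared by all three phases: does this image match its credential?"""
    return hmac.compare_digest(hashlib.sha256(image).digest(), cred.digest)


# Phase 1: self-check. The module verifies its own in-memory image.
def self_check(module: LoadedModule) -> bool:
    return image_matches(bytes(module.image), module.credential)


# Phase 2: bilateral authentication, before loading and in memory.
def verify_and_load(registry: dict, files: dict, name: str, base: int) -> LoadedModule:
    """Verify the on-disk image against the registry credential, then load it,
    so a tampered file is never executed."""
    cred = registry[name]
    if not image_matches(files[name], cred):
        raise IntegrityError(f"{name}: on-disk image does not match its credential")
    return LoadedModule(name, base, bytearray(files[name]), cred)


def verify_loaded(module: LoadedModule) -> None:
    """Verify a module already in memory; catches the case where the file is
    intact but the loaded code has been altered."""
    if not image_matches(bytes(module.image), module.credential):
        raise IntegrityError(f"{module.name}: in-memory image does not match its credential")


def bilateral_authenticate(a: LoadedModule, b: LoadedModule) -> bool:
    """Each side verifies the other; the pair is trusted only if both pass."""
    verify_loaded(a)
    verify_loaded(b)
    return True


# Phase 3: secure linkage check.
def address_within(module: LoadedModule, addr: int) -> bool:
    return module.base <= addr < module.end


def secure_link(caller: LoadedModule, return_addr: int, callee: LoadedModule, proc: str) -> int:
    """Resolve `proc` in `callee` only if the caller's address and the callee's
    entry point both lie inside verified modules. The entry offset comes from
    the verified credential, not from the (possibly patched) image."""
    verify_loaded(callee)
    if not address_within(caller, return_addr):
        raise IntegrityError(f"caller address {return_addr:#x} is outside {caller.name}")
    if proc not in callee.credential.exports:
        raise IntegrityError(f"{callee.name} does not export {proc}")
    target = callee.base + callee.credential.exports[proc]
    if not address_within(callee, target):
        raise IntegrityError(f"{proc} entry {target:#x} is outside {callee.name}")
    return target


def fails_integrity(fn, *args) -> bool:
    """True if fn(*args) raises IntegrityError."""
    try:
        fn(*args)
    except IntegrityError:
        return True
    return False


def build_environment():
    """Constructed sample data: two fake module images and their credentials."""
    files = {
        "cssm": bytes([0x90] * 16) + b"CSSM core image (constructed)" + bytes(19),
        "csp_addin": bytes([0x90] * 32) + b"CSP add-in image (constructed)" + bytes(2),
    }
    registry = {
        "cssm": make_credential("cssm", files["cssm"], {"CSSM_Init": 0x00}),
        "csp_addin": make_credential("csp_addin", files["csp_addin"], {"CSP_EncryptData": 0x20}),
    }
    return registry, files


def run_demo() -> dict:
    """Run all three phases, then show the stealth case: the file stays intact
    while the loaded code is patched, and the in-memory check catches it."""
    registry, files = build_environment()
    cssm = verify_and_load(registry, files, "cssm", 0x10000)
    csp = verify_and_load(registry, files, "csp_addin", 0x20000)
    results = {
        "self_check": self_check(cssm),
        "bilateral": bilateral_authenticate(cssm, csp),
        "link": secure_link(cssm, cssm.base + 0x08, csp, "CSP_EncryptData"),
    }
    csp.image[0x20] ^= 0xFF                       # patch the loaded code only
    results["file_still_ok"] = image_matches(files["csp_addin"], registry["csp_addin"])
    results["tamper_detected"] = fails_integrity(verify_loaded, csp)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Two design points carry over to the real system: the entry-point offsets used for linkage come from the verified credential rather than from the loaded image, so a patched export table cannot redirect a call, and the in-memory check is repeated at link time because a module that passed the pre-load check can still be modified afterwards.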