Fundamental to the design of the KeyKOS operating system is the Principle of Least Privilege: no person or process may perform any function without explicit permission. Built using the KeyKOS architectural foundation, KeySAFE implements additional specific features, functions, and sharing policy definitions required of a high B-level system.
The first part of this document describes KeySAFE and all components of the KeyKOS/KeySAFE trusted computer base (TCB). It is assumed that the reader has some familiarity with the KeyKOS architecture and the basic facilities available in KeyKOS. Documents which provide additional background information include:
There are, unfortunately, some conflicts between the established KeyKOS terminology and that of the Orange Book. For example, there is a KeyKOS operating system kernel, which in this implementation is only a part of the TCB security kernel. There is a KeySAFE compartment, which is somewhat different from a Department of Defense security compartment. In KeyKOS literature, the term "object" is used in a very broad sense to refer to a variety of entities and has the same general connotations as objects in object-oriented programming. The Orange Book uses the term "object" in a different and much more specific way. To avoid confusion in such cases, "KeyKOS" will always be used as a modifier where a term is used in the KeyKOS sense. Thus, "object" alone will always refer to an Orange Book object. The phrase "KeyKOS object" will be used when the word "object" is used in the KeyKOS sense.
As of the date of this publication, KeyKOS/KeySAFE has officially entered into evaluation by the National Computer Security Center (NCSC) at a high B-level of trustedness. Although a B3 rating is attainable, Key Logic initially intends to pursue a B2 level rating for KeyKOS/KeySAFE.