The Operating System Protection Profile (OSPP)

The Operating System Protection Profile (OSPP), Version 2.0 defines the security functionality expected in a general purpose operating system capable of operating in a networked environment. Unlike many other protection profiles, OSPP is structured into a default base along with a set of optional extended packages. This structure was chosen to maximize adaptability for different operational environments and for different operational requirements, since general purpose operating systems may provide a wide range of functionality.

General purpose operating systems often operate in environments that provide centralized services which can be used by a large number of systems within an organization. It is expected that a modern general purpose operating system will provide the capability to use centralized services for the implementation of security functionality – for example, authentication servers, directory servers, certification services, or audit log servers. While most modern general purpose operating systems implement the client side of such centralized security services, they may also be able to act as the server for those services. Candidates for an extended package must therefore have the capability to act as a server for a centralized security service.

Cooperating with another trusted IT system to provide a security service is not restricted to the use of centralized services, but can also be accomplished in a peer-to-peer relationship. One example is the authentication of a human user that is based on a token that the user needs to present (a smartcard, for example). In this scenario, the user authenticates to the smartcard using his or her PIN, and then the smartcard authenticates the user to the operating system by presenting the user's certificate and assuring the operating system that it holds the private key associated with the public key in the certificate.

Operating systems conformant to this protection profile are assumed to operate in an environment in which the platform on which they execute (hardware, devices and firmware) is protected from physical attacks and manipulation. In addition, it is assumed that all management activities are performed by knowledgeable and trustworthy users. (See Security Objectives for the IT Environment.)

In z/VM, the OSPP requirements are met through the following specific mechanisms:

  • Discretionary Access Control (DAC)

    A method of restricting access to data objects based upon the identity of users or groups to which the users belong. DAC protects system objects from unauthorized access by any user. Normally, permission to access an object is granted by the owner of the object; occasionally, it can be granted by someone else, such as a privileged administrator.

  • Auditability of Security-Relevant Events

    The recording of facts that describe a security-relevant event taking place in a computing system. In general, a security-relevant event is one that occurs in a computing system that, for better or for worse, affects the safety and integrity of the system's processes and data.

    The facts recorded that describe such an event include the time and date of the event, the name of the event, the name of the system objects affected by the event, the name of the user who caused the event to occur, and additional information about the event.

    In general, the security-relevant events in z/VM are:
    • CP commands
    • DIAGNOSE functions
    • Communication among virtual machines

  • Object Reuse

    A practice that prevents any newly-assigned storage object from making available to its new owner any data that belonged to its former owner. This includes any encrypted data.

    Object reuse also requires the elimination of any residual user authorization access to a previously existing object. This ensures that if another, new object occurs in the system later under the same name, the subjects having access to the old object will not have access to the new one.

  • Identification and Authentication

    A method of enforcing individual accountability by providing a way to authenticate a user's identity uniquely and unambiguously. Thus, any security-relevant action users might take can be attributed to them.
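
The four mechanisms above interact: a user must authenticate before any access is checked, every access decision is audited with the facts listed under Auditability, owners (or a privileged administrator) grant access under DAC, and deleting an object both scrubs its storage and removes residual authorizations. The following Python model is an added illustration of those semantics, not z/VM code and not part of the original page; the user names, object name, secrets and data are constructed sample values, and the in-memory `ObjectStore` class and its methods are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AuditRecord:
    """The facts recorded for a security-relevant event."""
    timestamp: str   # time and date of the event
    event: str       # name of the event
    user: str        # user who caused the event
    objects: tuple   # system objects affected
    detail: str      # additional information


class ObjectStore:
    """Toy model (hypothetical, not z/VM code) of the four OSPP mechanisms."""

    def __init__(self, admins=()):
        self.admins = set(admins)   # privileged administrators
        self.credentials = {}       # user -> secret (constructed sample data)
        self.sessions = set()       # users who have authenticated
        self.objects = {}           # name -> {"owner", "data", "acl"}
        self.audit_log = []

    def _audit(self, event, user, objects=(), detail=""):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditRecord(stamp, event, user, tuple(objects), detail))

    # Identification and Authentication: every action is tied to a logged-on user.
    def register(self, user, secret):
        self.credentials[user] = secret

    def logon(self, user, secret):
        ok = self.credentials.get(user) == secret
        self._audit("LOGON", user, detail="success" if ok else "failure")
        if ok:
            self.sessions.add(user)
        return ok

    def _authenticated(self, user):
        if user not in self.sessions:
            raise PermissionError(f"{user} has not logged on")

    # Discretionary Access Control: the owner (or an admin) grants access.
    def create(self, user, name, data):
        self._authenticated(user)
        if name in self.objects:
            raise FileExistsError(name)
        self.objects[name] = {"owner": user, "data": bytearray(data),
                              "acl": {user: {"read", "write"}}}
        self._audit("CREATE", user, (name,))

    def grant(self, grantor, name, grantee, right):
        self._authenticated(grantor)
        obj = self.objects[name]
        if grantor != obj["owner"] and grantor not in self.admins:
            self._audit("GRANT", grantor, (name,), "denied: not owner or admin")
            raise PermissionError(name)
        obj["acl"].setdefault(grantee, set()).add(right)
        self._audit("GRANT", grantor, (name,), f"{right} to {grantee}")

    def read(self, user, name):
        self._authenticated(user)
        obj = self.objects[name]
        if "read" not in obj["acl"].get(user, set()):
            self._audit("READ", user, (name,), "denied")
            raise PermissionError(name)
        self._audit("READ", user, (name,), "allowed")
        return bytes(obj["data"])

    # Object Reuse: scrub the storage and drop every residual authorization,
    # so a later object created under the same name inherits nothing.
    def delete(self, user, name):
        self._authenticated(user)
        obj = self.objects[name]
        if user != obj["owner"] and user not in self.admins:
            raise PermissionError(name)
        obj["data"][:] = bytes(len(obj["data"]))  # overwrite with zeros
        obj["acl"].clear()
        del self.objects[name]
        self._audit("DELETE", user, (name,))


def demo():
    """Constructed scenario with users ALICE, BOB and the admin OPERATOR."""
    store = ObjectStore(admins={"OPERATOR"})
    for u in ("ALICE", "BOB", "OPERATOR"):
        store.register(u, "secret-" + u)
    store.logon("ALICE", "secret-ALICE")
    store.logon("BOB", "wrong")          # audited as a failure
    store.logon("BOB", "secret-BOB")
    store.create("ALICE", "PAYROLL", b"salary data")

    def bob_reads():
        try:
            return store.read("BOB", "PAYROLL")
        except PermissionError:
            return None

    before_grant = bob_reads()           # None: no permission yet
    store.grant("ALICE", "PAYROLL", "BOB", "read")
    after_grant = bob_reads()            # b"salary data"
    store.delete("ALICE", "PAYROLL")
    store.create("ALICE", "PAYROLL", b"next period")
    after_reuse = bob_reads()            # None: the old grant did not survive
    return {"before_grant": before_grant, "after_grant": after_grant,
            "after_reuse": after_reuse,
            "events": [(r.event, r.user, r.detail) for r in store.audit_log]}
```

Running `demo()` shows the denied read before the grant, the allowed read after it, and a denied read again once the object has been deleted and re-created under the same name; the returned `events` list is the audit trail, including the failed logon attempt, with each record carrying the time, event name, affected object, user and detail that the page lists.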

In addition to the OSPP base, z/VM 6.4 uses the following two extended packages: