KasperskyOS Community Edition 1.0

Defer to Kernel example

The Defer to Kernel example demonstrates the use of Defer to Kernel and Policy Decision Point patterns.

The Defer to Kernel example contains three user entities: PictureManager, ValidPictureClient and NonValidPictureClient.

In this example, the ValidPictureClient and NonValidPictureClient entities query the PictureManager entity to receive information.

Only the ValidPictureClient entity is allowed to interact with the PictureManager entity.

The KasperskyOS kernel guarantees isolation of entities.

Control of interaction between entities in KasperskyOS is delegated to the Kaspersky Security Module. The security module analyzes each request and response that is sent and, based on the defined security policy, decides whether to allow or deny its delivery.

A security policy in the Defer to Kernel example has the following characteristics:

  • The ValidPictureClient entity is explicitly allowed to interact with the PictureManager entity.
  • The NonValidPictureClient entity is not explicitly allowed to interact with the PictureManager entity. This means that this interaction is denied (based on the Default Deny principle).

Dynamically created IPC channels

The example also demonstrates the capability to dynamically create IPC channels between entities. IPC channels are dynamically created by using a name server, which is a special kernel service provided by the NameServer entity. The capability to dynamically create IPC channels allows you to change the topology of interaction between entities on the fly.

Any entity that is allowed to interact with NameServer via IPC can register its own interfaces in the name server. Another entity can request the registered interfaces from the name server, and then connect to the relevant interface.

The security module controls all interactions via IPC, including those that take place over dynamically created IPC channels.
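The allow-list policy and the name-server lookup described above can be modeled in a few lines of C. This is an added example, not code from the KasperskyOS example or its API: the entity names come from the page, while every function and type name, the interface name "picture", and the assumption that both clients may query NameServer are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not KasperskyOS API; all identifiers are hypothetical. */
typedef struct { const char *src, *dst; } Rule;
typedef struct { const char *iface, *owner; } Entry;

/* Allow-list: any pair not listed is denied (Default Deny).
   Assumption: both clients are allowed to query NameServer. */
static const Rule POLICY[] = {
    {"PictureManager",        "NameServer"},
    {"ValidPictureClient",    "NameServer"},
    {"NonValidPictureClient", "NameServer"},
    {"ValidPictureClient",    "PictureManager"},
};

/* Policy Decision Point: 1 = allow, 0 = deny. Rules are directional. */
int pdp_allows(const char *src, const char *dst) {
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++)
        if (!strcmp(POLICY[i].src, src) && !strcmp(POLICY[i].dst, dst))
            return 1;
    return 0;
}

static Entry registry[4];   /* name server: interface -> providing entity */
static int n_registered;

/* Registration is itself an IPC interaction, so it is checked too. */
int ns_register(const char *owner, const char *iface) {
    if (!pdp_allows(owner, "NameServer") || n_registered == 4) return 0;
    registry[n_registered++] = (Entry){iface, owner};
    return 1;
}

/* Returns the provider of iface, or NULL if unknown or the query is denied. */
const char *ns_resolve(const char *client, const char *iface) {
    if (!pdp_allows(client, "NameServer")) return NULL;
    for (int i = 0; i < n_registered; i++)
        if (!strcmp(registry[i].iface, iface)) return registry[i].owner;
    return NULL;
}

/* Resolving a name grants nothing: delivery on the dynamically created
   channel is decided by the PDP, not by the server or the name server. */
int ipc_call(const char *client, const char *iface) {
    const char *server = ns_resolve(client, iface);
    return server != NULL && pdp_allows(client, server);
}

int main(void) {
    ns_register("PictureManager", "picture");
    printf("valid=%d non-valid=%d\n", ipc_call("ValidPictureClient", "picture"),
           ipc_call("NonValidPictureClient", "picture"));
    return 0;
}
```

In this model NonValidPictureClient can look up the interface but its call is still refused, because no rule lists that pair.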

Example files

The code of the example and build scripts are available at the following path:

/opt/KasperskyOS-Community-Edition-<version>/examples/defer_to_kernel

Building and running the example

See the Building and running examples section.