An abstract from “Secure Computer System: Unified Exposition and Multics Interpretation”

Published by Juan Mosso on

For the past several years ESD has been involved in various projects relating to secure computer systems design and operation. One of the continuing efforts, started in 1972 at MITRE, has been secure computer system modeling. The effort initially produced a mathematical framework and a model [1, 2] and subsequently developed refinements and extensions to the model [3] which reflected a computer system architecture similar to that of Multics [4]. Recently a large effort has been proceeding to produce a design for a secure Multics based on the mathematical model given in [1, 2, 3]. Any attempt to use the model, whose documentation existed in three separate reports until this document was produced, would have been hampered by the lack of a single, consistent reference. Another problem for designers is the difficulty of relating the abstract entities of the model to the real entities of the Multics system. These two problems are solved by this document.

All significant material to date on the mathematical model has been collected in one place in the Appendix of this report. A number of minor changes have been incorporated, most of them notational or stylistic, in order to provide a uniform, consistent, and easy-to-read reference. A substantive difference between the model of the Appendix and that of the references [2, 3] is the set of rules: the specific rules presented in the Appendix have been adapted to the evolving Multics security kernel design. Because the model is by nature abstract and, therefore, not understandable in one easy reading, Section II gives a prose description of the model. In order to relate the mathematical model to the Multics design, Section III exhibits correspondences from Multics and security kernel entities to model entities. Section IV discusses further considerations: topics which lie outside the scope of the current model but which are important issues for security kernel design. As background for the remainder of this document, we briefly establish a general framework of related efforts in the rest of this section.

Work on secure computer systems, in one aspect or another, has been reported fairly continuously since the mid 1960s. Three periods are discernible: early history, transitional history, and current events. The work by Weissmann [5] on the ADEPT-50 system stands out in the early history period. Not only was a fairly formal structuring of a solution to a security problem provided, but ADEPT-50 was actually built and operated. In this early period the work of Lampson [6] is most representative of attempts to attack security problems rigorously through a formal medium of expression. In Lampson’s work, the problem of access control is formulated very abstractly for the first time, using the concepts of “subjects,” “objects,” and “access matrix.” The early period, which ended in 1972, understandably did not provide a complete and demonstrable mathematical formulation of a solution. The transitional period (1972 – 1974) is characterized by markedly increased interest in computer security issues as evidenced by the Anderson panel [7]. One of the principal results of this panel was the characterization of a solution to the problem of secure computing (using the concept of a “reference monitor”) together with the reasoned dictum that comprehensive and rigorous modeling is intrinsic to a solution to the problem. This period also saw the development of the first demonstrated mathematical models [1, 2, 13] as well as ancillary mathematical results which characterized the nature of the correctness proof demonstration [2, 8]. A second modeling effort, also sponsored by the Electronic Systems Division of the United States Air Force and performed at Case-Western Reserve University, was also undertaken in this period [9]. In this model, the flow of information between repositories was investigated, initially in a static environment (that is, one in which neither creation nor deletion of agents or repositories is allowed) and subsequently in a dynamic environment. Many other papers appeared during this period. An implementation of a system based on a mathematical model was carried out at MITRE by W. L. Schiller [10].

An extension and refinement of the first model was developed [3] to tailor the model to the exigencies of a proposed Multics implementation of the model; included in this extension was a concept promulgated at Case-Western Reserve concerning compatibility between the Multics directory structure and the classifications of the individual files. A great number of other computer security issues were investigated and characterized [11, 12, 13, 14, 15] during this time. Current work succeeding the work reported above is a project sponsored by ESD and ARPA. In this project, the Air Force, the MITRE Corporation, and Honeywell are working cooperatively to develop a design for a security kernel for the Honeywell Multics (HIS level 68) computer system. Other significant efforts include work at UCLA [16], and the Stanford Research Institute [17]. This report summarizes, both narratively and formally, the particular version of the mathematical model that is relevant to the development of a Multics security kernel. The report not only presents the model in convenient and readable form, but also explicitly relates the model to the emerging Multics kernel design to help bridge the gap between the mathematical notions of the model and their counterparts in the Multics security kernel.
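The two ideas the abstract names, the subject/object access model with levels that "dominate" one another and the Case-Western "compatibility" concept tying file classifications to the Multics directory tree, are easiest to see in code. The following is an added illustration written for this page, not code from the Bell-LaPadula report, from Multics, or from the security kernel project. It implements the security-level lattice (classification plus category set), the model's simple security (ss) property and *-property for read, append and write, and a compatibility check that flags any object whose level fails to dominate its parent directory's level. The classification names, the directory tree and the subject are constructed sample data; the discretionary access matrix is deliberately left out.

```python
"""Added example (not from the Bell-LaPadula report or from Multics): a
minimal security-level lattice with the ss-property, *-property and the
directory compatibility rule. Names and sample data are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed total order of classifications (assumption for this example).
CLASSIFICATIONS = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class Level:
    """Security level = classification plus a set of categories (compartments)."""
    classification: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Level") -> bool:
        # Partial order: higher-or-equal classification AND superset of categories.
        return (CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
                and self.categories >= other.categories)


@dataclass(frozen=True)
class Subject:
    max_level: Level      # clearance
    current_level: Level  # level the subject is operating at (dominated by max)


def access_allowed(subject: Subject, obj: Level, mode: str) -> bool:
    """Mandatory check only (the discretionary access matrix is not modelled).
    read   : observe only  -> ss-property (max dominates obj) and current dominates obj
    append : alter only    -> *-property: obj dominates current
    write  : observe+alter -> both, so current level must equal the object's level
    """
    if not subject.max_level.dominates(subject.current_level):
        raise ValueError("current level must be dominated by max level")
    observe = subject.max_level.dominates(obj) and subject.current_level.dominates(obj)
    alter = obj.dominates(subject.current_level)
    if mode == "read":
        return observe
    if mode == "append":
        return alter
    if mode == "write":
        return observe and alter
    raise ValueError(f"unknown mode {mode!r}")


def compatibility_violations(tree: Dict[str, Level]) -> List[str]:
    """Compatibility rule: every object's level dominates its parent directory's
    level, so levels are non-decreasing from the root down each path. Returns the
    paths that break this. 'tree' maps absolute paths to levels (constructed)."""
    bad = []
    for path, level in tree.items():
        if path == "/":
            continue
        parent = path.rsplit("/", 1)[0] or "/"
        if parent in tree and not level.dominates(tree[parent]):
            bad.append(path)
    return sorted(bad)


# Constructed sample data.
U, C, S = Level("U"), Level("C"), Level("S")
S_NUC = Level("S", frozenset({"nuclear"}))

SAMPLE_TREE = {
    "/": U,
    "/proj": S,
    "/proj/design": S_NUC,   # ok: S{nuclear} dominates S
    "/proj/notes": C,        # violation: C does not dominate S
    "/public": U,
}

if __name__ == "__main__":
    analyst = Subject(max_level=S_NUC, current_level=C)
    print(access_allowed(analyst, U, "read"))      # True
    print(access_allowed(analyst, S_NUC, "read"))  # False: current level C is too low
    print(access_allowed(analyst, S, "append"))    # True: appending upward is allowed
    print(access_allowed(analyst, U, "append"))    # False: would move information down
    print(compatibility_violations(SAMPLE_TREE))   # ['/proj/notes']
```

The compatibility check is what lets a kernel treat the directory hierarchy as part of the mandatory policy: if every object dominates its parent, then a subject permitted to read a file under the ss-property is also permitted to traverse every directory on the path to it, and no directory listing can reveal the existence of a more highly classified branch to a subject that could not read that branch.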

References

David E. Bell and Leonard La Padula, Secure Computer System: Unified Exposition and Multics Interpretation, ESD-TR-75-306, ESD/AFSC, Hanscom AFB, Bedford, MA 01731 (1975) [DTIC AD-A023588].

https://csrc.nist.gov/CSRC/media/Publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/early-cs-papers-1970-1985.pdf

Related Papers

David E. Bell and Leonard J. LaPadula, “Secure Computer Systems: Mathematical Foundations,” ESD-TR-73-278, Vol. I, Electronic Systems Division, Air Force Systems Command, Hanscom AFB, Bedford, MA (Nov. 1973).

Leonard J. LaPadula and David E. Bell, “Secure Computer Systems: A Mathematical Model,” ESD-TR-73-278, Vol. II, Electronic Systems Division, Air Force Systems Command, Hanscom AFB, Bedford, MA (Nov. 1973).

David E. Bell, “Secure Computer Systems: A Refinement of the Mathematical Model,” ESD-TR-73-278, Vol. III, Electronic Systems Division, Air Force Systems Command, Hanscom AFB, Bedford, MA (Apr. 1974).
