An abstract from “Preliminary Notes on the Design of Secure Military Computer Systems”
The military has a heavy responsibility for protection of information in its shared computer systems. The military must ensure the security of its computer systems before they are put into operational use. That is, the security must be “certified”, since once military information is lost it is irretrievable and there are no legal remedies for redress.
Most contemporary shared computer systems are not secure because security was not a mandatory requirement of the initial hardware and software design. The military has reasonably effective physical, communication, and personnel security, so that the nub of our computer security problem is the information access controls in the operating system and supporting hardware. We primarily need an effective means for enforcing very simple protection relationships (e.g., user clearance level must be greater than or equal to the classification level of accessed information); however, we do not require solutions to some of the more complex protection problems such as mutually suspicious processes.
Based on the work of people like Butler Lampson we have espoused three design principles as a basis for adequate security controls:
- Complete Mediation — The system must provide complete mediation of information references, i.e., must interpose itself between any reference to sensitive data and accession of that data. All references must be validated by those portions of the system hardware and software responsible for security.
- Isolation — These valid operators, a “security kernel,” must be an isolated, tamper-proof component of the system. This kernel must provide a unique, protected identity for each user who generates references, and must protect the reference-validating algorithms.
- Simplicity — The security kernel must be simple enough for effective certification. The demonstrably complete logical design should be implemented as a small set of simple primitive operations and system database structures that can be shown to be correct.
These three principles are central to the understanding of the deficiencies of present systems and provide a basis for critical examination of protection mechanisms and a method for ensuring a system is secure. It is our firm belief that by applying these principles we can have secure shared systems in the next few years.
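The protection relationship the abstract cites (user clearance level greater than or equal to the classification level of the accessed information), enforced through a small mediating kernel structured along the three principles, as an added example that is not from the paper; the level ordering, user names, and objects are constructed for illustration.

```python
from __future__ import annotations

# Total order of classification levels, low to high (constructed for this example).
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")

def dominates(clearance: str, classification: str) -> bool:
    """The abstract's 'very simple protection relationship': a subject may
    reference an object only if its clearance level is >= the object's level."""
    return LEVELS.index(clearance) >= LEVELS.index(classification)

class SecurityKernel:
    """Isolation: the kernel alone holds identities, labels and object contents,
    so every reference must pass through reference(); no other path reaches data.
    Simplicity: two primitives (store, reference) and one label database."""

    def __init__(self, clearances: dict[str, str]) -> None:
        self._clearances = dict(clearances)   # protected user identity -> clearance
        self._objects: dict[str, str] = {}    # object name -> contents
        self._labels: dict[str, str] = {}     # object name -> classification
        self.audit: list[tuple[str, str, bool]] = []  # every reference, granted or not

    def store(self, name: str, contents: str, classification: str) -> None:
        if classification not in LEVELS:
            raise ValueError(f"unknown classification {classification!r}")
        self._objects[name] = contents
        self._labels[name] = classification

    def reference(self, user: str, name: str) -> str | None:
        """Complete mediation: the only way to obtain an object's contents.
        Returns the contents when the rule holds, None when access is denied."""
        clearance = self._clearances.get(user)   # unknown identity -> no clearance
        label = self._labels.get(name)           # unknown object -> nothing to release
        granted = (clearance is not None and label is not None
                   and dominates(clearance, label))
        self.audit.append((user, name, granted))
        return self._objects[name] if granted else None

def demo() -> list[tuple[str, str, bool]]:
    """Constructed users and objects; returns the kernel's audit trail."""
    k = SecurityKernel({"alice": "SECRET", "bob": "CONFIDENTIAL"})
    k.store("plan", "operation details", "SECRET")
    k.store("memo", "cafeteria hours", "UNCLASSIFIED")
    k.reference("alice", "plan")   # granted: SECRET >= SECRET
    k.reference("bob", "plan")     # denied: CONFIDENTIAL < SECRET
    k.reference("bob", "memo")     # granted: CONFIDENTIAL >= UNCLASSIFIED
    k.reference("eve", "memo")     # denied: no protected identity in the kernel
    return k.audit
```

Because the audit list records denied references as well as granted ones, a reviewer can check that every reference was in fact mediated rather than inferring it from the absence of leaks.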