Security for the US Department of Defense

Research into a secure frontend processor

Abstract: Multilevel security in computer systems has been researched by the US Air Force. The result was Stomp, a secure frontend processor. Honeywell later collaborated with the US Department of Defense and is the first manufacturer to gain an A1 certificate for its system. So far commercial demand in the UK has been limited, but security could become a standard feature on many Honeywell products.

Keywords: data processing, computer security, terminals.

Stephen Arkell is a technical journalist.

by STEPHEN ARKELL

A secure system these days means more than guard dog patrols and foot thick concrete walls. It means preventing unauthorized access to data, not only by unauthorized persons but also by employees who have a legitimate right to use the system yet have no right to see certain data held on it. With online, time-sharing systems now widespread, that danger is a distinct possibility.

Needless to say, it was the military which first turned to the problem of multilevel security, the buzzword used to describe locking up different levels of data resident on the same host.

Weak security in the US Air Force

As far back as the early 1970s, the US Air Force set up a number of teams with the specific directive to crack the force’s own databases. The teams, made up of computer experts, penetrated every system they tried. Not surprisingly, the USAF became ‘very concerned’. A working party was set up to look into computer security and a report was produced recommending the implementation of what was termed a ‘reference monitor’ on a little known system called Multics.

Multics, a forerunner of Unix, had been designed with security as an explicit goal by MIT, Bell Labs and General Electric, whose computer business Honeywell later acquired. Further development was taken over solely by Honeywell. The mid-1970s saw Honeywell and the USAF working on a joint project to develop the combined reference monitor and Multics concept. The idea behind the reference monitor was to gather every decision about which users may access which data into a single, small ‘security kernel’ that mediates all access, so that the rules are enforced in one place and cannot be bypassed.

After two years the project had used up its $5M funding. An attempt to gain funding from the US Army and Navy failed, and the project was cancelled.

New development work

However, it had not been a complete waste of time. One significant item which came out of the study was Stomp, which was originally conceived as a secure frontend processor for Multics. Development work began on Stomp with minimal funding in the late 1970s.

A major problem for developers of secure systems in the past has been degradation: the loss of throughput that security checks impose. The challenge is to make a system secure without taking up so much of the computer’s power that it becomes pointlessly inefficient. In Stomp, which went on to become a collaborative project between Honeywell and the US Department of Defense (DOD), the ‘security kernel’ was kept to a minimum to allow the computer more power to get on with its day to day business. The concept of ‘trusted software’ was also born with Stomp. This is software which is ‘trusted’ to bypass the security kernel’s normal rules at particular user security levels.

By now, the US DOD had come up with a series of classifications to identify different levels of secure computing. These are laid down in the ‘Orange Book’, or ‘Trusted Computer System Evaluation Criteria’ to give it its full title. The DOD’s classes range from D (minimal protection) through C1 and C2, then B1, B2 and B3, up to A1, the most secure multilevel class yet devised.

Data Processing vol 27 no 6, July/August 1985. ISSN 0011-684X. © 1985 Butterworth & Co (Publishers) Ltd. p. 23

Honeywell’s A1 certificate

At the end of last year, Honeywell, which had been continuously working on Stomp since the late 1970s, became the first manufacturer to gain an A1 certificate for its system. Stephen Darvill, UK manager of Honeywell’s newly-formed secure systems division, does not expect any other system to obtain an A1 rating in the near future, although he admits the possibility that even more secure systems may be developed over the years.

‘To get the rating we had to produce a mathematical representation of our security kernel,’ says Darvill. ‘Once the system was running we then had to prove mathematically again that it was running in accordance with the model.’

Just about every process, user, peripheral and file is checked against the reference monitor in an A1 system. In effect that means that if a user is cleared to access, say, ‘confidential’ information, he/she will not be able to access a ‘top secret’ file or database. Nor will he/she even be allowed to use a VDU or printer which has been checked into the system above his/her level of security.

The A1 grading also divides information and processes into compartments. This prevents users from accessing information on other projects even at their own security level.
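The checks the last few paragraphs describe (no reading above one’s clearance, no use of a terminal or printer checked in above one’s level, compartments that separate projects at the same level, and ‘trusted software’ permitted to bypass the kernel’s normal rule at particular levels) can be shown as a small reference monitor. What follows is an added Python illustration written for this page; it is not code from the article or from Honeywell’s Stomp. It goes a little beyond the text in one respect: alongside the no-read-up rule it also enforces the complementary no-write-down rule of the Bell-LaPadula model on which the Orange Book’s mandatory access control is built, and it models trusted software as a subject allowed to write down only as far as a fixed floor. Every name, level, compartment, file and device below is constructed for the example.

```python
"""Toy reference monitor for multilevel security with compartments.

Added illustration, not code from the article or from Honeywell's Stomp.
Levels, compartment names, subjects, files and devices are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Optional


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: at least as high a level AND at least the same compartments.
        return self.level >= other.level and self.compartments >= other.compartments


@dataclass
class Subject:
    name: str
    clearance: Label
    # "Trusted software": may write below its own level, but never below this floor.
    trusted_floor: Optional[Level] = None


@dataclass
class Obj:
    name: str
    label: Label
    kind: str = "file"  # file, vdu, printer ...


class ReferenceMonitor:
    """Single choke point: every access to an object is decided here and logged."""

    def __init__(self) -> None:
        self.audit: List[str] = []

    def _read_ok(self, s: Subject, o: Obj) -> bool:
        return s.clearance.dominates(o.label)  # no read up

    def _write_ok(self, s: Subject, o: Obj) -> bool:
        if o.label.dominates(s.clearance):  # no write down
            return True
        if s.trusted_floor is None:
            return False
        # Trusted subject: may write down, but only to its floor or above and only
        # into compartments it already holds. The compartment rule is never bypassed.
        return (o.label.level >= s.trusted_floor
                and s.clearance.compartments >= o.label.compartments)

    def check(self, s: Subject, o: Obj, mode: str) -> bool:
        if mode == "read":
            ok = self._read_ok(s, o)
        elif mode == "write":
            ok = self._write_ok(s, o)
        elif mode == "use":
            # A terminal or printer carries data both ways, so its label may
            # neither exceed the user's clearance nor sit below it.
            ok = self._read_ok(s, o) and self._write_ok(s, o)
        else:
            ok = False
        self.audit.append(f"{'ALLOW' if ok else 'DENY'} {s.name} {mode} {o.kind}:{o.name}")
        return ok


def run_demo() -> dict:
    """Constructed scenario: a confidential user, an air commander, overall command."""
    rm = ReferenceMonitor()
    alice = Subject("alice", Label(Level.CONFIDENTIAL))
    air_cmd = Subject("air_cmd", Label(Level.TOP_SECRET, frozenset({"AIR"})))
    overall = Subject("overall_cmd", Label(Level.TOP_SECRET, frozenset({"AIR", "NAVAL"})))
    downgrader = Subject("downgrader", Label(Level.TOP_SECRET, frozenset({"AIR"})),
                         trusted_floor=Level.SECRET)

    memo = Obj("memo", Label(Level.CONFIDENTIAL))
    summary = Obj("summary", Label(Level.SECRET))
    air_plan = Obj("air_plan", Label(Level.TOP_SECRET, frozenset({"AIR"})))
    fleet = Obj("fleet", Label(Level.TOP_SECRET, frozenset({"NAVAL"})))
    vdu = Obj("vdu-7", Label(Level.CONFIDENTIAL), kind="vdu")
    printer = Obj("printer-2", Label(Level.SECRET), kind="printer")

    return {
        "alice_reads_memo": rm.check(alice, memo, "read"),                  # True
        "alice_reads_air_plan": rm.check(alice, air_plan, "read"),          # False: read up
        "alice_uses_vdu": rm.check(alice, vdu, "use"),                      # True: same level
        "alice_uses_printer": rm.check(alice, printer, "use"),              # False: device above her
        "air_cmd_reads_air_plan": rm.check(air_cmd, air_plan, "read"),      # True
        "air_cmd_reads_fleet": rm.check(air_cmd, fleet, "read"),            # False: wrong compartment
        "overall_reads_fleet": rm.check(overall, fleet, "read"),            # True
        "air_cmd_writes_summary": rm.check(air_cmd, summary, "write"),      # False: write down
        "downgrader_writes_summary": rm.check(downgrader, summary, "write"),  # True: trusted, above floor
        "downgrader_writes_memo": rm.check(downgrader, memo, "write"),      # False: below floor
        "audit": rm.audit,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The point of the structure is that `check()` is the only route to an object, so the policy lives in one small, auditable place, which is what the article’s ‘security kernel’ means; the ‘use’ mode is how a terminal labelled above (or below) the user is refused, and the `trusted_floor` is the hypothetical equivalent of software trusted to bypass the kernel only within a bounded range of levels.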

Darvill believes that Stomp has got around the problem of degradation. The reference monitor is implemented in both hardware and software on a Honeywell DPS 6 minicomputer. ‘We tried to do it in software alone at first,’ explains Darvill. ‘But we had a degradation of around 20% of the power of the machine.’

The solution now implemented involves only a minimal degradation of computing capacity, roughly the equivalent of dropping from a DPS 676 to a DPS 654. As 95% of the information kept on an administrative system is likely not to be classified anyway, it is important that the computer should function like any other DP department machine.

As yet the UK military has not issued a set of rules specifying multilevel security. Darvill expects that when they are produced they are likely to be very similar to the US DOD ratings. ‘In the absence of anything else, the DOD standard is the de facto NATO standard. Although these are basically DP machines, they will be used for intelligence gathering on troop locations, strengths and readiness, so the information on them has to be locked up very carefully. A lot of lives hang on that information.’

Unix-based shell

Honeywell is promoting Stomp as a Unix-based engine, although parts of the Unix shell have had to be left out because they break the security rules.

Users then write their own applications on top, with the trusted software process written on top of the application. ‘We hope to add secure office automation, an Ada compiler and secure X.25 protocols to link into OSI later this year,’ says Darvill. Stomp has also been used to keep out hackers in the US after a highly publicised break-in at government laboratories in Los Alamos. Stomp now runs at the establishment as a secure frontend processor.

Acceptance from NATO is also growing with the use of Stomp for SACLANT (Supreme Allied Commander Atlantic), NATO’s Atlantic command. Stomp is being used there as an intermediate processor between the user and the database. Overall command will be able to access all the information on the database, whereas an air commander will only be able to look at his specific area of command.

‘It will be the first NATO multilevel secure system to top secret classification,’ says Darvill.

What about commercial DP applications for Stomp? So far there has been no demand in the commercial world, despite Stomp’s obvious advantages, especially for the banks and finance houses. Darvill thinks this is due to a lack of perception. ‘The banks do not see they have a problem with multilevel security.’

With spies these days breeding like rabbits, Darvill does believe there will be a lot of interest from government departments. ‘They are crying out for multilevel security,’ he says. This is an area where the less stringent Multics system, cleared to B2 level, has already come into its own.

Multics is currently being used on mainframes in five UK universities by both examiners and students. Students have access to the same system that holds details of possible exam questions and their results. The system is also installed at RAE Farnborough in the UK. A B2 system enforces mandatory labels on every subject and object just as an A1 system does; the difference lies in assurance. B2 requires a formal security policy model and a descriptive top-level specification of the system, whereas A1 additionally demands a formal top-level specification, a formal proof that it is consistent with the model, and a demonstrated correspondence between that specification and the code.

Further research

Stomp is currently state-of-the-art in multilevel secure systems. But development work has not stopped. ‘We are working on even more secure systems,’ says Darvill. ‘We could get to the stage where we see not only mathematically verified design, but also verified implementation of the reference monitor.’

Darvill also predicts security as a standard feature on many Honeywell products within the next ten years. ‘We’ll certainly see that from Honeywell, and other companies like Burroughs and Sperry are also working on it.’

Honeywell Information Systems Ltd, Honeywell House, Great West Rd, Brentford, Middlesex.
