Secure Ada Target: Issues, System Design, and Verification

W.E. Boebert, Honeywell Secure Computing Technology Center, Minneapolis, MN
R.Y. Kain, University of Minnesota, Minneapolis, MN (Consultant to Honeywell)
W.D. Young, University of Texas, Austin, TX (Consultant to Honeywell)
S.A. Hansohn, Honeywell Secure Computing Technology Center, Minneapolis, MN

ABSTRACT

The Secure Ada Target (SAT) machine is designed to meet or exceed the DoD requirements for multi-level secure systems. This paper describes the requirements on such designs, our approach to meeting these requirements by introducing tagged objects, and a specialized tagged object processor (TOP) that handles all operations involving tagged objects. Basic system security is achieved using a small software kernel and the TOP. The structure of our proofs that the system satisfies appropriate security properties is outlined. Brief remarks concerning the implementation of user Ada programs on the SAT system conclude the paper.

INTRODUCTION

The Secure Ada Target (SAT) machine is designed to meet or surpass the requirements for level A1 certification as a secure computing system, as defined in the Department of Defense (DoD) Trusted Computer System Evaluation Criteria.1 The A1 level is the highest level yet specified; a system must provably meet certain criteria and support other functions, such as labeling human-readable output.

Previous attempts to meet military security requirements have used a large core of system software supported by a small amount of specialized hardware. The SAT design reverses this pattern, relying on a small software kernel supported by hardware modifications to traditional system modules (such as memory) and by additional modules (such as a coprocessor handling object descriptors). One could say that the design is based on rethinking the hardware/software interface, moving security-related mechanisms into hardware as much as possible, while preserving a soft implementation of policy as much as possible. The provision for soft policy implementations allows users to develop applications for the system that meet security criteria different from or in excess of the military policies, while at the same time preserving the provability of properties concerning the military policy.

In this paper we survey the design and mechanisms of the SAT design, pointing out how this design not only meets the A1 criteria but also permits implementations based on diverse host processor architectures. The initial implementation of the SAT design will be based on the Honeywell Level 6 minicomputer system. We present significant issues that have been addressed in developing the SAT design. We describe our position on each of these issues and briefly discuss our rationale. We detail the operation of the security-related mechanisms in the SAT system design, show our approach to formal verification, and describe the design of the system software that we expect to provide with the initial systems. Throughout, the reader will note the influence of the proof requirement on the design decisions that we have taken, and should appreciate how we have minimized the amount of policy that has been placed in the underlying system mechanism. Our design approach is largely independent of CPU selection, though implementation details necessarily depend on the processor selected.

This effort has been supported by US Government Contracts MDA904-82-C-0444 and MDA904-84-C-6011.

CH2150-1/85/0000/0176$01.00 © 1985 IEEE

MILITARY SECURITY REQUIREMENTS

The traditional military secure system based on paper documents handled by trusted individuals does not map directly onto computer systems that can handle information of differing security properties. A basic requirement of all military secure systems is that they provide a mechanism for assigning security classifications to all objects within the system and to all users of the system. These classifications are the basis on which the system permits programs to access objects.

The military security requirements assign "degrees" of security to systems based on their properties and the degree of trust placed in the design and implementation of the system. The highest classification is named "A1," in which proofs are required both to support the fundamental design strategy and to relate that design strategy to the actual implementation. The SAT design should meet and even exceed the A1 requirements.

All approaches to military security rely on the "reference monitor" model.2,3 Under the reference model, active entities are called "subjects," which are permitted to access passive entities that are called "objects." Access control is provided through a mediating subsystem, called the "reference monitor" or "security kernel."

The reference monitor maintains the basic security state of the information system. It performs three functions:

1. It maintains a table that specifies the modes of access permitted to the objects by the subjects. This table can be viewed as the "security state" of the system.

2. It mediates all attempted accesses to objects, ensuring that only those accesses permitted by the security state succeed.

3. It performs the operations that modify the security state (adding entries for newly-created objects, for example), and ensures that these operations preserve the integrity of the security state.

Generally, the reference monitor model is tabular: the security state comprises the security attributes of all subjects and objects in the system, and the model contains rules that define, in terms of these attributes, the access a particular subject may have to an object. Therefore "read" and "write" access must be clearly defined. A subject has unconstrained access to its own state (the register set, for example). A read of an object has the effect of changing the state of the subject based on the contents of the object; a write, correspondingly, changes the value of the object based on the contents of the register set. Load and store instructions provide obvious examples of read and write accesses, respectively. Other access modes are defined in SAT to support domain constructs. A system is secure, in this model, in the sense that some set of stated properties (which together define a "policy") are preserved by every operation.

The individual accesses to objects are controlled by two policies: "mandatory" and "discretionary" access control. The former restricts access based on the relationships between the security attributes of the accessed object and the security attributes of the user on whose behalf the subject is executed. These attributes are hierarchical levels (such as secret) and categories (such as crypto). The mandatory policy prevents direct information compromise and indirect attacks using intermediaries. Discretionary policies are based on "need to know": the individual owning an object declares which individuals (or groups) are allowed which modes of access to that object, in a form known as an "access control list" (acl). Discretionary controls may permit only those accesses that the mandatory policy also permits.

A significant problem is that a strict mandatory policy does not permit one to implement useful systems. For example, one cannot encrypt a sensitive file and stream the resulting ciphertext to an unclassified device, since a strict mandatory policy would view this as permitting access by a user of low trust to information of high sensitivity. To circumvent this and other problems, system designers have included "trusted agents," which must be proved to obey certain semantic properties such that information flow can be permitted under desired circumstances and denied under other circumstances. To clean up the system, we have added object types and execution domains: the execution domain of a subject and the type of an object together define the allowable modes of access, and the type-domain relations can be used to separate the program that encrypts a file from the program that outputs ciphertext, so that these two kinds of access need not be granted to a single program.

DESIGN ISSUES

The notions of "subject," "object," and "security state" play a central role in our design. Therefore, we must first decide how these notions are to be defined and implemented in the SAT system; we call these the "basic" design issues. A second set of "practical" issues concerns the "core" design decisions that have affected the detailed design. Our thinking on both is presented in this section, and the reader will note the influence of the proof requirement on that thinking; the detailed design follows in the next section.

Basic Design Concepts

In SAT a subject is defined to be an instruction sequence being executed in a particular security context (to be discussed next). A subject executes on behalf of a single user, who is an individual accessing the system. Certain security attributes of the subject, therefore, are the security attributes of the user on whose behalf it is acting. Any interpretation of this constraint, however, limits the subject in ways that we shall discuss below. The security context of a subject must include a hierarchical level and a set of categories, in order to enforce the mandatory access policies. In addition, the identity of the user on whose behalf the subject is executing (and the groups to which that user belongs) must be part of the security context, in order to enforce the discretionary policies. To assist in the enforcement of these basic access control properties, we have added an execution domain and other miscellaneous properties to the security context; these are used in the enforcement of the semantic properties discussed above, such as the labeling of human-readable output.

The next design issue concerns the nature of an "object." Our design is based on the "object-oriented" philosophy, under which many things are considered to be abstract objects. These include security levels, devices, subjects, types, domains, and value-holding spaces. The mandatory policy dictates that a value-holding object possess a hierarchical level and a set of categories. In addition, an acl defining which users are allowed to access the object, and in what ways they are constrained, is a required attribute of each object in the system (to meet the discretionary access restrictions). Finally, we have added an object type to assist in the enforcement of the labeling and other semantic requirements.

The third basic design issue concerns human-readable output. Human-readable output must be labeled appropriately to reflect the sensitivity of the information contained within the output document. One could meet this requirement by writing a procedure that both labels the output and passes it to the device; a strict mandatory policy, however, would view these as two disparate attempts to access the device, which together implement the labeling requirement. Object types and execution domains allow the labeling procedure to be distinguished from other programs that attempt to write to the device.

to

permitted succeed.

example), and ensures that preserve the security state

sense that some together define In

that

integrity

actions

DESIGN

Basic 3.

the

problem and we introduced An execution

operation

subjects

only those allowed to

file’s by

each

by each subject. This conceptual model cannot be literally followed a practical implementation of the however.

It

intermediate

solve this structure, domains.

functions.

a distinguiahed

the

the This

called

kernel.”

called This can

object tabular develop system, 2.

subsystem “security

one functions,

177

other

miscellaneous

semantic

of added

The

third

notion

model is Generally

inherent

the “security the security

comprises attribute.

all

in

the

state” state

subject To these

reference

During

monitor

must

of the system. of the system

attributes we have

“read”

or

read

and

define state

model contains rules a particular subject may have Therefore, access to an object.

“write”

access

must

these in terms of to which a subject

be

clearly

defined.

changes in the has unconstrained

(the register set, for example). object has the effect of changing subject that is under the influence

of

the

system

In

a

object

based

on

the

monitor

and

other

practical functions

security

hardware.

Interactions

between

system’s

security

subject’s

view

traditional sees the

an state

In

of

the

implementations an efficient

executing are

subject

influenced

system

state.

and

the

addresses

and

The NST for a subject all objects addressable NST entry allows the state of contains accesses can control sense of

information subject. find the

the single object it describes, a set of access rights permitted by the subject to that object. the composition of its NST which objects can be accessed,

subject

ATO is not because the not by rights

but by a check time that LNST

system

of

the

is

executed.

security

one

which

between

support should

practical operations.

operations call the

are Tagged

issue

be

concerns

the

placement

SAT the kernel implemented in a coprocessor Object Processor (TOP).

support

of

In

for

kernel

operations

that we There is

from

“core”

CPO software, including interrupt and code. In general, any interrupt that handling will invoke a simple handler

trap-handling requires TOP that just

captures

to

status the

and

transfers

condition of

can

control

be

analyzed

modifications

support

Modifications include module, expansions of handle

tag

values),

the the

these

addition logical

modifications

between the bus and changes to processor GOT-holding disks.

the

TOP,

and

handled. TOP operations the processor’s instruction

appropriate modifications of the modules. Our initial implementation on a Honeywell Lwel 6 minicomputer

and for A subject (in the but not in

are set; additions.

modifications to in SAT systems. processor subject to

component will be system. of the megabus to

the value-holding microcode, and

the

based

TOP (to interfaces

modules, the addition

of
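To make the LNST check concrete, here is a small Python model written for this edition; it is not code from the SAT paper, from Honeywell, or from the Gypsy specifications. It combines the mandatory, discretionary and type/domain constraints described under Military Security Requirements with the GOT and NST structures described above: a TO only names an object, and the rights an NST entry receives are computed from the GOT entry and the subject's security context at the moment LNST executes. The Label, Context and GotEntry records, the TYPE_TABLE, the level scale and the object and user names are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field

READ, WRITE = "read", "write"


@dataclass(frozen=True)
class Label:
    """Mandatory attributes: a hierarchical level and a set of categories."""
    level: int                          # assumed scale: 0 = unclassified ... 3 = top secret
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order used by both Bell-LaPadula properties below.
        return self.level >= other.level and self.categories >= other.categories


@dataclass(frozen=True)
class Context:
    """Security context of an executing subject (hypothetical fields)."""
    label: Label
    user: str
    domain: str


@dataclass
class GotEntry:
    """Subset of a Global Object Table entry (hypothetical layout)."""
    label: Label
    owner: str
    otype: str = "memory"
    # acl: user -> modes granted; an entry with no modes is an explicit deny
    acl: dict = field(default_factory=dict)


# Type enforcement table: (domain, object type) -> modes the domain may use.
# Constructed so that only a "labeler" domain may write printer objects,
# which is how labelled human-readable output would be protected.
TYPE_TABLE = {
    ("user", "memory"): frozenset({READ, WRITE}),
    ("user", "printer"): frozenset(),
    ("labeler", "memory"): frozenset({READ}),
    ("labeler", "printer"): frozenset({WRITE}),
}


def mandatory_rights(ctx: Context, obj: GotEntry) -> frozenset:
    rights = set()
    if ctx.label.dominates(obj.label):   # simple security property: read down
        rights.add(READ)
    if obj.label.dominates(ctx.label):   # *-property: write up
        rights.add(WRITE)
    return frozenset(rights)


def discretionary_rights(ctx: Context, obj: GotEntry) -> frozenset:
    if ctx.user == obj.owner:            # CGEN gives the owner full access
        return frozenset({READ, WRITE})
    return frozenset(obj.acl.get(ctx.user, ()))


def lnst(ctx: Context, got: dict, oid: str) -> frozenset:
    """Rights the new NST entry would carry for object `oid`.

    The TO names the object; the rights are not taken from the TO but
    computed from the GOT and the context at the moment LNST executes.
    """
    obj = got[oid]
    rights = mandatory_rights(ctx, obj) & discretionary_rights(ctx, obj)
    return rights & TYPE_TABLE.get((ctx.domain, obj.otype), frozenset())


# Constructed sample state for the demonstration.
SECRET_CRYPTO = Label(2, frozenset({"crypto"}))
UNCLASSIFIED = Label(0)

GOT = {
    "doc": GotEntry(SECRET_CRYPTO, owner="alice", acl={"bob": {READ}}),
    "log": GotEntry(UNCLASSIFIED, owner="carol", acl={"alice": {WRITE}, "bob": set()}),
    "lpt": GotEntry(SECRET_CRYPTO, owner="sys", otype="printer",
                    acl={"alice": {WRITE}, "lbl": {WRITE}}),
}
ALICE = Context(SECRET_CRYPTO, user="alice", domain="user")
BOB = Context(Label(1), user="bob", domain="user")
LABELER = Context(SECRET_CRYPTO, user="lbl", domain="labeler")


if __name__ == "__main__":
    for who, ctx in (("alice", ALICE), ("bob", BOB), ("labeler", LABELER)):
        for oid in GOT:
            print(f"{who:8} LNST {oid}: {sorted(lnst(ctx, GOT, oid))}")
```

Running the block prints, for each subject and object, the rights LNST would load. Two cases show an acl entry granting a mode that the result does not contain: bob's read on the secret document and alice's write on the unclassified log are both removed by the mandatory check, which is the sense in which discretionary judgments may not overrule the mandatory policy. The user domain cannot write the printer object at all, which is how a labeler domain would be given sole write access to a device.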

TOP DESIGN

The TOP provides most of the hardware support to the kernel by managing system resources and performing the TOP's operations on TOs. Before we discuss details, we will first review a scenario to illustrate how TOs are used in SAT.

A Basic Scenario

To illustrate the role of the TOP in maintaining the system's security state, our scenario shows the creation of a memory object and the actions that a subject performs to gain access to the object. Then we describe how the object's creator can pass knowledge of the object to other subjects, thereby permitting them to access the contents of the object. These scenarios are described in terms of the TOP operations performed to effect the actions.

To create an object, the subject executes the TOP operation Create GOT Entry (CGEN). One parameter of this operation is a TO describing the type of the object to be created. Let us consider a memory object for our example. The CGEN operation creates a new object, allocating memory space to hold its contents, and returns a TO describing the new object. To maintain the system's security state, a new GOT entry is created and assigned a hierarchical classification and a category set based on the executing subject's security context. In addition, it is assigned a type based on the value of a parameter of the CGEN operation. The acl of the new object is set to permit owner access to the user on whose behalf the executing subject is acting, and no access to other users. An initialization procedure completes the CGEN operation. After CGEN has been executed, the GOT entry has been completed and the new TO has been stored in memory at a destination specified as a parameter of the operation; but since there is no entry for the new object in the subject's NST, the executing subject still cannot access the new object.

The executing subject has to enter the new object into its virtual address space by executing the LNST operation. The TOP, while executing LNST, examines the security state of the system to set the access rights, enforcing the mandatory and discretionary controls imposed by the system state and the policy being enforced. In addition, domain access controls are imposed. The new NST entry therefore contains the access rights for the object, the constraints corresponding to the type of the object, and the physical location of the object (which memory module it is attached to), together with its length.

Once the NST contains an entry for an object, the object can be accessed if the processor-generated virtual address is consistent with that entry. In the Level 6 host system, memory access is controlled by a memory management unit (MMU), which separates a virtual address in a fixed manner into a segment number and an offset. The segment number is used to index the memory map table, selecting one entry in the table. Entries in the MMU are loaded from a memory-resident image of the NST; upon process swap the MMU is loaded with a pointer to the new memory map for the new process, and residual entries are invalidated. The new memory map state is acquired from a processor-known queue of waiting processes, and the system's security state therefore includes the state of this data structure. Since the MMU will not allow any access not specifically permitted by the contents of the memory map table, the processor cannot subvert the access restrictions imposed by the NST. The MMU and the access control lists thus play a central role in enforcing the system's security state.

User-Visible TOP Operations

User-visible TOP operations can be invoked from arbitrary unprivileged programs; privileged TOP operations, which are accessible only to the system security officer and system administrators, are described later. The user-visible TOP functions are grouped into the following categories:

1. Object Existence Operations
2. TO Copying
3. Subject State Modifications
4. System Security State Modifications
5. Status Query Operations

Object Existence Operations. In addition to CGEN, which creates a new object, there is a TOP operation for object deletion, DGEN. These two operations control the lifetime of objects known to the system. Using CGEN and TO copying, a subject can create an object and then propagate a TO describing that entire object to other subjects; in this manner memory sharing can be implemented. In some applications, the creator of an object might wish to pass only the right to access a portion of an object. The TOP operation Create Image (CIMG) permits a subject to select a contiguous portion of a memory object and returns a TO describing the image. Sharing restrictions on portions of memory objects can thus be imposed by controlling the propagation of image TOs. To simplify the prototype SAT implementation, discretionary access controls are not applied to images: they apply only to complete memory objects (containers).

TO Copying. The second class of TOP operations permits a subject to copy TOs within memory. Since the processor has not been modified to handle TOs, it cannot copy them by loading them into a processor register and then storing the contents of that register in memory. In addition, our TOP design does not include any user-visible state, and in particular no TO-holding registers. Therefore, TO copying must appear to be a memory-to-memory move.
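The following Python model, added for this edition and not taken from the SAT paper or from Honeywell's Level 6 documentation, shows the MMU check described above: a virtual address is split in a fixed manner into a segment number and an offset, the segment number selects one memory-map entry loaded from the subject's NST image, and the access succeeds only if that entry permits the mode and the offset lies within the object. A process swap replaces the map wholesale, so the entries of the previous subject are invalidated. The 16-bit split, the MapEntry fields and the sample images are assumptions.

```python
from dataclasses import dataclass

READ, WRITE = "read", "write"

# Assumed fixed split of a virtual address: the high bits select the segment
# (an NST slot), the low SEG_BITS bits are the offset. The paper says only
# that the Level 6 MMU splits the address "in a fixed manner".
SEG_BITS = 16
OFFSET_MASK = (1 << SEG_BITS) - 1


@dataclass(frozen=True)
class MapEntry:
    """One memory-map entry, loaded from the memory-resident NST image."""
    base: int           # physical location of the object
    length: int         # object length in bytes
    rights: frozenset   # modes permitted to this subject


class Mmu:
    def __init__(self) -> None:
        self.map: dict = {}

    def swap_to(self, nst_image: dict) -> None:
        """Process swap: take the new memory map; residual entries are invalidated."""
        self.map = dict(nst_image)

    def translate(self, vaddr: int, mode: str) -> int:
        seg, off = vaddr >> SEG_BITS, vaddr & OFFSET_MASK
        entry = self.map.get(seg)
        if entry is None:
            raise LookupError(f"segment {seg} is not in the address space")
        if mode not in entry.rights:
            raise PermissionError(f"{mode} access to segment {seg} not permitted")
        if off >= entry.length:
            raise LookupError(f"offset {off:#x} is beyond the object (length {entry.length:#x})")
        return entry.base + off


def probe(mmu: Mmu, vaddr: int, mode: str):
    """Return ("ok", physical address) or ("fault", exception name) for one access."""
    try:
        return ("ok", mmu.translate(vaddr, mode))
    except (LookupError, PermissionError) as exc:
        return ("fault", type(exc).__name__)


# Constructed NST images for two subjects.
SUBJECT_A = {1: MapEntry(0x1_0000, 0x100, frozenset({READ, WRITE})),
             2: MapEntry(0x2_0000, 0x40, frozenset({READ}))}
SUBJECT_B = {3: MapEntry(0x3_0000, 0x80, frozenset({READ}))}


def scenario() -> list:
    """Run the accesses described in the text and return their outcomes in order."""
    mmu = Mmu()
    mmu.swap_to(SUBJECT_A)
    out = [
        probe(mmu, 0x0001_0010, READ),    # segment 1, readable: maps to 0x10010
        probe(mmu, 0x0002_0004, WRITE),   # segment 2 is read-only
        probe(mmu, 0x0002_00FF, READ),    # offset 0xFF beyond the 0x40-byte object
        probe(mmu, 0x0007_0000, READ),    # segment 7 was never loaded
    ]
    mmu.swap_to(SUBJECT_B)                # process swap invalidates A's entries
    out.append(probe(mmu, 0x0001_0010, READ))   # A's segment 1 is gone
    out.append(probe(mmu, 0x0003_0010, READ))   # B's own segment works
    return out


if __name__ == "__main__":
    for result in scenario():
        print(result)
```

The point the paper makes is that the processor never consults the GOT itself; every reference is filtered by whatever the TOP loaded into the map, so a subject can only reach what its NST image names, with the modes it was granted, and nothing survives a swap to another subject.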

The two TO copying operations are Copy Tagged Object (CTO) and Block Move (BLMV). The latter permits copying a block of contiguous memory locations that may contain TOs. (The block move operation must be used if the block contains TOs, since the processor cannot copy its contents through a temporary CPU register.)

Subject State Modifications. This class of operations affects the executing subject's view of the system. One is LNST, discussed earlier. A companion operation, LVDT, loads a virtual device description into the subject's virtual device table (VDT). The operation ISLO (Instantiate Subject-Local Object) allows a subject to acquire a temporary object in its own memory space; such an object is not globally known (and is not shared) and therefore does not require a GOT entry. In addition, an auxiliary operation in this class allows a subject to generate the TOs corresponding to the security labels (levels and categories) known to the system; these TOs are used as parameters to other TOP operations and can be generated only in controlled ways, so that the system's security state cannot be compromised.

System Security State Modifications. Object creation, object destruction, image creation, and tagged object copying all change the system's security state. In addition, the user who owns an object can modify the attributes associated with it: the owner can change the associated acl or pass ownership of the object to another subject. To change an acl, the owner executes SDAC (Set Discretionary Access Controls), which adds an entry to the acl for a designated (owned) object. Certain parameter combinations have the effect of removing entries from the acl. For example, the owner can set an entry that supersedes an existing entry, or he can set an entry that denies access to a specified user; this effectively removes the designated user from the acl.

To pass ownership, both subjects must be aware of the change, since it would be disastrous for an object to have no owner; a protocol has been designed so that ownership cannot be lost. The two operations GOWN (Give OWNership) and TOWN (Take OWNership) are used to transfer ownership of an existing object. Associated with each subject are two lists that support these operations. One list contains TOs of those objects for which GOWN has been executed but TOWN has not yet occurred. The second list contains TOs for those objects that have been given to the subject, but for which the subject has not yet taken ownership (by executing TOWN). (The obvious synchronization problems do not occur in our system, since there is only one TOP, and TOP operations are indivisible.)
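The acl modification and ownership transfer rules above can be checked in a few lines. The Python model below is an added example, not code from the SAT paper or the TOP; it assumes a GotEntry with an owner and an acl, treats a repeated SDAC for the same user as superseding the earlier entry and an empty mode set as an explicit deny, and keeps the two per-subject lists that GOWN and TOWN maintain. The object and user names are constructed.

```python
from dataclasses import dataclass, field

READ, WRITE = "read", "write"


@dataclass
class GotEntry:
    """Discretionary part of a GOT entry (hypothetical layout)."""
    owner: str
    acl: dict = field(default_factory=dict)   # user -> frozenset of modes; empty = deny


class Top:
    """Single TOP; its operations are indivisible, so no locking is modelled."""

    def __init__(self, got: dict) -> None:
        self.got = got
        self.given = {}     # giver    -> {oid}: GOWN executed, TOWN pending
        self.offered = {}   # receiver -> {oid}: given to it, not yet taken

    # SDAC: the owner sets one acl entry; a later entry for the same user
    # supersedes the earlier one, and an empty mode set is an explicit deny.
    def sdac(self, subject: str, oid: str, user: str, modes) -> None:
        obj = self.got[oid]
        if obj.owner != subject:
            raise PermissionError("SDAC requires ownership")
        obj.acl[user] = frozenset(modes)

    def acl_rights(self, oid: str, user: str) -> frozenset:
        obj = self.got[oid]
        if user == obj.owner:
            return frozenset({READ, WRITE})
        return obj.acl.get(user, frozenset())

    # GOWN: offer ownership. The giver stays owner until TOWN completes.
    def gown(self, giver: str, oid: str, receiver: str) -> None:
        obj = self.got[oid]
        if obj.owner != giver:
            raise PermissionError("GOWN requires ownership")
        if oid in self.given.get(giver, set()):
            raise ValueError("ownership already offered")
        self.given.setdefault(giver, set()).add(oid)
        self.offered.setdefault(receiver, set()).add(oid)

    # TOWN: accept. Only an object on this subject's offered list qualifies.
    def town(self, receiver: str, oid: str) -> None:
        if oid not in self.offered.get(receiver, set()):
            raise PermissionError("nothing offered to this subject")
        obj = self.got[oid]
        self.given[obj.owner].discard(oid)
        self.offered[receiver].discard(oid)
        obj.owner = receiver

    def owner(self, oid: str) -> str:
        return self.got[oid].owner


def scenario() -> dict:
    """Exercise SDAC and the two-phase ownership transfer on constructed data."""
    top = Top({"doc": GotEntry(owner="alice")})
    top.sdac("alice", "doc", "bob", {READ, WRITE})
    top.sdac("alice", "doc", "bob", {READ})      # supersedes: bob loses write
    top.sdac("alice", "doc", "carol", set())     # explicit deny
    bob_rights = top.acl_rights("doc", "bob")
    carol_rights = top.acl_rights("doc", "carol")

    top.gown("alice", "doc", "dave")
    owner_between = top.owner("doc")             # still alice: never ownerless
    try:
        top.town("eve", "doc")                   # not offered to eve
        eve_took = True
    except PermissionError:
        eve_took = False
    top.town("dave", "doc")
    try:
        top.sdac("alice", "doc", "bob", set())   # alice is no longer owner
        alice_can_sdac = True
    except PermissionError:
        alice_can_sdac = False
    return {"bob": bob_rights, "carol": carol_rights,
            "owner_between": owner_between, "eve_took": eve_took,
            "owner_after": top.owner("doc"), "alice_can_sdac": alice_can_sdac,
            "pending": len(top.given["alice"]) + len(top.offered["dave"])}


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The scenario shows the invariant the protocol is designed to preserve: between GOWN and TOWN the object still has its original owner, a subject to whom the object was not offered cannot take it, and after TOWN the former owner can no longer execute SDAC on it. Because the model assumes a single TOP whose operations are indivisible, the two lists need no locking, which mirrors the paper's remark on synchronization.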

Privileged TOP Operations

A number of special TOP operations are privileged, in that they are required only to support certain system functions whose correct operation is critical to the system's security. We discuss three of these here. The first, TWO (Trusted Write Override), permits writes that violate the mandatory access controls, thereby effectively permitting information downgrading. The second, SAME, tests two TOs to determine whether they refer to the identical object; TO matching is privileged to prevent its use as a covert channel. The third allows a suitably privileged subject to read specified security attributes (such as the level) of the object designated by a TO.

The TOP-Processor Interface

The SAT TOP is configured as a coprocessor connected to the system bus (called the megabus in the Level 6 architecture). TOP instructions are implemented by a combination of processor microcode and programs in the TOP processor. When a TOP operation is encountered, the processor microcode issues memory read requests to memory addresses that are intercepted by the TOP module. The TOP can then interpret the operand specifications and perform the desired operation on behalf of the executing subject. The TOP is informed of subject changes and tracks the subject security context accordingly. This information is used to ascertain the appropriateness of each requested operation.

Completion of a TOP operation can be signaled in one of three ways. If the operation can be executed quickly, the TOP responds with the second part of a split memory read transaction, and execution of the current subject then proceeds with the next instruction. If the TOP operation will take a long time, the TOP initiates an interrupt, whereupon the processor may be dispatched to another process; completion is signaled analogously, by an interrupt, and the waiting subject becomes eligible for dispatch. In the third case, the TOP operation fails; if the failure was caused by an attempt to access a non-existent resource, the bus cycle times out and the processor's bus-timeout interrupt is signaled. Note that the interface does not itself specify which processor interrupts are used. If a TOP operation fails in a way that casts doubt on the integrity of the system's security state, the system must be shut down.

If simulation studies indicate that this strategy is worthwhile, we will base the respond/dispatch decision on both the complexity of the operation being requested and whether the necessary security state information is present in the GOT cache.

TOP Implementation

In the SAT prototype, TOP functions will be implemented in software on a microprocessor with an associated disk system (which holds the GOT). The TOP microprocessor will be interfaced to the megabus through a standard Level 6 megabus interface card designed to connect arbitrary application-dependent logic to the megabus. Since the GOT contains the complete system security state in a disk system, accessing the GOT may become a performance bottleneck. All GOT transactions have been carefully designed, and the implementation of device and memory mappings structured, to minimize the number of GOT writes. Furthermore, recently-used GOT entries are cached in the TOP processor.

PROOFS OF SECURITT

of

that

labels

be

Once

formatted,

malicious exportable

PROPERTIES

criterial design

degree

of

require specification

assurance

that

To

satisfy

implemented .“ a combination design, formal

the

derived the resulting

TCB

this

of structured verification

informal reasoning comprehensive, and SAT

“analysis and

is

Proper

Ideally,

we use

such

a convincing, demonstration

a demonstration

the

rigorously

conducted

skeptical

and

into the concepts comprehensible to of all

Proverties

to

security

could only by others.

of

that

that

can

prwides

being reasoned about. humans and must demonstrate

security “simple

policy security

are the property”

LaPadula.3 read accesa

at

or

permitted security

higher

only levels.

Discretionary exercised represent request

to

security

levels;

subjects

at

equal

“need-to-know”

or

individual

is

or

justified.

and whether by

are

prior

help

manage

us

to

The

formatting

programa translate

2.

that have internal

levels

to

Once

formatted

devicee,

must

be

output

ror must

performed

been verified representations

as

a

and

domains

relations data of

an

between a certain

domains property

types type

and read is

specification.

the

rely

about

even

from check, All

a of

to

when

we

computer work

in

Gypsy is expressive

into a complete for specifying

implementation

in

tools

to generate, are done in 6 an

The

problem

arises

prior

and not proofs

proof’s

the concern effort.

simple

considerable complexity. the applicability of to

the

automated that

Environment. purpose; it is

incorporated adequate

because and

the

and

much

both

5 system. carried out

both

on

systems a manner

that

complete is being

complexity

reason

as

obvious

answers

we

the

Verification for this

well

made

be faulted comprehensible

of in

we

our the well formal

verification and verifying

Gypsy

proofs

that

Smith’ has to design

in

the

security

domain.

a

Formal through

imposed

of

reasoning several

level defines security and

mandated type operations

interpret layers theorems

human-readable is clearly the following

only to

a particular be

abstraction description that the real-world

by

correctly of security

ClaSS displayed

about layers

the SAT system of abstraction.

a set of intuitive an implementation

of

proceeds The highest

notions about a system that

embodies those notions in such a direct perspicuous manner as to leave no doubt security. A mechanical proof is provided, merely to give additional validation of essentially and obviously a tautology. of

and about ita but what ia We then

and refine these notions through several abstraction and reprove the security at each level. At the lowest level of much system detail and the theorems This statement design

level

of

ia are

abstraction

of security of the SAT

visible lengthy

and and

the

demonstrates

is relevant to the system. Intermediate

levels and mappings between neighboring levels are prwided to ahow that the clean, intuitivelysatisfying definition of security and the detailed, system-specific definitions are equivalent.

A feature of the SAT system not directly mandated by the A1 requirements is type enforcement. Type enforcement restricts the operations that may be performed on data based on the format of that data. It arises as a security concern because the format of the data may be security-relevant. For example, "exportable labels," which are markings of security levels, must, in general, appear on output. The format of such markings is clearly device-dependent. Equally clearly, the programs that write labels to output must be constrained, lest a label be garbled or suppressed and the output thereby effectively declassified. Type enforcement addresses such format-related concerns by restricting the subjects that may write to objects of the types comprising output to certain installation-defined domains; the assignment of objects to types and of subjects to domains is itself protected, so that a program that may seek to alter a label cannot do so.

The properties to be proved fall into three basic categories: mandatory, discretionary, and type enforcement constraints. Mandatory constraints restrict access to an object on the basis of security levels alone; they are the SAT analogues of the Bell and LaPadula [2] Simple Security Property and *-property. Discretionary constraints reflect the custodian's own judgment about access to a particular item of information by particular subjects; such judgments may further restrict access but may not overrule any constraint imposed by the mandatory security policy. Type enforcement constraints restrict the operations that subjects in a given domain may attempt on objects of a given type, as described above. For all three categories, the proof demonstrates that the SAT system enforces these properties. The A1 formal verification requirement, together with the high volume of detail in a real system, has led us to a layered proof, so that the argument remains comprehensible rather than becoming an incomprehensible mass of detail.

Our proof structure differs from that of our prior work in that we reprove security at each level of abstraction. Some theorems proven at the highest level are simple enough to convince the reader that the relevant properties are preserved in the elaboration process; such properties need not be reproven at every level. However, since the security properties are reproven at the lowest level, the intermediate levels need not themselves be verified for the proof to be sound. Rather, the careful, informal stepwise elaboration through the intermediate levels manages the conceptual complexity of the proof and makes the proof more accessible.

We observe that the secure systems to be built using the SAT technology will fall into classes of application, military and otherwise, and the system proof is accordingly divided into a base proof and a set of addenda. The base proof is the proof of a specific system, the generic SAT; an addendum is the proof of a specific application of it.

To illustrate the use of addenda, consider "Trusted Domains." The *-property mechanism for data is sufficient to prevent information from flowing to lower security levels, but in order to build useful systems, exceptions to the mandatory security properties may be required. A trusted domain executing at the highest security level in the system can be defined: it may read any data (by the Simple Security Property) and, by a suspension of the *-property, may write to objects at any security level. Thus the concept of "trust" at this level of abstraction is a potentially global grant of privilege to a single domain, and it is stated with clarity in the base proof. Prior to installation of a trusted domain, an addendum to the basic proof must be submitted that demonstrates that the domain cannot misuse the degree of trust granted it. This demonstration will, in general, show that the amount of information that "flows down" is harmless and that the flow may be audited.
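The three categories of constraint and the trusted-domain exception described above, worked as an added example. This is illustrative code written for this page, not SAT or Honeywell code: the level names, domains, types, subjects, and objects are constructed, and the toy assumes a totally ordered set of levels in place of the real label lattice. The point it makes executable is the ordering of the checks: the mandatory rule is consulted first and cannot be overridden by a custodian's grant or by the type table, and a trusted subject's write down is permitted only by explicit privilege and is then recorded for audit.

```python
# Added example (not SAT code): a toy reference monitor composing the
# mandatory, discretionary and type-enforcement constraints, with a
# trusted domain whose "write down" is permitted and audited.
# Levels, domains, types, subjects and objects below are constructed.
from dataclasses import dataclass, field

# A linear lattice of levels (real SAT labels also carry categories;
# this toy assumes a total order).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def dominates(a: str, b: str) -> bool:
    """True if level a dominates level b."""
    return LEVELS[a] >= LEVELS[b]


@dataclass(frozen=True)
class Subject:
    name: str
    level: str
    domain: str            # type-enforcement domain
    trusted: bool = False  # may selectively violate the *-property


@dataclass(frozen=True)
class Obj:
    name: str
    level: str
    otype: str             # type-enforcement type
    custodian: str         # who may set discretionary permissions


@dataclass
class Monitor:
    # discretionary: (subject, object) -> modes granted by the custodian
    acl: dict = field(default_factory=dict)
    # type enforcement: (domain, type) -> modes the installation permits
    ddt: dict = field(default_factory=dict)
    # record of every write down performed under trust
    audit: list = field(default_factory=list)

    def grant(self, grantor: str, subj: Subject, obj: Obj, mode: str) -> None:
        """Only the object's custodian may grant discretionary access."""
        if grantor != obj.custodian:
            raise PermissionError(f"{grantor} is not custodian of {obj.name}")
        self.acl.setdefault((subj.name, obj.name), set()).add(mode)

    def check(self, subj: Subject, obj: Obj, mode: str):
        """Decide one access; returns (allowed, reason). Mandatory rules come
        first and nothing in the discretionary or type tables overrides them;
        a trusted subject may write down, and that flow is audited."""
        if mode not in ("read", "write"):
            return False, "unknown mode"
        write_down = mode == "write" and not dominates(obj.level, subj.level)
        if mode == "read" and not dominates(subj.level, obj.level):
            return False, "simple security"
        if write_down and not subj.trusted:
            return False, "*-property"
        if mode not in self.ddt.get((subj.domain, obj.otype), set()):
            return False, "type enforcement"
        if mode not in self.acl.get((subj.name, obj.name), set()):
            return False, "discretionary"
        if write_down:
            self.audit.append((subj.name, obj.name, subj.level, obj.level))
        return True, "ok"


def demo():
    """Constructed scenario; returns the decision for each access and the audit trail."""
    m = Monitor(ddt={
        ("user", "doc"): {"read", "write"},
        ("downgrader", "doc"): {"read", "write"},
        ("labeler", "label"): {"write"},       # only the labeler domain writes labels
    })
    alice = Subject("alice", "SECRET", "user")
    bob = Subject("bob", "CONFIDENTIAL", "user")
    carol = Subject("carol", "UNCLASSIFIED", "user")
    lab = Subject("lab", "UNCLASSIFIED", "labeler")
    dg = Subject("dg", "TOP SECRET", "downgrader", trusted=True)
    report = Obj("report", "SECRET", "doc", custodian="alice")
    release = Obj("release", "UNCLASSIFIED", "doc", custodian="alice")
    label = Obj("label", "UNCLASSIFIED", "label", custodian="sso")

    m.grant("alice", alice, report, "read")
    m.grant("alice", alice, release, "write")
    m.grant("alice", dg, release, "write")
    m.grant("alice", bob, report, "read")    # custodian's judgment...
    m.grant("sso", carol, label, "write")
    m.grant("sso", lab, label, "write")

    out = {
        "alice reads report": m.check(alice, report, "read"),
        "bob reads report": m.check(bob, report, "read"),       # ...cannot override mandatory
        "alice writes release": m.check(alice, release, "write"),
        "dg writes release": m.check(dg, release, "write"),     # trusted write down, audited
        "carol writes label": m.check(carol, label, "write"),   # wrong domain for this type
        "labeler writes label": m.check(lab, label, "write"),
        "bob reads release": m.check(bob, release, "read"),     # never granted
    }
    try:
        m.grant("bob", bob, report, "read")
        out["bob grants himself"] = "allowed"
    except PermissionError:
        out["bob grants himself"] = "refused"
    return out, m.audit
```

Note that the audit entry is appended only after every other check has passed, so the trail records flows that actually occurred, not attempts that were refused on type or discretionary grounds.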

Our formal refinement proceeds through several levels of abstraction. At the highest level, the model level, system security is defined in terms of an extended access matrix model [8]. Only the finite nature of the subject and object sets is introduced at this level; the principal SAT constructs are not. Security at this level is a property of the security state and of the operations on the security state, and the theorems are tautologous: the definition of security is clearly the intuitive one. The single model level of our prior work is factored in the present proof into several levels at successively lower levels of abstraction. Each level defines the security state and all of the security-relevant operations on it in greater detail, and each introduces new design notions, such as the reference monitor that mediates every access. The lowest level, which for historical reasons is called the top-level specification, defines the actual representations of the security state and the actual security-relevant operations. It accordingly deals with concrete SAT constructs, all visible representations and all visible operations, down to the sequences of machine instructions that implement them, and its theorems are therefore more complex. We feel that the definition of security provided at this level clearly satisfies our requirement that the proof be about the real system. The Gypsy verification system is used for the mechanization at every level.

SAT software falls into two major classes: applications software, whose operation is mediated by the reference monitor, and kernel extensions, which extend the base hardware to produce a reference monitor that meets the full and detailed DoD requirements.

At the model level the base proof and the addenda are both arguments about the abstract security state. At the lower levels the specification must contain two kinds of security-relevant features: the generic functionality that can be constructed from the base operations, such as the managing of specific types, and features that are application- or configuration-dependent. In order to provide a means by which useful secure systems can be developed with the SAT technology, the detailed system specification must appear complete, so the base proof reasons about the whole scope of the generic functionality, and the addenda handle all of the application- or configuration-specific features.

Note that it is not necessary to demonstrate that the descriptions at each level of abstraction are functionally equivalent (although we believe that to be the case); if the theorems are equivalent then a secure design is specified at each level of abstraction. From the point of view of a system constructor, only the design specification at the lowest level is binding. The higher levels of abstraction exist for reviewers and certifiers, to manage the complexity of the proof, and the mappings between levels guarantee the soundness of the introduction of new concepts at each level.

Our approach differs from prior work in this respect. Prior proofs defined a reference monitor, which encapsulates all security-relevant system functionality, at a single level of abstraction and proved theorems about it; the theorems that are proven correspond to the intuitive notion of security given in the prior section, and theorems at higher levels of abstraction become almost tautologies, since the reference monitor is defined to be secure. We instead define the system functionality at each level of abstraction and then map the theorems between levels of system description. We contend that mapping the theorems down provides a more rigorous and convincing proof structure.

Turning to implementation, the reference monitor is hence the kernel together with those kernel extensions that are required to provide the functionality of a reference monitor meeting the DoD requirements; applications built on the SAT operate under its mediation.
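The layered proof pattern described in the proof structure passages above (a clean model-level definition of security, a more detailed lower-level one, and mappings showing that the two agree) reduced to executable checks, as an added example rather than anything from the paper's Gypsy proofs. The model level is an access matrix; the lower level represents the same information as tagged capabilities held by subjects; `abstraction` is the mapping between them; and `exhaustive_check` runs both theorems over every state of a small finite universe to confirm that the verdicts agree. All names and states are constructed, and the lower level here is only slightly more concrete than the model, unlike the real top-level specification.

```python
# Added example (not the paper's Gypsy proofs): a model-level security
# theorem over an access matrix, a lower-level theorem over a tagged
# capability representation, the abstraction mapping between them, and an
# exhaustive check that the two theorems agree on a small finite universe.
# All names and states are constructed.
from itertools import product

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


# ---- model level: an access matrix over subject and object names ----
def abstract_secure(matrix, level):
    """Model-level theorem: every current access obeys simple security
    (no read up) and the *-property (no write down).
    matrix: {(subject, object): set(modes)}; level: name -> level."""
    for (s, o), modes in matrix.items():
        if "read" in modes and LEVELS[level[s]] < LEVELS[level[o]]:
            return False
        if "write" in modes and LEVELS[level[s]] > LEVELS[level[o]]:
            return False
    return True


# ---- lower level: subjects hold capabilities naming tagged objects ----
# state = {"subjects": [{"name", "level", "caps": [((obj, obj_level), mode)]}]}
# The object's level rides with each reference, as a tag would.
def concrete_secure(state):
    """Lower-level theorem, phrased over the capability representation."""
    for s in state["subjects"]:
        for (_, olevel), mode in s["caps"]:
            if mode == "read" and LEVELS[s["level"]] < LEVELS[olevel]:
                return False
            if mode == "write" and LEVELS[s["level"]] > LEVELS[olevel]:
                return False
    return True


def abstraction(state):
    """Mapping from the lower level up to the model level. Requires that
    every reference to an object carries the same tag (well-formedness)."""
    matrix, level = {}, {}
    for s in state["subjects"]:
        level[s["name"]] = s["level"]
        for (oname, olevel), mode in s["caps"]:
            assert level.setdefault(oname, olevel) == olevel, "inconsistent tag"
            matrix.setdefault((s["name"], oname), set()).add(mode)
    return matrix, level


def theorems_agree(state):
    """The obligation the mapping discharges: the model-level theorem on the
    abstraction of a state equals the lower-level theorem on the state."""
    return concrete_secure(state) == abstract_secure(*abstraction(state))


def make_state(subj_levels, obj_levels, grants):
    """Build a state; grants[i][j] is the set of modes subject i holds on object j."""
    objs = list(obj_levels.items())
    subjects = []
    for (sname, slevel), row in zip(subj_levels.items(), grants):
        caps = [((oname, olevel), m)
                for (oname, olevel), modes in zip(objs, row) for m in modes]
        subjects.append({"name": sname, "level": slevel, "caps": caps})
    return {"subjects": subjects}


def sample_write_down():
    """A state in which a SECRET subject holds write on an UNCLASSIFIED object."""
    return make_state({"s1": "S"}, {"o1": "U"}, [[{"write"}]])


def exhaustive_check():
    """Enumerate every state with two subjects, two objects, four levels and
    any subset of modes per pair. Returns (states checked, states secure,
    whether the two theorems agreed on every state)."""
    mode_sets = [set(), {"read"}, {"write"}, {"read", "write"}]
    checked = secure = 0
    agreed = True
    for sl in product(LEVELS, repeat=2):
        for ol in product(LEVELS, repeat=2):
            for g in product(mode_sets, repeat=4):
                st = make_state({"s1": sl[0], "s2": sl[1]},
                                {"o1": ol[0], "o2": ol[1]},
                                [g[0:2], g[2:4]])
                checked += 1
                secure += concrete_secure(st)
                agreed &= theorems_agree(st)
    return checked, secure, agreed
```

The enumeration stands in for the mapping proof on this finite toy: the theorem is reproved at both levels and the abstraction shows they coincide. For a real design the lower level adds far more structure, and the mapping has to be argued rather than enumerated, which is why the paper keeps the intermediate levels informal and the lowest one binding.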

The initial set of users for SAT will then be developers who wish to produce secure applications and more elaborate reference monitors in the Ada language. This choice of initial reference monitor characteristics was made in order to provide a secure, Ada-based development capability to the community as rapidly as possible. The initial capability includes only a small amount of software that must be trusted.

Consistent with this goal of timeliness, the set of kernel extensions will be extremely simple. In general, kernel extension software is subdivided into three classes, based on the degree of trust and/or verification required. (It should be recalled here that "trust" is used in the sense of privilege to selectively violate the *-property, e.g., to "write down" in security level.) The three classes are:

1. Software that is neither trusted nor verified. Such software performs common resource management tasks, and its behavior is mediated in the same fashion as applications software. An example of this class of software is the Ada Run-Time Support Library (RSL), which provides a virtual machine congenial to the Ada language.

2. Software that is verified but not trusted. Certain kernel extensions exhibit security-relevant semantics and must be verified, but do not involve information flows between security levels, so verifying their properties does not involve the benign violation of the *-property. Examples of this class of software are labelers, which must be shown to properly format exported labels, and login responders, which must be shown to properly consult a table of passwords before assigning a name and a security level to the subject that represents a user. Both modules perform security-critical functions, yet neither involves information flows between levels, and so neither is trusted.

3. Software that is both trusted and verified. Examples of such software are the tools that support the downgrading of information. Such tools must selectively violate the *-property and be verified to do so only in ways that are authorized and visible, e.g., the downgrader described above. A secure interface between levels simplifies such tools.

The initial set of software to be built on the SAT will consist of the following:

1. A very basic file sharing capability.
2. A set of facilities for secure downloading of Ada object programs from the Ada host development system to the SAT.
3. A set of facilities for controlled sharing of information between Ada programs running at different security levels.
4. A set of predefined packages that provide an Ada-language interface to the special features of the hardware, such as the TOP operations.
5. A set of facilities for use by the Systems Security Officer to import information, select audit profiles, and manipulate the data bases that hold security-relevant information.
6. An Emacs-like editor, to be developed for SAT as a downgrader, with which information to be downgraded is reviewed and cleared by an authorized user.

SUMMARY

The SAT system is designed to meet and exceed the DoD level A1 requirements, which mandate a proof of security properties. This proof requirement, in turn, drives the design in the direction of great simplicity and straightforwardness, which we believe the SAT design achieves.

REFERENCES

1. Department of Defense, "Trusted Computer System Evaluation Criteria," CSC-STD-001-83, August 1983.

2. D.E. Bell and L.J. LaPadula, "Secure Computer System: Unified Exposition and Multics Interpretation," Tech. Rept. MTR-2997, MITRE Corp., Bedford, Massachusetts, July 1975.

3. J.P. Anderson, "Computer Security Technology Planning Study," ESD-TR-73-51, ESD/AFSC, Hanscom AFB, Massachusetts, October 1972.

4. J.B. Dennis and E.C. Van Horn, "Programming Semantics for Multiprogrammed Computations," Commun. ACM, 9 (3), March 1966, pp. 143-155.

5. D.I. Good, R.M. Cohen, C.G. Hoch, L.W. Hunter, and D.F. Hare, "Report on the Language Gypsy, Version 2.0," Tech. Rept. ICSCA-CMP-10, Institute for Computing Science, University of Texas at Austin, Austin, Texas, September 1978.

6. R. DeMillo, R. Lipton, and A. Perlis, "Social Processes and Proofs of Theorems and Programs," Commun. ACM, 22 (5), May 1979, pp. 271-280.

7. M.K. Smith, "An Example Design Proof in Gypsy: Model and Design Proofs Using Bell and LaPadula," Tech. Rept. 122, Institute for Computing Science, University of Texas at Austin, Austin, Texas, November 1983.

8. W.E. Boebert, R.Y. Kain, and W.D. Young, "The Extended Access Matrix Model of Computer Security," Internal Note, Honeywell Systems and Research Center, December 1984 (to appear in ACM SIGSOFT).