Roger R. Schell

The SeaView security model

A formal security policy model that uses basic view concepts for a secure multilevel relational database system is described. The model is formulated in two layers, one corresponding to a security kernel of reference monitor that enforces mandatory security, and the other defining multilevel relations and formalizing policies for labeling new and derived data, data consistency, discretionary security, and transaction consistency. This includes the policies for sanitization, aggregation, and downgrading. The model also defines application-independent properties for entity integrity, referential integrity, and polyinstantiation integrity.<<ETX>>

Multics security evaluation: vulnerability analysis

A security evaluation of Multics for potential use as a two-level (Secret/Top Secret) system in the Air Force Data Services Center (AFDSC) is presented. An overview is provided of the present implementation of the Multics Security controls. The report then details the results of a penetration exercise of Multics on the HIS 645 computer. In addition, preliminary results of a penetration exercise of Multics on the new HIS 6180 computer are presented. The report concludes that Multics as implemented today is not certifiably secure and cannot be used in an open use multi-level system. However, the Multics security design principles are significantly better than other contemporary systems. Thus, Multics as implemented today, can be used in a benign Secret/Top Secret environment. In addition, Multics forms a base from which a certifiably secure open use multi-level system can be developed.

Views for Multilevel Database Security

Because views on relational database systems mathematically define arbitrary sets of stored and derived data, they have been proposed as a way of handling context- and contenbdependent classification, dynamic classification, inference, aggregation, and sanitization in multilevel database systems. This paper describes basic view concepts for a multilevelsecure relational database model that addresses the above issues. The model treats stored and derived data uniformly within the database schema. All data in the database is classified according to views called classification constraints, which specify security levels for related data. In addition, views called aggregation constraints specifies classifications for aggregates that are classified higher than the constituent elements. All data accesses are confined to a third set of views called access views, which higher than their declared filter out all data classified view level.

A near-term design for the SeaView multilevel database system

The SeaView formal security policy model admits a range of designs for a multilevel secure relational database system. The requirement for a near-term implementation suggests that the design should utilize existing technology to the extent possible. Thus the design uses an existing database management system ported to an existing TCB (trusted computing base) environment. A preprocessor translates key constructs of the SeaView multilevel relational data model to those of the standard relational model used by the commercial database system. The underlying reference monitor enforces mandatory and basic discretionary controls with A1 assurance. By combining single-level data into a multilevel view, it is possible to use a commercial database system and classify data at the relation level to implement the SeaView model, with element-level classification.<<ETX>>

Mechanism Sufficiency Validation by Assignment

This paper introduces a mathematical framework for evaluating the relationship between policies and mechanisms. An evaluation approach called the assigmnent technique is defined. This technique consists of establishing an assignment between the security classes of information established by policy constraints, and the protection domains, established by the properties of the mechanism. The assignment technique provides a theoretical foundation for assessing the sufficiency of an access control mechanism with respect to a well formed protection policy. Although this paper presents preliminary results of research, the propsed framework suggests a promising new approach for evaluating the protection mechanisms of existing and proposed systems.

Reviewd articles: Element-level classification with A1 assurance

We describe our approach to multilevel database security and show that we can support element-level labeling in a Class A1 database system without the need to verify the entire database system, or even most of it. We achieve both the high degree of assurance required for Class A1 and the flexibility of element-level labeling by layering the TCB, where the lowest TCB layer is a reference monitor enforcing mandatory security; and by decomposing multilevel relations into single-level relations that are managed by the reference monitor. This decomposition means that multilevel relations are actually views over single-level base relations, which suggests that our multilevel relational system could be implemented on a standard (untrusted) relational system running on a reference monitor.

Toward a multilevel relational data language

An implementation-dependent multilevel query language called MSQL (multilevel structured query language) for defining and manipulating (multilevel relations) is defined. The MSQL language includes an access class data type, integrity constraints, primary keys, and provision for specification of classification domains for attributes of multilevel relations. The near-term SeaView design includes an MSQL preprocessor that translates MSQL queries into a set of standard SQL queries on the single-level base relations.<<ETX>>

Information security: science, pseudoscience, and flying pigs

The state of the science of information security is astonishingly rich with solutions and tools to incrementally and selectively solve hard problems. In contrast, the state of the actual application of science, and the general knowledge and understanding of existing science, is lamentably poor. Still we face a dramatically growing dependence on information technology, e.g., the Internet, that attracts a steadily emerging threat of well-planned, coordinated hostile attacks. A series of hard-won scientific advances gives us the ability to field systems having verifiable protection, and an understanding of how to powerfully leverage verifiable protection to meet pressing system security needs. Yet, we as a community lack the discipline, tenacity and will to do the hard work to effectively deploy such systems. Instead, we pursue pseudoscience and flying pigs. In summary, the state of science in computer and network security is strong, but it suffers unconscionable neglect.

Platform Security: What is Lacking?

The greatest limitation is that customers, OEMs and VARs lack an ability to effectively know the weakest link in a platform. Without open standards for platform security, customers cannot make reasonable risk decisions. A ‘trust me’ platform is not a trusted platform. Trust requires measurable security properties upon which protections can be built for a range of threats — from the most benign environment to planned, hostile attacks.

A high-assurance, virtual guard architecture

Although one senior security professional has emphasized that “it is unconscionable to use overly weak components” in a multilevel security (MLS) context, the majority of current transfer guards do exactly that. Basic guard technology is well-developed and has a long history, but most guards are built on low-assurance systems vulnerable to software subversion, and the lack of assurance limits the range of transfers. This paper describes a virtual guard architecture that leverages mature MLS technology previously certified and deployed across domains from TS/SCI to Unclassified. The architecture permits a single guard system to simultaneously and securely support many different transfer functions between many different domain pairs. Not only does this architecture substantially address software subversion, support adaptable information transfer policies, and have the potential to dramatically reduce (re)certification effort, the virtualized guard execution environment also promises to significantly enhance efficient and scalable use of resources.