Multiple Single-Level
Encyclopedia
Multiple Single-Level or Multi-Security Level (MSL) is a method of separating different levels of data by using separate PCs or virtual machines for each level. It aims to give some of the benefits of Multilevel security
without needing special changes to the OS or applications, but at the cost of requiring extra hardware.
The drive to develop MLS operating systems was severely hampered by the dramatic fall in data processing costs in the early 1990s. Before the advent of desktop computing, users with classified processing requirements had to either spend a lot of money for a dedicated computer or use one that hosted an MLS operating system. Throughout the 1990s, however, many offices in the defense and intelligence communities took advantage of falling computing costs to deploy desktop systems classified to operate only at the highest classification level used in their organization. These desktop computers operated in System High
mode and were connected with LAN
s that carried traffic at the same level as the computers.
MSL implementations such as these neatly avoided the complexities of MLS but traded off technical simplicity for inefficient use of space. Because most users in classified environments also needed unclassified systems, users often had at least two computers and sometimes more (one for unclassified processing and one for each classification level processed). In addition, each computer was connected to its own LAN at the appropriate classification level, meaning that multiple dedicated cabling plants were incorporated (at considerable cost in terms of both installation and maintenance).
In order to operate across two or more security levels, then, methods extraneous to the purview of the MSL "operating systems" per se—and, quite obviously, requiring human intervention ("manual review")—must be resorted to. For example, an independent monitor (not in Brinch Hansen's sense of the term) may be provided to support migration of data among multiple MSL peers (e.g., copying a data file from the UNCLASSIFIED peer to the SECRET peer). Although no strict requirements by way of federal legislation specifically address the concern, it would be appropriate for such a monitor to be quite small, purpose-built, and supportive of only a small number of very rigidly defined operations, such as importing and exporting files, configuring output labels, and other maintenance/administration tasks that require handling all the collocated MSL peers as a unit rather than as individual, single-level systems. It may also be appropriate to utilize a hypervisor
software architecture, such as VMware
, to provide a set of peer MSL "OS" in the form of distinct, virtualized environments supported by an underlying OS that is only accessible to administrators cleared for all of the data managed by any of the peers. From the users' perspectives, each peer would present a login
or X display manager session logically indistinguishable from the underlying "maintenance OS" user environment.
(NSA) to begin research into ways in which the MSL concept of dedicated system high systems could be preserved while reducing the physical investment demanded by multiple networks and computers. Periods processing was the first advance in this area, establishing protocols by which agencies could connect a computer to a network at one classification, process information, sanitize the system, and connect it to a different network with another classification. The periods processing model offered the promise of a single computer but did nothing to reduce multiple cabling plants and proved enormously inconvenient to users; accordingly, its adoption was limited.
In the 1990s, the rise of virtualization technology changed the playing field for MSL systems. Suddenly, it was possible to create virtual machine
s (VMs) that behaved as independent computers but ran on a common hardware platform. With virtualization, NSA saw a way to preserve periods processing on a virtual level, no longer requiring the physical system to be sanitized by performing all processing within dedicated, system-high VMs. To make MSL work in a virtual environment, however, it was necessary to find a way to securely control the virtual session manager and ensure that no compromising activity directed at one VM could compromise another.
Both the NetTop and Trusted Multi-Net solutions have been approved for use. In addition, Trusted Computer Solutions has developed a thin-client product, originally based on the NetTop technology concepts through a licensing agreement with NSA. This product is called SecureOffice(r) Trusted Thin Client(tm), and runs on the LSPP configuration of Red Hat Enterprise Linux version 5 (RHEL5).
Three competing companies have implemented MILS separation kernels:
In addition, there have been advances in the development of non-virtualization MSL systems through the use of specialized hardware, resulting in at least one viable solution:
What has been positively achieved by the set-of-MSL-peers abstraction, albeit, is radical restriction of the scope of MAC-cognizant software mechanisms to the small, subjacent MOS. This has been accomplished, however, at the cost of eliminating any practical MLS capabilities—even the most elementary ones, as when a SECRET-cleared user appends an UNCLASSIFIED paragraph, taken from an UNCLASSIFIED file, to his SECRET report. The MSL implementation would obviously require every "reusable" resource (in this example, the UNCLASSIFIED file) to be replicated across every MSL peer that might find it useful—meaning either much secondary storage needlessly expended or intolerable burden on the cleared administrator capable of effecting such replications in response to users' requests therefor. (Of course, since the SECRET user cannot "browse" the system's UNCLASSIFIED offerings other than by logging out and beginning an UNCLASSIFIED system afresh, one evidences yet another severe limitation on functionality and flexibility.) Alternatively, less sensitive file systems could be NFS-mounted read-only so that more trustworthy users could browse, but not modify, their content. Albeit, the MLS OS peer would have no actual means for distinguishing (via a directory listing command, e.g.) that the NFS-mounted resources are at a different level of sensitivity than the local resources, and no strict means for preventing illegal uphill flow of sensitive information other than the brute-force, all-or-nothing mechanism of read-only NFS mounting.
To demonstrate just what a handicap this drastic effectuation of "cross-level file sharing" actually is, consider the case of an MLS system that supports UNCLASSIFIED, SECRET, and TOP SECRET data, and a TOP SECRET-cleared user who logs in to the system at that level. MLS directory structures are built around the containment principle, which, loosely speaking, dictates that higher sensitivity levels reside deeper in the tree: commonly, the level of a directory must match or dominate that of its parent, while the level of a file (more specifically, of any link thereto) must match that of the directory that catalogs it. (This is strictly true of MLS UNIX: alternatives that support different conceptions of directories, directory entries, i-nodes, etc.—such as Multics
, which adds the "branch" abstraction to its directory paradigm—tolerate a broader set of alternative implementations.) Orthogonal mechanisms are provided for publicly shared and spool directories, such as /tmp or C:\TEMP, which are automatically—and invisibly—partitioned by the OS, with users' file access requests automatically "deflected" to the appropriately labeled directory partition. The TOP SECRET user is free to browse the entire system, his only restriction being that—while logged in at that level—he is only allowed to create fresh TOP SECRET files within specific directories or their descendants. In the MSL alternative, where any browsable content must be specifically, laboriously replicated across all applicable levels by a fully cleared administrator—meaning, in this case, that all SECRET data must be replicated to the TOP SECRET MSL peer OS, while all UNCLASSIFIED data must be replicated to both the SECRET and TOP SECRET peers—one can readily perceive that, the more highly cleared the user, the more frustrating his timesharing computing experience will be.
In a classical trusted systems-theoretic sense—relying upon terminology and concepts taken from the Orange Book
, the foundation of trusted computing—a system that supports MSL peers could not achieve a level of assurance beyond (B1). This is because the (B2) criteria require, among other things, both clear identification of a TCB perimeter and the existence of a single, identifiable entity that has the ability and authority to adjudicate access to all data represented throughout all accessible resources of the ADP system. In a very real sense, then, the application of the term "high assurance" as a descriptor of MSL implementations is nonsensical, since the term "high assurance" is properly limited to (B3) and (A1) systems—and, with some laxity albeit, to (B2) systems.
To permit data sharing between computers working at different classification levels, such sites deploy Cross Domain Solutions
(CDS), which are commonly referred to as gatekeepers or guards. Guards, which often leverage MLS technologies themselves, filter traffic flowing between networks; unlike a commercial Internet firewall, however, a guard is built to much more stringent assurance requirements and its filtering is carefully designed to try to prevent any improper leakage of classified information between LANs operating at different security levels.
Data diode technologies are used extensively where data flows are required to be restricted to one direction between levels, with a high level of assurance that data will not flow in the opposite direction. In general, these are subject to the same restrictions that have imposed challenges on other MLS solutions: strict security assessment and the need to provide an electronic equivalent of stated policy for moving information between classifications. (Moving information down in classification level is particularly challenging and typically requires approval from several different people.)
As of late 2005, numerous high-assurance platforms and guard applications have been approved for use in classified environments. N.b. that the term "high-assurance" as employed here is to be evaluated in the context of DCID 6/3 (read "dee skid six three"), a quasi-technical guide to the construction and deployment of various systems for processing classified information, lacking both the precise legal rigidity of the Orange Book
criteria and the underlying mathematical rigor. (The Orange Book is motivated by, and derived from, a logical "chain of reasoning" constructed as follows: [a] a "secure" state is mathematically defined, and a mathematical model is constructed, the operations upon which preserve secure state so that any conceivable sequence of operations starting from a secure state yields a secure state; [b] a mapping of judiciously chosen primitives to sequences of operations upon the model; and [c] a "descriptive top-level specification" that maps actions that can be transacted at the user interface (such as system calls) into sequences of primitives; but stopping short of either [d] formally demonstrating that a live software implementation correctly implements said sequences of actions; or [e] formally arguing that the executable, now "trusted," system is generated by correct, reliable tools [e.g., compilers, librarians, linkers].)
Multilevel security
Multilevel security or Multiple Levels of Security is the application of a computer system to process information with different sensitivities , permit simultaneous access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for...
without needing special changes to the OS or applications, but at the cost of requiring extra hardware.
The drive to develop MLS operating systems was severely hampered by the dramatic fall in data processing costs in the early 1990s. Before the advent of desktop computing, users with classified processing requirements had to either spend a lot of money for a dedicated computer or use one that hosted an MLS operating system. Throughout the 1990s, however, many offices in the defense and intelligence communities took advantage of falling computing costs to deploy desktop systems classified to operate only at the highest classification level used in their organization. These desktop computers operated in System High
Security modes
Generally, Security modes refer to information systems security modes of operations used in mandatory access control systems. Often, these systems contain information at various levels of security classification...
mode and were connected with LAN
Län
Län and lääni refer to the administrative divisions used in Sweden and previously in Finland. The provinces of Finland were abolished on January 1, 2010....
s that carried traffic at the same level as the computers.
MSL implementations such as these neatly avoided the complexities of MLS but traded off technical simplicity for inefficient use of space. Because most users in classified environments also needed unclassified systems, users often had at least two computers and sometimes more (one for unclassified processing and one for each classification level processed). In addition, each computer was connected to its own LAN at the appropriate classification level, meaning that multiple dedicated cabling plants were incorporated (at considerable cost in terms of both installation and maintenance).
Limitations of MSL approach vis-à-vis MLS
The obvious shortcoming of MSL (as compared to MLS) is that it does not support immixture of various classification levels in any manner. For example, the notion of concatenating a SECRET data stream (taken from a SECRET file) with a TOP SECRET data stream (read from a TOP SECRET file) and directing the resultant TOP SECRET data stream into a TOP SECRET file is unsupported. In essence, an MSL system can be thought of as a set of parallel (and collocated) computer systems, each restricted to operation at one, and only one, security level. Indeed, the individual MSL operating systems may not even understand the concept of security levels, since they operate as single-level systems. For example, while one of a set of collocated MSL OS may be configured to affix the character string "SECRET" to all output, that OS has no understanding of how the data compares in sensitivity and criticality to the data processed by its peer OS that affixes the string "UNCLASSIFIED" to all of its output.In order to operate across two or more security levels, then, methods extraneous to the purview of the MSL "operating systems" per se—and, quite obviously, requiring human intervention ("manual review")—must be resorted to. For example, an independent monitor (not in Brinch Hansen's sense of the term) may be provided to support migration of data among multiple MSL peers (e.g., copying a data file from the UNCLASSIFIED peer to the SECRET peer). Although no strict requirements by way of federal legislation specifically address the concern, it would be appropriate for such a monitor to be quite small, purpose-built, and supportive of only a small number of very rigidly defined operations, such as importing and exporting files, configuring output labels, and other maintenance/administration tasks that require handling all the collocated MSL peers as a unit rather than as individual, single-level systems. It may also be appropriate to utilize a hypervisor
Hypervisor
In computing, a hypervisor, also called virtual machine manager , is one of many hardware virtualization techniques that allow multiple operating systems, termed guests, to run concurrently on a host computer. It is so named because it is conceptually one level higher than a supervisory program...
software architecture, such as VMware
VMware
VMware, Inc. is a company providing virtualization software founded in 1998 and based in Palo Alto, California, USA. The company was acquired by EMC Corporation in 2004, and operates as a separate software subsidiary ....
, to provide a set of peer MSL "OS" in the form of distinct, virtualized environments supported by an underlying OS that is only accessible to administrators cleared for all of the data managed by any of the peers. From the users' perspectives, each peer would present a login
Login
Login is the method whereby a user obtains access to a computer system.Login may also refer to:*Magazines:** LOGiN, published by Enterbrain** ;login:, published by USENIX* Login, Carmarthenshire, an hamlet in Carmarthenshire...
or X display manager session logically indistinguishable from the underlying "maintenance OS" user environment.
Advances in MSL
The cost and complexity involved in maintaining distinct networks for each level of classification led the National Security AgencyNational Security Agency
The National Security Agency/Central Security Service is a cryptologic intelligence agency of the United States Department of Defense responsible for the collection and analysis of foreign communications and foreign signals intelligence, as well as protecting U.S...
(NSA) to begin research into ways in which the MSL concept of dedicated system high systems could be preserved while reducing the physical investment demanded by multiple networks and computers. Periods processing was the first advance in this area, establishing protocols by which agencies could connect a computer to a network at one classification, process information, sanitize the system, and connect it to a different network with another classification. The periods processing model offered the promise of a single computer but did nothing to reduce multiple cabling plants and proved enormously inconvenient to users; accordingly, its adoption was limited.
In the 1990s, the rise of virtualization technology changed the playing field for MSL systems. Suddenly, it was possible to create virtual machine
Virtual machine
A virtual machine is a "completely isolated guest operating system installation within a normal host operating system". Modern virtual machines are implemented with either software emulation or hardware virtualization or both together.-VM Definitions:A virtual machine is a software...
s (VMs) that behaved as independent computers but ran on a common hardware platform. With virtualization, NSA saw a way to preserve periods processing on a virtual level, no longer requiring the physical system to be sanitized by performing all processing within dedicated, system-high VMs. To make MSL work in a virtual environment, however, it was necessary to find a way to securely control the virtual session manager and ensure that no compromising activity directed at one VM could compromise another.
MSL solutions
NSA pursued multiple programs aimed at creating viable, secure MSL technologies leveraging virtualization. To date, three major solutions have materialized.- "Multiple Independent Levels of SecurityMultiple Independent Levels of SecurityMultiple Independent Levels of Security/Safety is a high-assurance security architecture based on the concepts of separation and controlled information flow; implemented by separation mechanisms that support both untrusted and trustworthy components; ensuring that the total security solution is...
" or MILS, an architectural concept developed by Dr. John RushbyJohn RushbyJohn Rushby is a British computer scientist now based in the United States.John Rushby was born and brought up in London, where he attended Dartford Grammar School. He studied at the University of Newcastle in the UK, gaining his computer science BSc there in 1971 and his PhD in 1977.From 1974 to...
that combines high-assurance security separation with high-assurance safety separation. Subsequent refinement by NSA and Naval Postgraduate SchoolNaval Postgraduate SchoolThe Naval Postgraduate School is an accredited research university operated by the United States Navy. Located in Monterey, California, it grants master's degrees, Engineer's degrees and doctoral degrees...
in collaboration with Air Force Research LaboratoryAir Force Research LaboratoryThe Air Force Research Laboratory is a scientific research organization operated by the United States Air Force Materiel Command dedicated to leading the discovery, development, and integration of affordable aerospace warfighting technologies; planning and executing the Air Force science and...
, Lockheed MartinLockheed MartinLockheed Martin is an American global aerospace, defense, security, and advanced technology company with worldwide interests. It was formed by the merger of Lockheed Corporation with Martin Marietta in March 1995. It is headquartered in Bethesda, Maryland, in the Washington Metropolitan Area....
, Rockwell CollinsRockwell CollinsRockwell Collins, Inc. is a large United States-based international company headquartered in Cedar Rapids, Iowa, primarily providing aviation and information technology systems and services to governmental agencies and aircraft manufacturers.- History :...
, Objective Interface SystemsObjective Interface SystemsObjective Interface Systems, Inc. is a computer communications software and hardware company. The company's headquarters are in Herndon, Virginia, USA...
, University of IdahoUniversity of IdahoThe University of Idaho is the State of Idaho's flagship and oldest public university, located in the rural city of Moscow in Latah County in the northern portion of the state...
, BoeingBoeingThe Boeing Company is an American multinational aerospace and defense corporation, founded in 1916 by William E. Boeing in Seattle, Washington. Boeing has expanded over the years, merging with McDonnell Douglas in 1997. Boeing Corporate headquarters has been in Chicago, Illinois since 2001...
, RaytheonRaytheonRaytheon Company is a major American defense contractor and industrial corporation with core manufacturing concentrations in weapons and military and commercial electronics. It was previously involved in corporate and special-mission aircraft until early 2007...
, and MITREMITREThe Mitre Corporation is a not-for-profit organization based in Bedford, Massachusetts and McLean, Virginia...
resulted in a Common CriteriaCommon CriteriaThe Common Criteria for Information Technology Security Evaluation is an international standard for computer security certification...
EAL-6+ Protection ProfileProtection ProfileA Protection Profile is a document used as part of the certification process according to the Common Criteria . As the generic form of a Security Target , it is typically created by a user or user community and provides an implementation independent specification of information assurance security...
for a high-assurance separation kernelSeparation kernelA separation kernel is a type of security kernel used to simulate a distributed environment. The concept was introduced by John Rushby in a 1981 paper...
.
- "NetTopNetTopNetTop is an NSA project to run Multiple Single-Level systems with a Security-Enhanced Linux host running VMware with Windows as a guest operating system.NetTop has .-External links:****...
", developed by NSA in partnership with VMWare, Inc., uses security-enhanced LinuxLinuxLinux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
(SELinux) as the base operating system for its technology. The SELinux OS securely holds the virtual session manager, which in turn creates virtual machines to perform processing and support functions.
- The "Trusted Multi-Net", a commercial off-the-shelfCommercial off-the-shelfIn the United States, Commercially available Off-The-Shelf is a Federal Acquisition Regulation term defining a nondevelopmental item of supply that is both commercial and sold in substantial quantities in the commercial marketplace, and that can be procured or utilized under government contract...
(COTS) system based on a thin client model, was developed jointly by an industry coalition including Microsoft Corporation, Citrix SystemsCitrix SystemsCitrix Systems, Inc. is a multinational corporation founded in 1989, that provides server and desktop virtualization, networking, software-as-a-service , and cloud computing technologies, including Xen open source products....
, NYTOR Technologies, VMWare, Inc., and MITRE Corporation to offer users access to classifiedClassified informationClassified information is sensitive information to which access is restricted by law or regulation to particular groups of persons. A formal security clearance is required to handle classified documents or access classified data. The clearance process requires a satisfactory background investigation...
and unclassified networks. Its architecture eliminates the need for multiple cabling plants, leveraging encryption to transmit all traffic over a cable approved for the highest level accessed.
Both the NetTop and Trusted Multi-Net solutions have been approved for use. In addition, Trusted Computer Solutions has developed a thin-client product, originally based on the NetTop technology concepts through a licensing agreement with NSA. This product is called SecureOffice(r) Trusted Thin Client(tm), and runs on the LSPP configuration of Red Hat Enterprise Linux version 5 (RHEL5).
Three competing companies have implemented MILS separation kernels:
- Green Hills SoftwareGreen Hills SoftwareGreen Hills Software is a privately owned company that builds operating systems and development tools for embedded systems. The company was founded in 1982 by Dan O'Dowd and Carl Rosenberg...
, - LynuxWorksLynuxWorksLynuxWorks, Inc. is a San Jose, California software company founded in 1988. LynuxWorks produces embedded operating systems and tools for using full virtualization and paravirtualization in embedded systems...
, and - Wind River SystemsWind River SystemsWind River Systems, Inc. is a company providing embedded systems, development tools for embedded systems, middleware, and other types of software. The company was founded in Berkeley, California in 1981 by Jerry Fiddler and David Wilner. On June 4, 2009, Wind River announced that Intel had bought...
.
In addition, there have been advances in the development of non-virtualization MSL systems through the use of specialized hardware, resulting in at least one viable solution:
- The Starlight Technology (now marketed as the Interactive LinkInteractive LinkThe Interactive Link is a suite of hardware and software products designed for application within areas where network separation is implemented for security reasons...
System), developed by the Australian Defence Science Technology Organisation (DSTO) and Tenix Pty Ltd, uses specialized hardware to allow users to interact with a "Low" network from a "High" network session within a window, without any data flowing from the "High" to the "Low" network.
Philosophical considerations, ease of use, flexibility
It is interesting to consider the philosophical implications of the MSL "solution path." Rather than providing MLS capabilities within a classical OS, the chosen direction is to build a set of "virtual OS" peers that can be managed, individually and as a collective, by an underlying real OS. If the underlying OS (let us introduce the term maintenance operating system, or MOS) is to have sufficient understanding of MLS semantics to prevent grievous errors, such as copying data from a TOP SECRET MSL peer to an UNCLASSIFIED MSL peer, then the MOS must have the capability to: represent labels; associate labels with entities (here we rigorously avoid the terms "subject" and "object"); compare labels (rigorously avoiding the term "reference monitor"); distinguish between those contexts where labels are meaningful and those where they are not (rigorously avoiding the term "trusted computing base" [TCB]); the list goes on. One readily perceives that the MLS architecture and design issues have not been eliminated, merely deferred to a separate stratum of software that invisibly manages mandatory access control concerns so that superjacent strata need not. This concept is none other than the geminal architectural concept (taken from the Anderson Report) underlying DoD-style trusted systems in the first place.What has been positively achieved by the set-of-MSL-peers abstraction, albeit, is radical restriction of the scope of MAC-cognizant software mechanisms to the small, subjacent MOS. This has been accomplished, however, at the cost of eliminating any practical MLS capabilities—even the most elementary ones, as when a SECRET-cleared user appends an UNCLASSIFIED paragraph, taken from an UNCLASSIFIED file, to his SECRET report. The MSL implementation would obviously require every "reusable" resource (in this example, the UNCLASSIFIED file) to be replicated across every MSL peer that might find it useful—meaning either much secondary storage needlessly expended or intolerable burden on the cleared administrator capable of effecting such replications in response to users' requests therefor. (Of course, since the SECRET user cannot "browse" the system's UNCLASSIFIED offerings other than by logging out and beginning an UNCLASSIFIED system afresh, one evidences yet another severe limitation on functionality and flexibility.) Alternatively, less sensitive file systems could be NFS-mounted read-only so that more trustworthy users could browse, but not modify, their content. Albeit, the MLS OS peer would have no actual means for distinguishing (via a directory listing command, e.g.) that the NFS-mounted resources are at a different level of sensitivity than the local resources, and no strict means for preventing illegal uphill flow of sensitive information other than the brute-force, all-or-nothing mechanism of read-only NFS mounting.
To demonstrate just what a handicap this drastic effectuation of "cross-level file sharing" actually is, consider the case of an MLS system that supports UNCLASSIFIED, SECRET, and TOP SECRET data, and a TOP SECRET-cleared user who logs in to the system at that level. MLS directory structures are built around the containment principle, which, loosely speaking, dictates that higher sensitivity levels reside deeper in the tree: commonly, the level of a directory must match or dominate that of its parent, while the level of a file (more specifically, of any link thereto) must match that of the directory that catalogs it. (This is strictly true of MLS UNIX: alternatives that support different conceptions of directories, directory entries, i-nodes, etc.—such as Multics
Multics
Multics was an influential early time-sharing operating system. The project was started in 1964 in Cambridge, Massachusetts...
, which adds the "branch" abstraction to its directory paradigm—tolerate a broader set of alternative implementations.) Orthogonal mechanisms are provided for publicly shared and spool directories, such as /tmp or C:\TEMP, which are automatically—and invisibly—partitioned by the OS, with users' file access requests automatically "deflected" to the appropriately labeled directory partition. The TOP SECRET user is free to browse the entire system, his only restriction being that—while logged in at that level—he is only allowed to create fresh TOP SECRET files within specific directories or their descendants. In the MSL alternative, where any browsable content must be specifically, laboriously replicated across all applicable levels by a fully cleared administrator—meaning, in this case, that all SECRET data must be replicated to the TOP SECRET MSL peer OS, while all UNCLASSIFIED data must be replicated to both the SECRET and TOP SECRET peers—one can readily perceive that, the more highly cleared the user, the more frustrating his timesharing computing experience will be.
In a classical trusted systems-theoretic sense—relying upon terminology and concepts taken from the Orange Book
Orange Book
Orange Book may refer to:* Trusted Computer System Evaluation Criteria, a computer security standard* The Orange Book: Reclaiming Liberalism, by members of the British Liberal Democrat party...
, the foundation of trusted computing—a system that supports MSL peers could not achieve a level of assurance beyond (B1). This is because the (B2) criteria require, among other things, both clear identification of a TCB perimeter and the existence of a single, identifiable entity that has the ability and authority to adjudicate access to all data represented throughout all accessible resources of the ADP system. In a very real sense, then, the application of the term "high assurance" as a descriptor of MSL implementations is nonsensical, since the term "high assurance" is properly limited to (B3) and (A1) systems—and, with some laxity albeit, to (B2) systems.
Cross-domain solutions
MSL systems, whether virtual or physical in nature, are designed to preserve isolation between different classification levels. Consequently (unlike MLS systems), an MSL environment has no innate capabilities to move data from one level to another.To permit data sharing between computers working at different classification levels, such sites deploy Cross Domain Solutions
Cross Domain Solutions
Cross-Domain Solutions are solutions for information assurance that provides the ability to manually or automatically access or transfer between two or more differing security domains. They are integrated systems of hardware and software that enable transfer of information among incompatible...
(CDS), which are commonly referred to as gatekeepers or guards. Guards, which often leverage MLS technologies themselves, filter traffic flowing between networks; unlike a commercial Internet firewall, however, a guard is built to much more stringent assurance requirements and its filtering is carefully designed to try to prevent any improper leakage of classified information between LANs operating at different security levels.
Data diode technologies are used extensively where data flows are required to be restricted to one direction between levels, with a high level of assurance that data will not flow in the opposite direction. In general, these are subject to the same restrictions that have imposed challenges on other MLS solutions: strict security assessment and the need to provide an electronic equivalent of stated policy for moving information between classifications. (Moving information down in classification level is particularly challenging and typically requires approval from several different people.)
As of late 2005, numerous high-assurance platforms and guard applications have been approved for use in classified environments. N.b. that the term "high-assurance" as employed here is to be evaluated in the context of DCID 6/3 (read "dee skid six three"), a quasi-technical guide to the construction and deployment of various systems for processing classified information, lacking both the precise legal rigidity of the Orange Book
Orange Book
Orange Book may refer to:* Trusted Computer System Evaluation Criteria, a computer security standard* The Orange Book: Reclaiming Liberalism, by members of the British Liberal Democrat party...
criteria and the underlying mathematical rigor. (The Orange Book is motivated by, and derived from, a logical "chain of reasoning" constructed as follows: [a] a "secure" state is mathematically defined, and a mathematical model is constructed, the operations upon which preserve secure state so that any conceivable sequence of operations starting from a secure state yields a secure state; [b] a mapping of judiciously chosen primitives to sequences of operations upon the model; and [c] a "descriptive top-level specification" that maps actions that can be transacted at the user interface (such as system calls) into sequences of primitives; but stopping short of either [d] formally demonstrating that a live software implementation correctly implements said sequences of actions; or [e] formally arguing that the executable, now "trusted," system is generated by correct, reliable tools [e.g., compilers, librarians, linkers].)