A Multilevel File System for High Assurance

The designs of applications for multilevel systems cannot merely duplicate those of the untrusted world. When applications are built on a high assurance base they will be constrained by the underlying policy enforcement mechanism_ Consideration must be given to the creation and management of multilevel data structures by untrusted subjects_ Applications should be designed to rely upon the TCB s security policy enforcement services rather than build new access control services beyond the TCB perimeter The results of an analysis of the design of a general purpose le system developed to execute as an untrusted application on a high assurance TCB are presented. The design illustrates a number of solutions to problems resulting from a high assurance environment.Approved for public release; distribution is unlimited

NA

United States policy requires that access to and dissemination of classified information be controlled. Separate networks and workstations for each classification do not meet user requirements. Users also need commercially available office productivity tools. Traditional multilevel systems are costly and are unable support an evolving suite of Commercial Off-The-Shelf (COTS) applications. This thesis presents a design for a Trusted Computing Base Extension (TCBE) that allows COTS workstations to function securely as part of a multilevel network that uses high assurance multilevel servers as the backbone. The TCBE will allow COTS workstations to use commercially available software applications, while providing a Trusted Path to a high assurance multilevel server. The research resulted in a design of a TCBE system that can be employed with COTS workstations, allowing them to function as untrusted clients in the context of a secure multilevel network.http://archive.org/details/designoftrustedc1094532753NAU.S. Marine Corps (U.S.M.C.) author.Approved for public release; distribution is unlimited