    Resume of Roger R. Schell, 1978

    Naval Postgraduate School Faculty Resume

    Mechanism sufficiency validation by assignment

    This paper introduces a mathematical framework for evaluating the relationship between policies and mechanisms. An evaluation approach called the assignment technique is defined. This technique consists of establishing an assignment between the security classes of information established by policy constraints, and the protection domains, established by the properties of the mechanism. The assignment technique provides a theoretical foundation for assessing the sufficiency of an access control mechanism with respect to a well-formed protection policy. Although this paper presents preliminary results of research, the proposed framework suggests a promising new approach for evaluating the protection mechanisms of existing and proposed systems.
    Prepared for Chief of Naval Research.
    http://archive.org/details/mechanismsuffici00shirN0002381R015374NA
    Approved for public release; distribution is unlimited.

    The Naval Postgraduate School secure archival storage system, Part I. Design

    There is an increasing need for systems which provide controlled access to multiple levels of sensitive data and information. This report comprises the first phase of the realization of such a system: the comprehensive design of a multilevel secure file storage system. This is the focus of an ongoing research project, which is currently in the early implementation phases. The design is based upon security kernel technology as applied to modern multiple microcomputer arrays. This design is intended to interface with other (distributed) processing elements, perhaps forming the central hub of a data secure network of computers. The design would provide archival shared storage while insuring that each interfacing processor accessed only that information appropriate. The design phase of the project is presented in a series of three research reports (Masters Degree theses). These reports, reprinted in their entirety here, are: (1) Capt. O'Connell and Lt. Richardson's definition of a secure multi-microprocessor family of operating systems; (2) Capt. Coleman's detailed security kernel design for a member of this family; and (3) Lt. Parks' hierarchical file system designed to run under the control of Capt. Coleman's security kernel.
    Supported in part by the Foundation Research Program of the Naval Postgraduate School with funds provided by the Chief of Naval Research.
    http://archive.org/details/navalpostgraduat00scheNoool480WR00Q5

    The Naval Postgraduate School secure archival storage system, Part II : Segment and process management implementation

    The security kernel technology has provided the technical foundation for highly reliable protection of computerized information. However, the operating system implementations face two significant challenges: providing (1) adequate computational resources for applications tasks, and (2) a clean, straightforward structure whose correctness can be easily reviewed. This paper presents the experience on an ongoing security kernel implementation using the Advanced Micro Devices 4116 single-board computer based on the Z8002 microprocessor. The performance issues of process switching, domain changing, and multiprocessor bus contention are explicitly addressed. The strictly hierarchical (i.e., loop-free) structure provides a series of increasingly capable, separately usable operating system subsets. Security enforcement is structured in two layers: the basic kernel rigorously enforces a non-discretionary (viz., lattice model) policy, while an upper layer provides the access refinements for a discretionary policy. (Author)
    Supported by grants from the Office of Naval Research, Project No. 427-001, monitored by Mr. Joel Trimble, and the Naval Postgraduate School Research Foundation.
    http://archive.org/details/navalpostgraduat00coxlN000148lWRl003

    Using Proven Reference Monitor Patterns for Security Evaluation

    The most effective approach to evaluating the security of complex systems is to deliberately construct the systems using security patterns specifically designed to make them evaluable. Just such an integrated set of security patterns was created decades ago based on the Reference Monitor abstraction. An associated systematic security engineering and evaluation methodology was codified as an engineering standard in the Trusted Computer System Evaluation Criteria (TCSEC). This paper explains how the TCSEC and its Trusted Network Interpretation (TNI) constitute a set of security patterns for large, complex and distributed systems, and how those patterns have been repeatedly and successfully used to create and evaluate some of the most secure government and commercial systems ever developed.

    Multics security evaluation: Vulnerability analysis

    A security evaluation of Multics for potential use as

    Dynamic Reconfiguration in a Modular Computer System

    This thesis presents an orderly design approach for dynamically changing the configuration of constituent physical units in a modular computer system. Dynamic reconfiguration contributes to high system availability by allowing preventive maintenance, development of new operating systems, and changes in system capacity on a noninterference basis. The design presented includes the operating system primitives and hardware architecture for adding and removing any (primary or secondary) storage module and associated processing modules while the system is running. Reconfiguration is externally initiated by a simple request from a human operator and is accomplished automatically without disruption to users of the system. This design allows the modules in an installation to be partitioned into separate non-interfering systems. The viability of the design approach has been demonstrated by employing it for a practical implementation of processor and primary memory dynamic reconfiguration in the Multics system at M.I.T.

    Subversion as a Threat in Information Warfare

    As adversaries develop Information Warfare capabilities, the threat of information system subversion presents a significant risk. System subversion will be defined and characterized as a warfare tool. Through recent security incidents, it is shown that means, motive, and opportunity exist for subversion, that this threat is real, and that it represents a significant vulnerability. Mitigation of the subversion threat touches the most fundamental aspect of the security problem: proving the absence of a malicious artifice. A constructive system engineering technique to mitigate the subversion threat is identified.