A cautionary note regarding the data integrity capacity of certain secure systems

The need to provide standard commercial-grade productivity applications as the general-purpose user interface to high-assurance data processing environments is compelling, and has resulted in proposals for several different types of "trusted" systems. We characterize some of these systems as a class of architecture. We discuss the general integrity property that a system can only be trusted to manage modifiable data whose integrity is at or below that of its interface components: data that passes through low-assurance software can be trusted no more than that software. One consequence is that, in terms of integrity, these hybrid-security systems are applicable only to processing environments where the integrity required of the data is consistent with that of low-assurance software. Several examples are provided of hybrid-security systems subject to these limitations.
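
The integrity bound stated above can be made concrete with a small model. The following Python is an added illustration written for this page, not code from the paper or its authors; it assumes a Biba-style ordering of integrity levels, a low-water-mark rule for data modified by a component, and the hypothetical component names (`security_kernel`, `cots_word_processor`, `trusted_path_ui`) used only for the constructed example. It shows that placing one low-assurance component on the interface path caps the integrity of every modifiable object the system can produce, no matter how strong the kernel underneath it is.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Integrity(IntEnum):
    """Integrity levels, ordered: a higher value means more trustworthy."""
    LOW = 0      # assurance of commercial-grade (COTS) productivity software
    MEDIUM = 1
    HIGH = 2     # assurance of a verified security kernel or trusted component


@dataclass(frozen=True)
class Component:
    name: str
    assurance: Integrity   # how far the software itself can be trusted


@dataclass(frozen=True)
class Data:
    label: str
    integrity: Integrity   # how far the data can be trusted


def modify(component: Component, data: Data) -> Data:
    """Low-water-mark rule (assumed model): data modified by a component can be
    trusted no more than the lesser of its current integrity and the component's
    assurance. A COTS application therefore caps everything it touches at LOW."""
    return Data(f"{component.name}({data.label})",
                Integrity(min(data.integrity, component.assurance)))


def run_pipeline(pipeline: list[Component], data: Data) -> Data:
    """Pass data through every interface component in order."""
    for component in pipeline:
        data = modify(component, data)
    return data


def integrity_ceiling(pipeline: list[Component]) -> Integrity:
    """Highest integrity of modifiable data the system can vouch for: the weakest
    component on the interface path, regardless of how strong the kernel is."""
    return Integrity(min(c.assurance for c in pipeline))


def may_write(subject: Integrity, target: Integrity) -> bool:
    """Biba 'no write up': a subject may write only objects at or below its level."""
    return subject >= target


def store(data: Data, target: Integrity) -> tuple[bool, str]:
    """Attempt to store data into an object labelled `target`; report the decision."""
    if may_write(data.integrity, target):
        return True, f"stored {data.label} at {target.name}"
    return False, (f"refused: {data.label} is {data.integrity.name}, "
                   f"target object is {target.name}")


# Constructed example components (hypothetical names, not taken from the paper).
KERNEL = Component("security_kernel", Integrity.HIGH)
COTS_EDITOR = Component("cots_word_processor", Integrity.LOW)
TRUSTED_PATH = Component("trusted_path_ui", Integrity.HIGH)

if __name__ == "__main__":
    document = Data("contract.txt", Integrity.HIGH)
    hybrid = [KERNEL, COTS_EDITOR, TRUSTED_PATH]
    out = run_pipeline(hybrid, document)
    print(f"ceiling of hybrid system: {integrity_ceiling(hybrid).name}")
    print(f"{out.label} -> {out.integrity.name}")
    print(store(out, Integrity.HIGH))   # refused: the edited copy is now LOW
    print(store(out, Integrity.LOW))    # accepted
    # With the COTS editor removed, the same data keeps its HIGH label.
    print(run_pipeline([KERNEL, TRUSTED_PATH], document).integrity.name)
```

The point the model makes is the one the abstract argues: the high-assurance kernel and the trusted path do not raise the ceiling back up, because the ceiling is set by the minimum over the path, and a document that was once HIGH cannot be written back into a HIGH object after a LOW component has modified it.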
