Scomp: A Solution to the Multilevel Security Problem

The Honeywell Secure Communications Processor supports a variety of specialized applications that require the processing of information with multilevel security attributes. A commercial hardware product, the Scomp system is a unique implementation of a hardware/software general-purpose operating system based on the security kernel concept. Scomp hardware supports a Multics-like, hardware-enforced ring mechanism, virtual memory, virtual I/O processing, page-fault recovery support, and performance mechanisms to aid in the implementation of an efficient operating system. The Scomp trusted operating program, or STOP, is a security-kernel-based, general-purpose operating system that provides a multilevel hierarchical file system, inter-process communication, security administrator functions, and operator commands.

The idea for the Scomp system originated in a joint Honeywell-Air Force program called Project Guardian, which was an attempt to further enhance the security of Honeywell's Multics system.¹ A secure front-end processor was needed that would use the security kernel approach to control communications access to Multics. Multics was designed to provide program and data sharing while simultaneously protecting against both program and data misuse. The system emphasizes information availability, applications implementation, database facilities, decentralized administrative control, simplified system operation, productivity, and growth. The Multics system uses a combination of hardware and software mechanisms to provide a dynamic multiuser environment. The Multics security mechanisms, considered far more advanced than those available in most large commercial systems, use access control lists, a hardware-enforced ring structure supporting eight rings, and the Access Isolation Mechanism, which allows the definition of privilege independent of the other controls.

Access control provided by these mechanisms is interpreted by software but enforced by hardware on each reference to information. The hardware implementation includes a demand-paged virtual memory capability that is invisible to user programs. Although Project Guardian was never completed, the use of Multics features to provide multilevel security was pursued in a revised Scomp effort, a joint project of Honeywell Information Systems and the Department of Defense (specifically, the Naval Electronics Systems Command, or Navelex). In this implementation, the Scomp is a trusted minicomputer operating system using software verification techniques.* Originally the plan was to use the traditional approach to building a trusted operating system: namely, to build a security kernel and an emulator of an existing operating system to run on top of the kernel. This approach was taken by UCLA² and Mitre in their early development programs and by Ford for KSOS-11.³ One conclusion drawn from these efforts was …
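The three controls the text names (the hardware-enforced ring mechanism, the multilevel labels that the Access Isolation Mechanism adds independently of other controls, and the discretionary access control lists) can be seen working together in a small reference-monitor check. The following is an added example written for this page; it is not Fraim's code and not anything from STOP or Multics. The level and category names, the single-number ring limit standing in for Multics's three-number ring brackets, the sample subject and objects, and the order of the checks are all constructed assumptions.

```python
"""Toy reference monitor: every reference passes the ring check, then the
mandatory (multilevel) check, then the discretionary ACL check.
Constructed example; labels, rings and records below are invented."""

from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    # Constructed hierarchical levels, lowest to highest.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND a superset of categories."""
        return self.level >= other.level and self.categories >= other.categories


@dataclass
class Subject:
    name: str
    label: Label
    ring: int  # ring the process executes in; 0 is the most privileged


@dataclass
class Obj:
    name: str
    label: Label
    acl: dict  # discretionary control: user name -> set of modes, e.g. {"r", "w"}
    ring_limit: int  # simplified bracket: only rings <= ring_limit may touch it


def check_access(subject: Subject, obj: Obj, mode: str):
    """Return (allowed, reason). A denial names the control that refused it."""
    if mode not in ("r", "w"):
        raise ValueError(f"unknown access mode {mode!r}")
    # 1. Ring check: an outer (higher-numbered) ring cannot reach an object
    #    whose bracket ends at an inner ring, whatever the labels or ACL say.
    if subject.ring > obj.ring_limit:
        return False, f"ring {subject.ring} outside bracket (limit {obj.ring_limit})"
    # 2. Mandatory check in the Bell-LaPadula style cited by the paper:
    #    no read-up (simple security) and no write-down (*-property).
    if mode == "r" and not subject.label.dominates(obj.label):
        return False, "simple security: subject does not dominate object (no read-up)"
    if mode == "w" and not obj.label.dominates(subject.label):
        return False, "*-property: object does not dominate subject (no write-down)"
    # 3. Discretionary ACL check, consulted only after the mandatory rules pass.
    if mode not in obj.acl.get(subject.name, set()):
        return False, f"ACL grants {subject.name} no {mode!r} on {obj.name}"
    return True, "allowed"


# Constructed sample records.
SALLY = Subject("sally", Label(Level.SECRET, frozenset({"nuclear"})), ring=4)
PLAN = Obj("ts_plan", Label(Level.TOP_SECRET, frozenset({"nuclear"})),
           acl={"sally": {"r", "w"}}, ring_limit=4)
BULLETIN = Obj("bulletin", Label(Level.UNCLASSIFIED),
               acl={"sally": {"r", "w"}}, ring_limit=4)
KERNEL_TABLE = Obj("kernel_table", Label(Level.UNCLASSIFIED),
                   acl={"sally": {"r"}}, ring_limit=0)


def demo() -> dict:
    """Run the illustrative references and return their outcomes."""
    requests = [(PLAN, "r"), (PLAN, "w"), (BULLETIN, "r"),
                (BULLETIN, "w"), (KERNEL_TABLE, "r")]
    return {f"{o.name}:{m}": check_access(SALLY, o, m) for o, m in requests}


if __name__ == "__main__":
    for request, (allowed, reason) in demo().items():
        print(f"{request:16} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The instructive case is the write to `bulletin`: the ACL explicitly grants Sally write access, yet the request is refused, because the mandatory label check runs independently of the discretionary one and a Secret subject may not write into an Unclassified object. The read of `kernel_table` is refused before any label or ACL is consulted, which is the role the hardware ring mechanism plays: software interprets the policy, but the hardware bound on each reference is checked first.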

[1] E. J. McCauley et al., "KSOS: The design of a secure operating system," 1979.

[2] Lowon Luke, "Panel session: Kernel performance issues," 1981 IEEE Symposium on Security and Privacy, 1981.

[3] J. K. Millen et al., "Verifying security," ACM Computing Surveys, 1981.

[4] C. S. Kline et al., "UCLA Secure Unix," 1979 International Workshop on Managing Requirements Knowledge (MARK), 1979.

[5] B. D. Gold et al., "A security retrofit of VM/370," 1979 International Workshop on Managing Requirements Knowledge (MARK), 1979.

[6] D. A. Bell et al., "Secure computer systems: Mathematical foundations and model," 1973.

[7] J. H. Saltzer et al., "A hardware architecture for implementing protection rings," Communications of the ACM, 1972.

[8] J. P. L. Woodward, "Applications for multilevel secure operating systems," 1979 International Workshop on Managing Requirements Knowledge (MARK), 1979.