A High Assurance Window System Prototype

This paper describes the architecture of a prototype multilevel secure windowing system based on the X Window System. The prototype, known as TX, is designed to meet the class B3 architectural requirements of the Trusted Computer System Evaluation Criteria (TCSEC). The architecture and prototype described here demonstrate that high assurance windowing technology is feasible. The TX architecture is based on the encapsulation of untrusted functionality, such as that contained in an ordinary X server, using a relatively small amount of trusted applications code. The untrusted functionality is then polyinstantiated or replicated once for each active sensitivity level. This leads to a combination of high assurance and complex functionality while reducing the evaluation effort to a tractable level. The architecture of TX is described, and its information flow and visible labeling security policies are discussed. The trade-offs that were made to maintain assurance while achieving other software engineering goals are considered. TX is compared with several other trusted windowing systems.
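The encapsulation-and-polyinstantiation idea above, as an added toy model that is not code from the TX prototype: a small trusted layer lazily creates one untrusted server per active sensitivity level, keeps the only cross-level record of window labels, and produces the visible label itself rather than trusting the server's title. The level ordering, the window API and a Bell-LaPadula-style read-down rule are assumptions for this illustration; the abstract does not specify them.

```python
# Constructed total order of sensitivity levels (assumption, not from the paper).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]


def dominates(a, b):
    """True if level a is at or above level b in the constructed ordering."""
    return LEVELS.index(a) >= LEVELS.index(b)


class UntrustedXServer:
    """Stand-in for an ordinary, unevaluated X server: it knows nothing about
    labels and only ever holds windows of the single level it was created for."""

    def __init__(self):
        self.windows = {}  # window id -> title supplied by an untrusted client

    def create_window(self, wid, title):
        self.windows[wid] = title

    def read_window(self, wid):
        return self.windows[wid]


class TrustedWindowSystem:
    """The small trusted part: the only code that sees more than one level."""

    def __init__(self):
        self.servers = {}       # level -> its polyinstantiated untrusted server
        self.window_level = {}  # window id -> level (the trusted label record)

    def server_for(self, level):
        # Polyinstantiation: replicate the untrusted server once per active level.
        if level not in self.servers:
            self.servers[level] = UntrustedXServer()
        return self.servers[level]

    def create_window(self, level, wid, title):
        if wid in self.window_level:
            raise ValueError("window id already labeled")
        self.server_for(level).create_window(wid, title)
        self.window_level[wid] = level
        return self.visible_label(wid)

    def visible_label(self, wid):
        # The label the user sees is composed by trusted code from its own record,
        # so an untrusted server or client cannot forge or hide it.
        level = self.window_level[wid]
        return f"[{level}] {self.servers[level].read_window(wid)}"

    def read_window(self, subject_level, wid):
        # Assumed read-down rule: a subject may read only windows it dominates.
        # Other levels' windows never exist in the subject's own server at all.
        target = self.window_level.get(wid)
        if target is None or not dominates(subject_level, target):
            return None
        return self.servers[target].read_window(wid)
```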
