Approved For Release 2005/06/09 : CIA-RDP71R00510A000200130003-7

COMPUTER SECURITY TECHNICAL PANEL

Submitted to

DEFENSE SECURITY BOARD STEERING GROUP
TASK FORCE ON COMPUTER SECURITY

July 15, 1968

May be downgraded to SECRET upon removal of appendix. NSA, OSD reviews completed.

Copy [ ] of [ ] copies

CONTENTS

SECTION 1 (FOR OFFICIAL USE ONLY) INTRODUCTION, RECOMMENDATIONS AND SUMMARY
  1.1 The Background of the Report
  1.2 Recommendations
  1.3 Summary of the Report

SECTION 2 (CONFIDENTIAL) TECHNICAL POLICY INTERACTIONS

SECTION 3 (SECRET) AUTOMATION OF THE MULTILEVEL SECURITY CLASSIFICATION AND CONTROL SYSTEM
  3.1 Introduction
  3.2 Security Structure
  3.3 Examples
  3.4 General Discussion

SECTION 4 (UNCLASSIFIED) PRIVACY SYSTEMS
  4.1 Introduction
  4.2 Authentication
  4.3 Protection
  4.4 Certification
  4.5 Summary

SECTION 5 (SECRET) SECURE SYSTEMS
  5.1 Introduction
  5.2 Potential Threats and Countermeasures
  Techniques for Protecting a System
  File Security
  5.5 Research Recommendations

APPENDIX (TOP SECRET) DETAILED DISCUSSION AND RECOMMENDATIONS FOR RESEARCH
  1 Machine Environment Assumed
  2 Method of Operation
  [illegible] Establishment
  Secondary Storage Device
  Control and Flow of Keying Information

The following is a list of members of the Technical Panel:

Edward L. Glaser - Chairman, Case Western Reserve University
Arthur A. Bushkin - Secretary, Massachusetts Institute of Technology
James P. Anderson, Anderson and Company
Edward H. Bensley, The [illegible] Corporation
Charles R. Blair, Associated Universities, Inc.
Harold M. Jayne, Executive Office of the President
[redacted] - ex officio, Chairman, Policy Panel, National Security Agency
Lawrence G. Roberts, Advanced Research Projects Agency
Jerome H. Saltzer, Massachusetts Institute of Technology
Willis H. Ware - ex officio, Chairman, Task Force, The RAND Corporation

Section 1  Introduction, Recommendations and Summary

1.1 The Background of the Report

In late 1967 a Task Force was established under ARPA at the behest of [redacted]. The purpose of this Task Force was to determine the problems of creating secure time sharing systems. As a part of this Task Force the technical panel was established. This panel met quite frequently during late 1967 and into 1968. This work culminated in a workshop being held at the Communications Research Division of the Institute of Defense Analysis at Princeton, New Jersey from March 28-30, 1968. The following report is the output of this workshop.

1.2 Recommendations

The bulk of this report will be concerned with various technical facilities that can and must be included in order to make a time sharing system secure. The purpose of this set of recommendations is to indicate those research areas that must be pursued in order to guarantee this security. It should be further emphasized that no attempt has been made to delineate either the cost of the various research tasks or to indicate within this report who should be tasked with the various areas of research. Rather, the specific research programs are delineated within other sections of this report and should be self evident as to the cognizant agency.

The following are the four primary research areas that should be pursued. The first two can be considered to be short term while the second two are long term.

1. Security structure language. The design of the security structure language should be completed and its implementation algorithm defined. This package is to be submitted for review and approval at the earliest possible date (see Section 3).

2. Consistency checks. A rapid early analysis should be made of the possibility of incorporating hardware consistency checks in equipment supplied by major manufacturers today (see Section 4).

3. Systems
certification. A research program should be delineated for the problem of determining the feasibility of more automated, hence exhaustive, certification of the integrated hardware/software system with due regard to its operational environment (see Sections 4 and 5).

4. Research. A program for the necessary research is to be initiated as soon as possible in order to facilitate the early availability of secure time sharing systems (see Section 5 and the Appendix).

1.3 Summary of the Report

The remainder of this report is divided into four sections plus an appendix. Section 2 of this report is concerned primarily with the interaction between the technical and doctrinal problems. It deals with certain facilities that are expected to be present in order to make the system operate properly from the doctrinal standpoint. Section 3 concerns itself with a definition of a security structure language and is aimed primarily at a view of the system from the standpoint of the security officer. What is contained in this section can best be described as a generalization of what must be implemented in order to facilitate the present structure of the security system of the United States Government. Section 4 primarily concerns itself with state of the art techniques with regard to the implementation of secure time sharing systems. As will be pointed out in this section, true secure time sharing systems are currently beyond the state of the art, but this section does concern itself with an attempt at making privacy systems and gives guidelines to facilitate their design in the near term. Section 5 concerns itself with the longer term secure time sharing systems and discusses in some detail the two techniques that are currently known by which time sharing systems can be made to be secure. The appendix gives greater detailed discussion on the area of the research. It was felt advisable to separate out this kind of detail from the rest of the body of
the report in order to keep the security level of the entire report somewhat lower than what otherwise would be necessary.

1.4 Acknowledgments

It is impossible to list all of the contributors to this report; however, it is fitting here to give particular thanks to the members of the technical panel, the guests of the panel at our various meetings and particularly at the meeting at Princeton, and further to the personnel of the Communications Research Division of the Institute of Defense Analysis for acting as hosts and giving us such fine accommodations during the extremely intensive three days of workshop. Finally, it would be very remiss not to give particular thanks to the various secretaries of the members of this panel who have given unstintingly of their time and services to make this report possible.

Section 2  Technical Policy Interactions

2.1 Purpose

Although much of the material in this section is covered in other sections of this report, its treatment here is from the standpoint of the procedural problems involved rather than the technical feasibility. The reader desiring a cursive view of the technical problems may glean much of the information by a perusal of this section only. However, the reader should remember that this is primarily a procedural view of the technical problems and therefore is an overview. More detailed coverage is contained in the following sections of this report and the appendix.

2.2.1 Authentication

It is suggested that multi-access resource sharing systems have significant advantages. To achieve these advantages it is necessary to have one or more computer complexes, many remote terminals, and an even larger number of individuals who have controlled access to the system, the processing which the system can accomplish, and the information stored within it. The objective of security in the system is to assure that no classified information is disclosed to any individual not formally
authorized to receive it. Since it is to be expected that not all individuals (users) at any one remote terminal will require access to the same material, it is necessary to employ a means by which the user can be uniquely identified to the computer system to assure that he only gains access to the information for which he is authorized. A password system using one-time material which is supplied individually to each user will serve this purpose. This password authenticates the user to the system and is the key which unlocks the system to him up to the predetermined access limits. An authentication must always be required at log-on and may also be required upon demand by the system while the user has control of the terminal, in order to assure the system that the original user is still in control. This re-authentication procedure may be invoked on the basis of the amount of time elapsed since the last authentication and/or upon the completion of a specified number of transactions, as determined by the system design.

The clearance of a remote terminal in a switched communications system will not necessarily be obvious to the central facility. This will require that a means be provided for authenticating a specific terminal to the central facility, to assure that only information authorized to be handled by that terminal is actually delivered to it by the central facility. Also, the user must know that the distant central facility he has reached via the switched communications system is indeed the terminal authorized to receive the information he is about to transmit.

If the communication links from the remote terminals to the central facility are secured by utilizing unique keys for each link, then identification of the key will authentically establish the identification of the terminal to the central facility, and further authentication may or may not be necessary.
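The log-on and re-authentication procedure described above, as an added Python example that is not part of the report: the system keeps only digests of the one-time passwords issued to a user, accepts each password exactly once, and demands re-authentication when either the elapsed-time limit or the transaction-count limit is reached. The class and method names, the two limits and the clock values passed in are assumptions of this illustration.

```python
"""One-time password log-on and re-authentication (added example, not from the report).

Class and method names, the limits and the clock values passed in are
assumptions of this illustration; passwords are stored only as digests."""
import hashlib
import secrets


class Session:
    def __init__(self, user, now):
        self.user = user
        self.last_auth = now               # clock value of the last successful authentication
        self.transactions_since_auth = 0


class OneTimePasswordAuthenticator:
    """Each issued password is accepted once; re-authentication is demanded
    after max_seconds have elapsed or max_transactions have been completed."""

    def __init__(self, max_seconds, max_transactions):
        self.max_seconds = max_seconds
        self.max_transactions = max_transactions
        self._unused = {}   # user -> set of digests of passwords not yet used
        self.log = []       # authentication outcomes, for the system log

    @staticmethod
    def _digest(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def issue(self, user, count):
        """Generate one-time passwords for delivery to the user; only their
        digests are kept on the system side."""
        passwords = [secrets.token_hex(8) for _ in range(count)]
        self._unused.setdefault(user, set()).update(self._digest(p) for p in passwords)
        return passwords

    def authenticate(self, user, password):
        unused = self._unused.get(user, set())
        digest = self._digest(password)
        if digest in unused:
            unused.discard(digest)          # consumed: a replay of it will fail
            self.log.append(("auth-ok", user))
            return True
        self.log.append(("auth-fail", user))
        return False

    def logon(self, user, password, now):
        """Authentication is always required at log-on."""
        return Session(user, now) if self.authenticate(user, password) else None

    def needs_reauthentication(self, session, now):
        return (now - session.last_auth >= self.max_seconds
                or session.transactions_since_auth >= self.max_transactions)

    def transact(self, session, now):
        """Call before each transaction: False means the system is demanding
        re-authentication before the original user may continue."""
        if self.needs_reauthentication(session, now):
            return False
        session.transactions_since_auth += 1
        return True

    def reauthenticate(self, session, password, now):
        if self.authenticate(session.user, password):
            session.last_auth = now
            session.transactions_since_auth = 0
            return True
        return False
```

The clock is passed in rather than read from the system so that the time-elapsed rule is testable; in a real system the same two triggers would be driven by the terminal handler.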
If the remote terminal is a part of a multi-holder net, a unilateral authentication using one-time passwords is required. This can be accomplished by an appropriate challenge/reply pair being exchanged between the central facility and the remote terminal. At the remote terminal, appropriate passwords will be issued to the user by the individual responsible for the security control of the terminal. The user must give unused passwords protection equivalent to the highest level of information that could be accessed with them.

It will be necessary for computers to transmit information to other computers in some systems. The provisions of the preceding paragraphs apply for establishing the authenticity of the computers one to the other over either point to point or switched communications systems. In some systems a user operating at a remote terminal which is assigned to one computer facility may want to access information and/or run a job on another computer facility. This is permissible and may be done by the user authenticating himself to his own computer by the previously described techniques. The first computer then passes to the second computer, over their authenticated communications link, the information required by the second computer to permit it to determine the degree of access permitted to the user.

2.2.2 Communications Link Protection

It has been stated elsewhere that all communications links passing classified information will be secured by appropriate equipment. Assume that a communication link between two terminals has been established and the equipment is in operation. The link may or may not also have traffic flow security, depending upon its security requirements. It is recognized that in any case information will not actually be passing over the link at all times. This is true on either a half duplex or full duplex link. In the case where the
equipment is stepping independently of the plain text input information, there may be a danger of spoofing.* For example, a user could log on to the system properly, accomplish all the identification and authentication procedures, and then pause. During this pause no enciphered plain text is being transmitted over the link. In this situation it could be possible to tamper with the link and introduce bogus plain text which will be deciphered by the receiving terminal and treated as authentic plain text information. The consequences of this action could range from mere harassment to extremely serious: files could be erased, programs changed, etc., depending upon the rights and privileges established by the bona fide transmitting terminal. This threat can be circumvented by proper choice and/or application of the equipment to the system, and must be accomplished as a part of the initial system design.

(* Spoofing: intelligent deception.)

In the case of a half-duplex link operating in a switched communications net where the same key is held by all terminals and used for the transmit and receive function, there may be a threat to the system due to physical capture of one terminal. User and terminal authentication procedures discussed elsewhere will protect against the threat of the captured terminal gaining access to the computer and causing system damage. However, it would be possible for the captured terminal to tap the communications link between two other terminals in the same net and thereby receive any classified information passed over the link by either of the other terminals. This threat exists in any secure communications system where there are many holders of the same key. It can only be countered by keeping the number of holders of the same key to a minimum, and the
ideal situation is to have no nets of more than two holders. Equipment could be located at the computer facility which stored all the individual independent keys of each terminal, supplied upon demand. Equipment with this capability does not now exist but is within the current state of the art and can be provided, possibly by modification of equipment now in development but certainly by new development.

2.3 Software Controls

2.3.1 Access Control

Given that the identity of the user has been verified and his console identified, the software system can look up the user clearance and that of the terminal (console) in system directories. The system now has the user clearance, the terminal clearance, and the clearance of any other devices accessible to the user's program, such as tape drives, readers, printers and other consoles.

2.3.1.1 Limiting Input and Output

Software traps should detect any inputs which are identified as having a classification greater than either the user clearance or the terminal clearance. Input faults should cause a security violation alarm. Similarly, outputs to any device which are classified greater than the terminal clearance or greater than the user clearance should be omitted and the fault logged.

2.3.1.2 Limiting Job Classification

The actual job run centrally in the computer should not be allowed to access information (programs and data files) which has a classification greater than the user clearance.(1) This limitation is dictated by the judgment that it is almost impossible to guarantee that a job cannot somehow downgrade information so as to permit it to be output. However, exceptions are possible: an execute-only program which has been certified to always digest information so as to produce an output of lower classification than the source data.

(1) System access to accounting and control files is excluded from this restriction.
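The input, output and job limits of 2.3.1.1 and 2.3.1.2 as an added Python example (not code from the report): a monitor that holds the user, terminal and device clearances looked up after authentication, applies each limit, raises an alarm on input faults, logs output and job faults, and carries the two stated exceptions (a certified execute-only program, and the system's own accounting and control files of footnote 1). The level names, the class and method names and the sample clearances are constructed here.

```python
"""Access limits of 2.3.1.1 and 2.3.1.2 (added example, not from the report).

Level names, class and method names, and the sample clearances are
constructed for this illustration."""

LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


def dominates(clearance, classification):
    """True when the clearance equals or exceeds the classification."""
    return LEVELS.index(clearance) >= LEVELS.index(classification)


class AccessMonitor:
    """Holds the clearances looked up once the user and console have been
    authenticated (2.3.1) and enforces the input, output and job limits."""

    def __init__(self, user_clearance, terminal_clearance, device_clearances):
        self.user = user_clearance
        self.terminal = terminal_clearance
        # device name -> clearance; the console itself is one of the devices
        self.devices = {"console": terminal_clearance, **device_clearances}
        self.log = []     # every fault: (kind, detail)
        self.alarms = []  # input faults additionally raise a security violation alarm

    def _fault(self, kind, detail, alarm=False):
        entry = (kind, detail)
        self.log.append(entry)
        if alarm:
            self.alarms.append(entry)
        return False

    def check_input(self, classification):
        """2.3.1.1: an input may not be classified above either the user
        clearance or the terminal clearance; a violation is alarmed."""
        if dominates(self.user, classification) and dominates(self.terminal, classification):
            return True
        return self._fault("input", classification, alarm=True)

    def check_output(self, device, classification):
        """2.3.1.1: an output may not be classified above the user clearance
        or above the receiving device; the output is omitted and logged."""
        if dominates(self.user, classification) and dominates(self.devices[device], classification):
            return True
        return self._fault("output", (device, classification))

    def check_job_access(self, file_classification, certified_execute_only=False,
                         system_control_file=False):
        """2.3.1.2: the job may not read programs or data classified above the
        user clearance, independent of the terminal clearance.  A certified
        execute-only program that produces lower-classified output, and the
        system's own accounting and control files (footnote 1), are exempt."""
        if certified_execute_only or system_control_file:
            return True
        if dominates(self.user, file_classification):
            return True
        return self._fault("job", file_classification)
```

Note that only check_input and check_output consult the terminal or device clearance; check_job_access deliberately does not, which is the distinction the report draws between what a job may read and what may flow to a console.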
The job clearance is not limited, however, by the terminal clearance. A TOP SECRET cleared person might run a TOP SECRET job using a SECRET terminal if there were no SECRET I/O to the console. He might [illegible] printer. Such occurrences might be common for remote initiated batch operations, and no deception need be suspected since the user is cleared for the job.

2.3.1.4 Access Control Matrix

The previous access control limitations can be represented by a control matrix. The matrix should be read as follows:

                        Input            Job                 Output
                        Classification   Classification      Classification
    User clearance      <=               <= (2)              <=
    Device clearance    <=               independent         <=

(2) Except for certified execute-only programs.

2.3.1.5 Denial of Access

The user who interacts directly with the system must not be allowed access to information related to the character of the control systems and/or files when access is denied under authentication procedures. For example, responses during authentication that provide such information include the following: "You do not have the required clearance to access file ___" or "You have not requested file ___ correctly" or "The classification of file ___ is ___". A record of authentication failures will be included in the system log, and alarms will be provided to assure that the security of the system is maintained.

2.3.1.6 Classification/Clearance Comparison

Section 3 contains a language which informally describes the structure and rules of clearances, special accesses, compartments, classification, etc. Using a language of this form, the definitions needed for a particular installation can then be compiled, creating a data structure. Utilizing this data structure, compare and combine routines can make the somewhat complex determinations of whether a particular clearance grants access to a classification and what high water mark classification results
from accessing information at several different levels of classification.

2.3.2 Restricted Operations

The threat to the security of the system is reduced in those cases where the allowable functions of specific terminals or devices are limited by the system. These properties can be used, after adequate certification, to support operations and procedures not otherwise available to unrestricted devices. An example of a restricted operation may be a terminal limited by the system to the execution of one certified program that performs some limited set of well defined operations and provides output to another device. In this example the terminal operator could execute the program without clearance for the data being processed. Another example could be to limit a terminal to a specific set of input functions only; in this case the operator could again operate at a lower clearance level than the files being referenced.

2.3.3 Output Classification

To assist the user in protecting sensitive information when a file is created, the computer will define the maximum composite classification of the file to the user. This high water mark will be determined algorithmically by consideration of the classifications of all files referenced, programs utilized, and inputs utilized. In the case of a permanent file the user will be notified of this high water mark classification. He will then be required to state that he certifies this classification, upgrades it, or downgrades it. If a downgrading (a less stringent classification) is certified, the system should audit this transaction for periodic review. Possibly downgrading authorization should be limited to those users with write access to a file. The reason for requiring the user to confirm or modify the computer determined classification, rather than specify his own, is that the user may not realize the totality of all file classifications referenced and most likely
has not reviewed the totality of the resultant file. Any analogy with document handling rules is dangerous, since files are often large and non-textual, for which the user must determine the content by program testing and/or scanning.

2.3.4 Write Controls

Write access to files must be a function of the specific files and the user. The write capability is not related to security specifically but is primarily a management function to provide file protection from undesirable changes. The system must provide for these controls in the file structure. The same controls should also apply to deletion of files. The application of such controls increases the integrity of files.

Section 3  Automation of the Multilevel Security Classification and Control System

3.1 Introduction

This section describes a language that would permit formal definition of the structure of the U.S. security system for control of classified information. [...] The discussion is quite informal [and assumes] people already [somewhat] familiar with the [...] security system; a more detailed [version] of this work will be needed to do the actual implementation. The basic multilevel security problem consists of answering the following question: can an individual with a particular clearance have access to a quantum of classified information in a given physical environment? While this problem exists independent of computer systems, the introduction of an automated decision process requires a very formal specification of the decision rules. This section addresses itself [to these rules]. Because of the complexity of the overall scheme for controlling [classified information], it is [not necessary to divulge] the full range of the security control apparatus. Furthermore, as a matter of precaution it
would be undesirable to reveal unnecessarily to programming personnel the details of security control methods. Therefore our approach has been to conceive a scheme in which the structure of the security system will be described [...] of a nominal clearance level [...]. However, [...] are not available [...] security information [...] level of SECRET [...]. Our scheme is such as to permit a local [installation] to keep in a multi-access remote terminal computer system the following information: certain parameters relevant to each user; certain parameters relative to the information contained in each file; [...] certain parameters relevant to each terminal [...]. For the purposes of this [paper], whatever part of the total control system may be [relevant] to a given installation, the security officer or other responsible party at that installation must know the complete [structure]. The need-to-know control on access will be verified by explicit reference to a name check, an organization check, or [...] verification of the clearance status of the user requesting access to a given file.

A clearance is associated with either a user or a terminal; a classification is associated with a file of information. The word "accesses", when used below as part of the security structure language, is defined to be semantically equivalent to "permits access to information labelled as". The phrase "National Clearance" is taken to mean the normal defense clearances of TOP SECRET, SECRET, CONFIDENTIAL and UNCLEARED, which are hierarchical in that order. The National Clearance status of an individual will be taken as the major parameter in controlling his access. If an individual is authorized to have access to information of Type A at one or more
National Clearance levels, then it is assumed that he is in principle granted access to Type A information up through the level of his National Clearance. This is intended to rule out the following case, which we believe is common in present manual practice: an individual with a National Clearance of TOP SECRET is authorized access to, say, Type A information, but is granted access only to the SECRET level. We regard this as an illegal use of the clearance control structure and, for the purposes of the computer records, an individual granted, say, a National TOP SECRET Clearance and access to information of Type A is automatically assumed to be cleared for all Type A information through the TOP SECRET level. Any exceptions to this assumption must be explicitly stated on an individual basis. Thus it can be said that the National Clearance factors (or distributes) over all special information types. The phrase "Type" can refer to a special clearance system, a compartment or special grouping which itself may be within a special clearance system, or any major or minor segment of any clearance system that may have to be specified.

7. As a consequence of the above, the computer algorithm which matches parameters of the user against the parameters of the file to be accessed will compare the user's National Clearance and the file's National Classification first. If a user is to be granted access to a given file, then his National Clearance level must equal or exceed the National Classification level of the file. Note that this is a necessary but not sufficient condition for access. Additional controls such as code words, special access compartments, special groupings, etc., will be regarded as controlling access to specific information types within the framework of the National Clearance structure.
8. An Access Control Label is regarded as an additional means of access control and will require verification against the user's status. Examples of such labels are "No Foreign Dissemination", "Except Intelligence Elements", "Not Releasable outside the [illegible]".

9. An Informational Label is regarded as not controlling access to the information but rather as giving guidance to the user on how the information may be further disseminated, further controlled, utilized, etc. Examples of such labels are "Limited Distribution", "Special Handling Required".

10. All names, code words, etc., at a given installation are assumed to be unique.

SYSTEM CATALOGS

The computer system will maintain a catalog of all terminals which may be connected to it and for each terminal will maintain the following information:

1. The highest level of National Classification of information that may be transmitted to or from the console.
2. Special code words, group names, or other names which modify the National Clearance level of the console to receive other classes of information.
3. Physical location, including building location, room number and the cognizant agency.
4. The electrical address.
5. The permanent identification number.
6. A list of the users authorized to use the console.
7. Person responsible and his telephone number.

The computer system will maintain a catalog of all users authorized to have access to it and for each user will maintain the following information:

1. His National Clearance level and its date of expiration and granting agency.
2. Special code words, special groupings, or other words which extend his access to other classes of information, and the date of expiration of each such special name.
3. His agency affiliation.
4. His citizenship.
5. His agency assignment(s).
6. His permanent identification number (Social Security or other).
7. Special need-to-know designators other than those explicitly given by items 1 and 3 above.

The computer system will
maintain the following information for each of its files:

1. The National Classification of the file.
2. Special names such as code words, compartment names, handling caveats, etc., that serve to control access to the file.
3. A need-to-know list including one or more of the following, as may be required: universal need-to-know (everyone authorized access); a name list; a group designator need-to-know; specific exclusions from need-to-know by such things as groups, names, explicit lists of names.
4. Access control labels.
5. Informational labels.
6. Background information on the file. This is subject to policy decisions. Examples of information which might be desired are: its date of creation; its downgrading group and any downgrading actions applied to it; name of the individual who created the file and his agency; predecessor files, if any, from which the file was created.

3.2 SECURITY STRUCTURE

Not only will the computer system maintain a catalog of information for each user, each file and each terminal, but it also must be aware of the structure of the security control apparatus. This paper defines a special language in terms of which the security structure can be stated, and for which software will have to be written for each machine and/or software system that is placed into operation. The security structure language described below formally defines a set of relations between entities. These entities include special accesses, code words, etc. The structure below can be thought of as defining a set of decision rules which the computer system can then consult when it wishes to make a decision concerning security parameters. It is immaterial how these decision rules are actually stored in a computer, and this is for the present left to the individual software system designers. To define either a major or minor element of the security structure we propose the
following syntax. The traditional notation and format of a programming language is used. The default condition of definition is mutual independence, in that unless otherwise indicated two defined entities will be assumed mutually independent.

    Define Name              (1)
        Clearances           (2)
        Synonyms             (3)
        Required Labels      (4)
        Structure            (5)
        Access Rules         (6)
        Relational           (7)
    END

NOTES

1. Name is the word which acts as a label to identify the security element to be defined.

2. The names of the clearance(s) which exist within this security element.

3. Any commonly occurring synonyms or abbreviations of names of clearances, labels, etc.

4. Any required labels which must be associated with the information to which access is controlled by the security element being defined. There is a special reason for these labels which will become clear in an example below, but it is assumed that all of the clearances of the security element being defined are permitted access to information labelled by one or more of the required labels. Of course, the other access criteria must also be satisfied.

5. Structure information is regarded as being totally internal to the security element being defined. Within the Structure part of the syntax there is only one functional operator, called Implies. This is interpreted to mean that access authorized by a given clearance implies the automatic access (unless otherwise limited) authorized by other clearances lower in the hierarchy. If an individual has a TOP SECRET clearance, TOP SECRET implies SECRET in the sense that an individual cleared TOP SECRET has access to information to which an individual cleared SECRET also has access.

6. Under Access Rules there is only one operator, called Accesses, which has been previously defined as "permits access to information
labelled as". These rules explicitly state the relation between the names of the clearances in the security element being defined and the labels on the information to which this security clearance permits access. In many cases the same word is used to specify a clearance and as a label to indicate classification.

7. The Relational information establishes any links between the security element being defined and other parts of the security structure; thus it is regarded as external to the element being defined. Two operators are allowed: Implies and Requires. Implies means that the access granted by the security element being defined automatically denies or authorizes access (unless otherwise limited) to stated other categories of information. Requires provides for the case in which access to information labelled by the security element being defined requires the simultaneous existence of a particular other clearance or access authorization. Boolean expressions are allowed for both operators.

3.3 Examples

Several examples are given to illustrate the use of the security structure language syntax. The subsection may be safely skipped by the casual reader.

To define an element of the security system whose name is National Clearances, which contains the clearances TOP SECRET, SECRET, CONFIDENTIAL and UNCLEARED, for which no special access labels are needed, which has the hierarchical structure that a TOP SECRET clearance implies a SECRET clearance, which implies a CONFIDENTIAL clearance, which implies an UNCLEARED clearance, and in which access is in three of the four cases controlled according to the rule that a particular clearance may access information labelled with its own name (a SECRET clearance authorizes access to information labelled as SECRET), it would be done as follows:

    Define National Clearances
        Clearances       TOP SECRET, SECRET,
CONF IDENT IAL UNCIEARED Synonyins TOP CONFIDENTIALUNCIEARED-UR Required Labels None Structure ITS implies -S 1 3 - - 8 implies I 2 0 implies UR Access I TS accesses TS accesses accesses accesses IReletioneli None 33 InmlI Approved Release war-ewe WEN Approved For R00510A000200130003-7 as a asnow consider the base of information as discussed earlier and define a class of information called which is to be regarded as a further restriction on access under the'l National Classification System Define 1 Clearances Nane Required Labels Handle via special channels wa Access Rules II accesses Relational came requires TS 031 3 END - This example illustrates the_use of a label as an access control has been assumed that information is to be transmitted via special channels However _there may be administrative traffic which will not have the classification label but access to which must be confined to people Thus TOP SECRET or SECRET information carrying the special_handling label assumed in this example can be identified as information and access controlled accordingly In effect a required label-can be regarded when necessary as a pseudouclearance accessed by any of the clearances listed in the definition The notation OR identifies the Eoolean operation of disjunction 13 emu 1mm - 3mm as fl Approved For' 0A0002001 30003-7 Approved For Release 2005 06 09 CIA-RDP71R00510A000200130003-7 5 33 12 5 J k 4 Of course it would have been sufficient just to put S-since TS implies 3 Let us define next a special class of information called Restricted Data which is assumed to exist within the National Classification structure Define Restricted Data Clearances RESTRICTED DATA Synonyms Restricted Data RD Required Labels None_ Structure None Access Rules RD accesses RD Relational -J RD requires TS OR END Here we note that there is only one way to identify information that belongs to this element and that is through the use of the label RESTRICTED DATA Yet the access rule is necessary to 
specify the fact that TD is both a clearance and a classification label Note again the use of OR in the relational statement the Boolean operators OR AND and should all be allowed wherever needed in the syntax '14 Approved Fer Rehea n g i Approved For Release 2005 06 09 A Fear-now define a hypothetical clearance called DATATEL having three clearance levels within it referred to as II and I DATATEL information of clearance level carries the code word II carries the cede word and I carries the code word CHARLIE Define DATATEL I Clearances 2 II I 'Synonyms _None Required Labels Handle via DATATEL channels enlyj Structure implies II implies 1Accese accesses ABLE II accessee BAKER zaccesses Relational requires TS f93'5 i - IIW requires i Hf I _requires 0' END Let us now define a compartment or infcmatioh within the structure whose name 15 APPLE and for which tbe'lebel ALICE is used to identify information contained in thie special grouping ' Thie is an alternate notation to that used in the first example ' As in the first example i could also be II gimplies I d Clwofg dos1 a - l 5 Approved For ma R00510A000200130003-7 Define APPLE Clearances APPLE Synonyms None Required Labels Handle via APPLE channels only Structure None Access Rules APPLE accesses ALICE a Relational APPLE requires i g in This illustrates a variation possible in this syntan It has been assumed that APPLE information is not labelled as such but is to fearry the additional label ALICE The APPLE definition relates to the earlier DATATEL definition relates to ABLE and also to TOP SECRET Thus the system can correctly determine that the proper label for APPLE information is TOP SECRET ABLE ALICE A required label of ALICE need not_be given since the access rule contains the information We now observe something else about required labels APPLE information would have two required labels in this case two The examples haVe contained Only handling rules as required labels In general it is suggested that 
information not be given twice in a definition For example the compiler can acquire the ALICE label from the access rule If other kinds of information must be specified as required labels then some rules about the format of information in the required label block will have to be developed 16' i raw g - 1 7 Aging I Approved For Release R0051 OIA00 02001 30003-7 HI 9w 1 Approved For Releasi- Qonalma R00510A000200130003-7 handling requirements and logical rules have yet to be established to handle such situatiOns Let use define an example in which it is assumed that at the SECRET level there are two categories of information called AGILE and BANANA accessing information labelled respectively as ANN and BETTY Further assume that an individual cannot be concurrently authorized access to AGILE and BANANA information To have access to both assume that an individual must be cleared EDP SECRET in which case 'he will be said to have access to CHERRY information labelled CHICO as well as all AGILE and BANANA information The specification of these three security elements will then be as follows Define I AGILE Clearances Synonyms None Required Labels Handle via AGILE channels only 'Structure None Access Rules AGILE accesses ANN Relational AGILE requires 8 AND NOT BANANA CHERRY implies AGILE AND BANANA END 17 R00510A000200130003-7 I mm Approved For 6h Approved For Release Define Clearances SynOnyms Required'Labels Structure Access Rules Relational END Define Clearances Required Labels 'Structure -Access Rules Relational END BANANA BANANA None Handle via BANANA channels only None BANANA accesses BETTY BANANA requires AND NOT AGILE CHERRY implies AGILE AND BANANA CHERRY CHERRY None Handle via CHERRY channels only 'fNone' CHERRY accesses CHICO CHERRY requires TS CHERRY implies AGILE AND BANANA 18 If Approved For Release Approved For Release 2 R00510A000200130003-7 Note that in these examples Boolean operators have been used in the Imply statements With reference to the definition 
With reference to the definition of AGILE, for example, the relational rules state that AGILE access requires a SECRET National Clearance and not the concurrent access to BANANA information, and that CHERRY access implies automatic access to both AGILE and BANANA. While access control to the AGILE compartment would not normally require the statement that simultaneous access to AGILE and BANANA requires CHERRY access, nonetheless this relation is given as part of the AGILE and BANANA definitions to facilitate the automatic assignment, by the computer system, of access controls to new files which a user may create from old files. Thus, should a user merge AGILE and BANANA information to create a new file, the merging algorithm, in checking for access controls to be applied to this new file, would in consulting the definition of AGILE and the definition of BANANA discover that the simultaneous presence of both requires a CHERRY access control on the new file. Then, in consulting the definition of the CHERRY element, the merge algorithm would discover that CHERRY requires TOP SECRET and hence would label the new file as TOP SECRET CHICO. Note in this particular example that the label on a file and the clearance required to access it are different. In other cases the same word might be both a label and a clearance.

3.4 General Discussion

In general it is believed that the file merge algorithm probably should assign to a new file the highest National Classification of the set of National Classifications attached to the information from which the new file was assembled, and further that it should concatenate any special names to be applied to the new file, subject to any exclusion rules which may exist among them. The algorithm which compares the parameters of a user requesting access to some file with the parameters carried in the header of that file is visualized as first checking the National Clearance and National Classification involved, then any special compartment names, special group names or other names, then any restriction which the required label may impose on access, then any special access designators which may exist but which are not explicitly identified as a label, and finally verifying access by a name check.

It is believed that the mechanism which has been outlined above will suffice for the description of all parts of the security control system. In a document at this classification level it is not possible to include the examples which demonstrate that it does work in all places, but it has been checked that it is adequate for all those systems about which sufficient knowledge is available. On the other hand, exhaustive knowledge of all details of the entire security control structure is not claimed, and it is possible that pathological cases exist which cannot be described in the language.

It should be noted that the actual dynamics of the system have yet to be formally specified. That is, the programming algorithms for all relevant decisions are not yet formally defined, since this is the basis for future work. For example, it appears that the access algorithm would examine the Requires statement in the Relational section prior to the Imply statement, while the merge algorithm would proceed in the reverse order. The latter must be the case in order to avoid tricking the system into thinking it had discovered a logical inconsistency because a CHERRY cleared person had accessed both AGILE and BANANA information, the clearances for which cannot be mutually coexistent.

Security is not the only issue which concerns access control to files. While the present section deals only with the security aspect, related problems are mentioned here because the software procedures will have to be designed to deal with all aspects of the problem.
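The two orderings just described (Requires before Imply for access, Imply before Requires for merging) can be made concrete in a small interpreter. The following is an added example, not code from the report: a Python reading of the Define blocks of 3.3 in a constructed text form (one field per line, statements separated by ';', Boolean operators AND/OR/NOT without parentheses, short synonyms used as clearance names, and the Synonyms and Required Labels fields omitted because neither algorithm consults them). The names DEFINITIONS, SecurityStructure, may_access and merge_labels are this example's own. It goes slightly beyond the text in that any relational "X implies A AND B" rule, not only the CHERRY one, is used by the merge step.

```python
"""Toy interpreter for the security-structure language of section 3 (added example)."""
import re

# Constructed sample structure: National Clearances plus the AGILE / BANANA / CHERRY example.
DEFINITIONS = """
Define National Clearances
  Clearances: TS, S, C, UR
  Structure: TS implies S; S implies C; C implies UR
  Access Rules: TS accesses TS; S accesses S; C accesses C
  Relational: None
END
Define AGILE
  Clearances: AGILE
  Access Rules: AGILE accesses ANN
  Relational: AGILE requires S AND NOT BANANA; CHERRY implies AGILE AND BANANA
END
Define BANANA
  Clearances: BANANA
  Access Rules: BANANA accesses BETTY
  Relational: BANANA requires S AND NOT AGILE; CHERRY implies AGILE AND BANANA
END
Define CHERRY
  Clearances: CHERRY
  Access Rules: CHERRY accesses CHICO
  Relational: CHERRY requires TS; CHERRY implies AGILE AND BANANA
END
"""

class SecurityStructure:
    def __init__(self, text):
        self.structure, self.relational = {}, {}  # clearance -> clearances it implies
        self.accesses, self.requires = {}, {}     # clearance -> labels / Requires text
        self.national = []                        # national clearances, highest first
        for name, body in re.findall(r"Define (.*?)\n(.*?)\nEND", text, re.S):
            f = dict(re.findall(r"^\s*([A-Za-z ]+?):\s*(.*)$", body, re.M))
            if name == "National Clearances":
                self.national = [c.strip() for c in f["Clearances"].split(",")]
            for a, b in self._pairs(f.get("Structure"), " implies "):
                self.structure.setdefault(a, set()).add(b)
            for a, b in self._pairs(f.get("Access Rules"), " accesses "):
                self.accesses.setdefault(a, set()).add(b)
            for a, b in self._pairs(f.get("Relational"), " implies "):
                self.relational.setdefault(a, set()).update(b.split(" AND "))
            for a, b in self._pairs(f.get("Relational"), " requires "):
                self.requires[a] = b

    @staticmethod
    def _pairs(text, op):
        """Statements 'A <op> B' of one field; 'None' or a missing field yields nothing."""
        stmts = [] if not text or text.strip() == "None" else text.split(";")
        return [tuple(s.strip().split(op)) for s in stmts if op in s]

    @staticmethod
    def satisfies(expr, held):
        """Requires text, an OR of ANDs of optionally negated names, judged against held."""
        def atom(a):
            return a[4:] not in held if a.startswith("NOT ") else a in held
        return any(all(atom(a.strip()) for a in conj.split(" AND "))
                   for conj in expr.split(" OR "))

    def closure(self, held, relational=True):
        """Every clearance reachable from held through Imply statements."""
        result, todo = set(held), list(held)
        while todo:
            c = todo.pop()
            nxt = set(self.structure.get(c, ()))
            if relational:
                nxt |= set(self.relational.get(c, ()))
            todo += [d for d in nxt if d not in result]
            result |= nxt
        return result

    def may_access(self, held, file_labels):
        """Access algorithm of 3.4: Requires first, then Imply."""
        hierarchy = self.closure(held, relational=False)   # grant plus national hierarchy
        for c in held:                                      # an inconsistent grant denies all
            if c in self.requires and not self.satisfies(self.requires[c], hierarchy):
                return False
        effective = self.closure(held)                      # only now apply every Imply
        readable = set().union(*(self.accesses.get(c, set()) for c in effective))
        return set(file_labels) <= readable

    def merge_labels(self, *files):
        """Merge algorithm of 3.4: Imply first, then Requires; returns the new labels."""
        needed = {c for labels in files for lab in labels
                  for c, labs in self.accesses.items() if lab in labs}
        for x, consequents in self.relational.items():      # AGILE + BANANA -> CHERRY
            if consequents <= needed:
                needed = (needed - consequents) | {x}
        nat = {c for c in needed if c in self.national}
        for c in needed - set(self.national):               # CHERRY requires TS
            nat |= {a for a in self.requires.get(c, "").split() if a in self.national}
        highest = min(nat, key=self.national.index)         # assumes a national label exists
        specials = sorted(needed - set(self.national))
        return sorted(self.accesses[highest]) + [lab for s in specials for lab in sorted(self.accesses[s])]
```

With this structure, a user granted TS and CHERRY may read a file labelled S ANN, because CHERRY's Requires (TS) is checked against the grant before CHERRY's Imply adds AGILE and BANANA, so AGILE's "NOT BANANA" is never re-evaluated on the expanded set. A grant of S, AGILE and BANANA together is rejected at the Requires step as inconsistent. Merging a file labelled S ANN with one labelled S BETTY yields TS CHICO, as the text works out by hand.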
One related problem is that of file management. Even though a given user may have the clearance which authorizes him access to a particular file, in the interests of controlling who takes various actions on the file the file management system may not grant him access, or may limit what he can do with the file. This can be looked on as a form of need-to-know and can in principle be dealt with by keeping several need-to-know lists with each file. For example, authority might be granted for:

1. Reading only of the file.
2. Changing existing specified fields.
3. Adding new entities or new fields.
4. Purging the file by deleting old entities or fields.
5. Creating a new file from the given file.

This need not be several lists but could in reality be one list in which each name carried authority codes with it. On this point the file management problem and the security problem intersect.

File creation is a second problem not discussed in this work. Many conditions might have to be accounted for, some of which are:

1. A file might be duplicated, which implies that the complete header information of the original file would also be copied.
2. Concatenating two files with elimination of no entities, which implies that the two headers will be joined according to some merge-replacement algorithm.
3. A file may be partially copied, which implies that probably only part of the header information from the original file is relevant to the new file.
4. It might be necessary to add new header information to the second file on the basis of such things as whether the new file was created by a program that has been cataloged and certified, or was created by a program that is experimental or in debug, or was created by a program that was finished but uncertified.
5. A file may be duplicated by simply renaming.
6. Partial copying could result in lowering of the classified level of the file, and thus the header information will have to be modified.
It may prove possible to design logic which will handle such downgrading automatically, but certainly many cases will have to be determined by the security officer.

This section does not discuss in detail the various ways in which the catalog of terminals and file header must be manipulated. For the record the following (not necessarily complete) list is given:

1. A user clearance and the terminal clearance at which he is presently working must be properly conjoined to establish the present job clearance.
2. Job clearances and file classifications must be compared to control access.
3. File header information, particularly of internally created files, must be utilized to properly label printed or displayed information. This includes not only national classification but also special compartment or group names, informational labels and other required labels.
4. File header information, in conjunction with other logic, must be used in the automatic assignment of classifications and the automatic generation of headers for new files.

At present no provision for classifying the deck of cards (or whatever) containing the description of the security structure for a given installation has been included. This is because this information can have a classification outside of the structure it defines. Rather, this information is considered to be so sensitive that its access must be controlled on a specific name authorization only. Thus when this information is resident in the computer system its access must be controlled by a special purpose mechanism not part of the regular file system. In general this attitude is adopted toward all of the critically sensitive portions of the software system.

4 PRIVACY SYSTEMS

4.1 Introduction

The purpose of this section is to provide guidance to groups which need to install a time-shared computer system to process classified information, based on state-of-the-art understanding of measures to provide information protection. It is apparent that the general problem of providing security for classified information stored in a time-shared computer system is currently unsolved. However, in view of the evident interest in providing time-sharing capability for the processing of classified information, there is a need to suggest such considerations and guidelines as may be practicable at the present state of the art. These guidelines are provided so that one may determine to what extent a proposed system may be adequate for a particular application which does not require full multilevel security procedures.

The following guidelines take the point of view that currently available system construction techniques are potentially capable of providing what is technically termed privacy. A system providing privacy by definition provides safeguards against releasing classified information to individuals who are cleared for the information but have no need to know. In such a system security is presumed provided by mechanisms external to the computer system itself. For example, the following two procedures might be used:

1. The central computer system, all remote terminals and communication lines are physically secured according to already established regulations and precedents for providing such physical security.
2. All personnel who have access to terminals or the central facility have a security clearance acceptable to the responsible officer.

These procedures should apply at any time that there are information storing devices which may contain classified material physically connected and accessible to the operating system. Provision may be made for switching off, removing or purging such storage devices. It is then possible for the computer system to be operated without the above assumptions in force, providing that all classified information is physically inaccessible during such operation.

For a system which proposes to provide privacy, it is presumed that the certification that it actually does will be done by the official who is responsible for the security of all of the information which is available through the system. This section is intended as a guide which may be used by that official in making his judgement, and by a supplier of a computer system hoping to achieve certification. It is recognized that no currently available computer system in fact meets all the suggested guidelines. To the extent various features are not available, management controls and manual features may be substituted if the resultant restricted operation can be accepted. Such lack of achievement should not necessarily prevent certification, but it should indicate to the certifying officer the risk he is taking if he accepts the system.

The comments in this section apply to a generic class of computer systems, referred to as time-shared, which have all of the following properties:

1. They are based on a general purpose digital computer.
2. They store information (programs and data) on a long term basis for the users of the system. The system takes on the responsibility for reliability of storage as well as insuring that stored information is not compromised.
3. The system provides simultaneous access for several users, using techniques commonly referred to as multiprogramming, time-sharing or multiplexing, which distribute common resources (central processor and primary and secondary memory) among the several users according to instantaneous demand.

In addition, the system may be accessible from a distance by typewriter or other terminals connected to the system by communication lines.

Such systems may supply differing services to users which present progressively more difficult environments in which to realize a privacy system:

1. A system which permits the user to execute only programs provided as part of the system.
2. A system which interprets a user-provided program.
3. A system which permits direct execution of only programs generated by a system-provided compiler.
4. A system which permits direct execution of any user-provided program.

We concentrate our attention on the fourth and most difficult form of service (although the line between 3 and 4 above is often difficult to draw), because the current need for time-shared privacy systems appears to extend to such service. To afford privacy, such a system must provide an authentication mechanism by which users of the system may be appropriately identified, and a protection mechanism by which identified users are given access only to information to which they are entitled. Furthermore, the system must be constructed in such a way that timely certification by competent authority is feasible.

4.2 Authentication

Authentication is the means by which the computer system is assured that the individual at a terminal is who he represents himself to be. User authentication is usually provided on existing systems through a password. This technique can provide adequate protection for privacy purposes if:

1. The passwords are given protection comparable to that required for the most sensitive information available to that user.
2. They are changed periodically to minimize potential loss, comparable to changing safe combinations.
3. They are not user-generated, to prevent penetration by educated guessing.

More elaborate schemes such as one-time passwords or challenge-dependent passwords may not be necessary to achieve the objectives of privacy. However, installations handling sensitive material or attempting to approximate secure environments should require them.
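The three password conditions above, as an added example that is not code from the report: a constructed in-memory credential store in Python in which passwords are generated by the system rather than chosen by the user, are kept only as salted PBKDF2 digests (so the stored form needs less protection than the clear text, which must still be delivered and held under the first condition), and are refused once older than an assumed change interval. PasswordStore, MAX_AGE_DAYS and PASSWORD_LENGTH are this example's own names and assumed values.

```python
"""System-generated, hashed, expiring passwords (added example, not from the report)."""
import hashlib
import hmac
import secrets
import string
from datetime import datetime, timedelta

MAX_AGE_DAYS = 90                              # assumed change interval
PASSWORD_LENGTH = 12                           # assumed; 12 symbols from 62 is about 71 bits
ALPHABET = string.ascii_letters + string.digits
ITERATIONS = 200_000                           # PBKDF2 work factor, assumed

class PasswordStore:
    def __init__(self):
        self._records = {}                     # user -> (salt, digest, issued_at)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def issue(self, user, now):
        """Generate a fresh random password for user; store only salt and digest.
        The clear text is returned once for delivery over a channel protected like
        the most sensitive information the user may see (condition 1)."""
        password = "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LENGTH))
        salt = secrets.token_bytes(16)
        self._records[user] = (salt, self._digest(password, salt), now)
        return password

    def authenticate(self, user, password, now):
        """True only if the digest matches and the password is within MAX_AGE_DAYS."""
        salt, digest, issued_at = self._records.get(user, (bytes(16), bytes(32), None))
        candidate = self._digest(password, salt)   # computed even for unknown users:
        if issued_at is None:                       # no timing hint about which names exist
            return False
        if now - issued_at > timedelta(days=MAX_AGE_DAYS):
            return False                            # condition 2: expired, must be reissued
        return hmac.compare_digest(digest, candidate)

    def days_until_change(self, user, now):
        """Days remaining before the user's password must be reissued (None if unknown)."""
        record = self._records.get(user)
        if record is None:
            return None
        return MAX_AGE_DAYS - (now - record[2]).days

if __name__ == "__main__":
    store = PasswordStore()
    t0 = datetime(2024, 1, 1)
    pw = store.issue("user01", t0)             # constructed user name
    print(store.authenticate("user01", pw, t0 + timedelta(days=30)))
```

The store never accepts a user-supplied password at issue time, which is how condition 3 is met: the only way to obtain a valid password is to have it issued.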
4.3 Protection

To provide protection of information stored in the system, certain hardware features can be described as essential for a system which allows execution of user-specified machine language instructions. These same hardware features can also help simplify certification of systems which do not allow machine-language programs, although supervisor procedures can in some cases be provided as a substitute.

1. The execution state of a processor should include one or more variables, the protection state variables, which determine the interpretation of instructions executed by the processor. For example, a processor might have a master mode / slave mode protection state variable in which certain instructions are illegal except in master mode.

2. Modification of the protection state variables can only be performed under circumstances in which control of the process is simultaneously transferred to a procedure qualified to operate in the new protection state. For example, an interrupt may switch the protection state to master mode and simultaneously transfer control to a supervisor-provided interrupt handler. When the handler completes its operation it may explicitly restore the old protection state as well as the program formerly in control.

3. The ability of a processor to access locations in primary memory should be controlled on a permission basis which may depend on the protection state of the processor. In slave mode a memory permission register might allow access only to primary memory locations belonging to the user in control.

4. The correct operation of certain instructions should depend on the protection state of the processor. For example, instructions which initiate input or output operations on a shared storage device (disk or drum) would execute properly only when in master mode. Any attempt to use such privileged instructions in slave mode should cause interruption of the program containing the instruction. Note that it may be acceptable if the user can execute input/output instructions directed to devices assigned exclusively to him.

5. All possible operation codes, with all possible tags or modifiers, whether legal or not, must produce known responses by the computer.

The system software should utilize these hardware features to limit access to data to authorized users. In particular:

1. Any violation of memory bounds or attempted execution of privileged instructions should cause monitor action to log entries and a reasonable time delay before the user may continue. The time delay should be long enough to discourage methodical probing. Provision should be made for the security officer to deny access.

2. The monitor should be organized in such a way that it is not necessary to suspend security procedures in order for users to debug their programs.

3. Procedures should be available for clearing from the system, or making inaccessible, all classified information during actions which must be run without the normal protection.

4. The monitor should insure that sensitive data does not remain as accessible residue in primary memory or on secondary storage devices.

5. The monitor system should include procedures for an orderly shutdown of the system when desired.

6. Logs should be kept of the highest level of classification of information which has ever been stored on a device, so that disposal and decontamination policy requirements can be met.

7. Supervisor data bases and tables should be interlocked when updated, in such a way that access to a table is prohibited whenever other tables are not consistent with it. For example, adding or deleting a user of the system may require modifying several tables. Interlocking techniques should be used which insure that an attempt by the user, say, to log in during his deletion [remainder illegible].

8. Supervisor data bases should have consistency checks in them which are routinely checked whenever the data base is referenced. For example, a string pointer list might include both forward and back pointers.

9. Procedures should be provided to adequately protect duplicate copies of stored files as well as the originals. For example, if files are copied onto magnetic tapes for backup, the tapes must be guarded as carefully as the on-line information storing devices.

In addition, to ensure that hardware and supervisor information protection features are operating correctly, the design of the system should include provision for automatic periodic testing of protection features. For example, periodic tests might include:

1. Verifying sensitive portions of the monitor (e.g. the security tables) against master copies for possible change.

2. Generating unauthorized addresses or privileged instructions in user mode, to insure that protection hardware is working.

3. Verification that less frequently used features which the supervisor depends on (e.g. certain instructions or a clock) are working.

4. Verification that supervisor data base consistency checking features are working correctly. This verification can be done by temporarily damaging the consistency check data and exercising the appropriate supervisor procedure to see if it notices the damage.

5. Periodic comparison of counters kept by the supervisor with counters maintained by the hardware of the number of read or write requests issued to information storing devices.

6. Error detecting and correcting techniques may be useful in assuring correct operation of devices used to speed up the processor, such as associative memories and look-ahead registers. In any case, provision should be made for the supervisor program to verify their operation; for example, one should have the ability to turn speed-up hardware on and off by privileged instruction, and to store contents of related registers to verify correct operation.
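Items 1, 4 and 5 of the periodic tests above, as an added example that is not code from the report: a constructed Python model of a supervisor self-test in which the security tables are compared against master-copy digests, a doubly linked list with forward and back pointers serves as the consistency-checked data base and is exercised by temporarily damaging one back pointer, and supervisor I/O counters are compared with counters the hardware is assumed to keep. Node, build_list, list_consistent, table_digest, self_test and the TABLES/MASTER sample data are this example's own.

```python
"""Periodic self-tests of protection features (added example, not from the report)."""
import hashlib

class Node:
    """Element of a pointer list carrying both a forward and a back pointer."""
    def __init__(self, value):
        self.value, self.forward, self.back = value, None, None

def build_list(values):
    """Doubly linked list: every forward pointer has a matching back pointer."""
    head = prev = None
    for v in values:
        node = Node(v)
        if prev is None:
            head = node
        else:
            prev.forward, node.back = node, prev
        prev = node
    return head

def list_consistent(head):
    """Consistency check run on every reference: forward and back pointers must agree."""
    node = head
    while node is not None:
        nxt = node.forward
        if nxt is not None and nxt.back is not node:
            return False
        node = nxt
    return True

def table_digest(table):
    """Order-independent digest of a security table (user -> set of clearances)."""
    h = hashlib.sha256()
    for key in sorted(table):
        h.update(f"{key}={','.join(sorted(table[key]))};".encode())
    return h.hexdigest()

def self_test(security_tables, master_digests, pointer_list, io_counters, hw_counters):
    """Run the three periodic checks; returns {test name: passed}.
    pointer_list is assumed to hold at least two nodes."""
    results = {}
    # Test 1: sensitive tables unchanged relative to their master copies.
    results["tables_match_master"] = all(
        table_digest(t) == master_digests.get(name) for name, t in security_tables.items())
    # Test 4: exercise the consistency check by damaging a back pointer, then restore it.
    second = pointer_list.forward
    saved = second.back
    second.back = None                       # temporary damage
    detected = not list_consistent(pointer_list)
    second.back = saved                      # restore before the list is referenced again
    results["consistency_check_detects_damage"] = detected and list_consistent(pointer_list)
    # Test 5: supervisor I/O request counters agree with the hardware's counters.
    devices = set(io_counters) | set(hw_counters)
    results["io_counters_agree"] = all(io_counters.get(d) == hw_counters.get(d) for d in devices)
    return results

# Constructed sample state: a clearance table and its master digest taken at install time.
TABLES = {"clearances": {"user01": {"TS", "CHERRY"}, "user02": {"S", "AGILE"}}}
MASTER = {"clearances": table_digest(TABLES["clearances"])}

if __name__ == "__main__":
    print(self_test(TABLES, MASTER, build_list(["a", "b", "c"]), {"disk0": 10}, {"disk0": 10}))
```

A failed "tables_match_master" or "io_counters_agree" result is what the monitor would log and raise to the security officer; a failed "consistency_check_detects_damage" result means the check itself is broken, which is the fault test 4 exists to catch.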
Since it is common on a time-shared system for the programs of the supervisor to be maintained on the system itself, certain special precautions must be taken regarding these programs in both their source and executable form:

1. It should be possible to separate the authority to modify the supervisor actually in use from the authority to debug a proposed modification. In other words, the authority to obtain a copy of a supervisor procedure, modify it and test it under special operating conditions may be vested in a number of system programmers; the authority to install such a checked-out modification as part of the working system routinely offered to users may be vested in a single person.

2. The source program of the system should be protected against changes by unauthorized programmers, since a later authorized change, if installed, would also introduce the unauthorized one. One procedure to insure that unauthorized changes do not occur is to allow access to modify the system master copy of a source program only to a person authorized to modify the actual running system. A system programmer would debug proposed changes on a copy of the master, not the original. When he is satisfied with his changes he turns a list of changes over to the person responsible for introduction of changes into the working system. These changes are edited into a new copy of the master source program, which is then compiled, tested, and then introduced as the new master.

4.4 Certification

In the process of certification the combination hardware/software system is to be subjected to inspection and test by expert technical personnel to determine the degree to which it conforms to the requirements of appropriate regulations and policies. The extent and duration of the inspection and testing is left to the discretion of competent authority, and will depend heavily on the manner in which the hardware and software is constructed.
In order to keep the certification period to an acceptably short period of time, it is advisable to follow certain practices in constructing the system:

1. Hardware reliability features, such as memory parity checking hardware, etc., should be provided so that the other safeguards of the system can be assured to be operating correctly. In this regard, unduly complex hardware design will complicate the certification process, as it will cast doubts both on its reliability and on the integrity of the hardware protection mechanisms; therefore:

   1.1 The use of complicated schemes which make the operation of instructions potentially erroneously dependent on the operation of adjacent instructions should be avoided. Features such as look-ahead or pipeline organization require very careful analysis to determine if they are free from this class of fault.

   1.2 It is advantageous to use a standard addressing mechanism so that the memory protection mechanisms are independent of machine instruction operation code decoding.

   1.3 [Illegible] organization of hardware logic provides hardware interlocks against unexpected delays caused, for example, by component drift or misadjustment. Such organization therefore can ease certification.

2. Other hardware features which would enhance the certifiability of the system include:

   2.1 Program-readable hardware configuration status switches, thus insuring that the software is aware of the hardware configuration in which it resides. If it is possible to set up illegal or inconsistent configurations, there must be available a program which can detect such illegal or inconsistent settings. In particular, a test to insure that all maintenance switches are in their normal operating positions should be provided.

   2.2 Provisions to control unauthorized or accidental changes to configuration and peripheral control switches. A key lock on a control panel cover is an example.

   2.3 Program-readable clocks which provide date and time of day, for use in controlling audits and recording file creation instants.

3. As the monitor will in large part be produced by uncleared personnel, it will be necessary for the certifiers to assure themselves that no trapdoors, intentional or unintentional, for unauthorized access will have been introduced into the system. This certification may require examination of the operating system code on a line-by-line basis by certification authority. Therefore:

   3.1 Use of esoteric coding techniques is to be discouraged.

   3.2 Use of higher order programming languages where possible is important. Since the compilers for such languages are potentially capable of introducing such trapdoors into their object code, the compilers must themselves be certified, and should be written in their own higher order language if possible.

   3.3 The monitor should be constructed in a modular fashion such that errors occurring in one module do not affect the internal operations of another. As much of the monitor as possible should operate under the memory protection scheme, as opposed to supervisor mode. It is advantageous to segregate portions of the monitor which need not deal with security matters.

   3.4 Data should be separated from the instructions of the program, so as to simplify protection of the instructions with hardware facilities and insuring that fresh internal storage areas are used when the program is reused.

4. Good documentation of both the hardware and software is essential.

4.5 Summary

1. A general solution to the problem of either security or privacy in time-shared computer systems is not currently within the state of the art.

2. Selective certification of such systems for specific privacy applications in the near future seems possible.
seems possible. The features that such systems should possess can be identified; systems possessing such features are currently in operation.

3. A critical problem in the near-term utilization of such systems is the potentially excessive time required to achieve their certification for particular privacy applications. This section attempts to indicate features these systems might offer to reduce this time to an acceptable level.

SECTION 5 SECURE SYSTEMS

5.1 Introduction

By Secure Systems we mean systems that permit uncleared users, using unsecured lines, to share a time-shared facility with cleared users running classified problems. We further assume that the time-shared facility exists in a physically secure environment and incorporates all of the applicable methods discussed in previous sections. The crucial difference between the security and the privacy problem is the existence of (1) uncleared users and (2) unsecured lines. Even with the facility existing in a secured environment, the exposure of the system to uncleared personnel, whether or not operating with invisible secured lines, poses a set of requirements on the system that cannot be solved by administrative or policy actions. The open aspect of the system makes it more vulnerable to the various threats discussed below.

5.2 Potential Threats and Countermeasures

The following table indicates advertent and inadvertent threats to a system, which can be broadly placed in three categories: (1) recovery of information, (2) denial of use of system, (3) intelligent deception; and which can occur through (1) programming, (2) hardware/software error, (3) physical access. The table also indicates some countermeasures to some of these threats, although it is not complete.

Points of Vulnerability/Attack -- Threats -- Countermeasures

A. User (programmatic attack)
   1. Recovery of information by:
      a. Misrepresentation -- Authentication (user)
      b. Illegal read/write of core -- Memory bounds
      c. Illegal access to files -- Access controls (see section 3)
      d. Tampering with operating system -- Access controls (see section 4)
   2. Overload to deny use of system -- User limitations
   3. Local user input -- Manual checks, audit trails, alarms on violation

B. Terminal (physical access, machine errors)
   Alteration of input -- Terminal authentication; access controls (see section 4)

C. Line
   1. Intercept -- Securing line
   2. Tapping to manipulate system -- User/terminal authentication, other checks against user programmatic attacks
   3. System denial -- Line isolation
   4. Third party -- Line isolation

D. Secured Facility
   1. System personnel (Op., Prog., Maint.)
      a. Program/file change -- Access control (see section 4)
      b. Program error -- Certification
      c. Unauthorized call-out -- Audit trail
   2. Hardware
      a. Magnetic retention -- Cipher only
      b. Tampering
      c. Logic faults -- Diagnostics

As examination of the table reveals, the points of vulnerability of an open system are many, and they assume the proper working of nearly all of the operating system and of the hardware mechanisms provided to assist an operating system in isolating users from itself and from each other. Further, the problems of certifying a time-shared system, taken in the sense of both the software (operating system) and the hardware of the computer, are very complex indeed. Even if a system were certified, a continuing problem would be to re-affirm the certification. The present state of operating system design is not so advanced that the operating system will remain static for an extended period of time; consequently it is probable that continuous certification would be required, such that at least each change to the certified system would have to be certified.

5.3 Techniques for
Protecting a System

In the face of the threats posed by having a partly open system, only three courses of action are available:

1. Close the system.
2. Render the material unclassified.
3. Certify the system to permit running with both cleared and uncleared users running classified and unclassified programs.

Clearly the simplest course of action is 1 above. However, there exists within the Government and among DOD contractors a sufficient number of cases where a single system should serve both cleared and uncleared users. Closing a system is not necessarily the least expensive method of attacking the problem.

Aside from actual declassification, which is not pertinent to this discussion, the only method for transforming classified material so it may be treated as unclassified is through encipherment. As a consequence, use of encipherment techniques is one method of making a time-shared system secure, even one having uncleared users using unsecured lines. It should be noted, however, that the principal threat countered by use of encipherment techniques is recovery of information. Other controls already discussed are required to prevent intelligent deception or denial of service. Use of encryption techniques may have an additional benefit: that of reducing the problem to more manageable proportions.

5.3.1 Encipherment Techniques

Three types of encipherment for use in securing the operation of a time-shared system have been identified. They are:

1. Line encipherment
2. Primary computer operation encipherment
3. File encipherment

The first is presently employed to secure transmission paths carrying classified information. Internal and file encipherment techniques are not now in current use.

5.3.1.1 Line Encipherment

Objective - To prevent intercept of information being passed over the line, and to make it more difficult to introduce data into the system that could result in either false information or manipulation of the system (intelligent deception).

Method - Employ encipherment devices which will provide point-to-point encipherment of the information being transmitted. Security; minimum size; power requirements; etc.

Conclusion - Although there exist today communications devices which provide the required security protection, equipment which will possess the desired physical characteristics will not be generally available until the early [illegible]; additional special research requirements have been [illegible].

5.3.1.2 Primary Encipherment

Objective - To prevent compromise through unauthorized access to data residing in primary storage. The objective of primary encipherment is to operate a time-shared system with data and programs residing in primary storage in enciphered form. Decipherment for the purpose of executing programs is done as the data (instructions) pass from the primary storage to the CPU logic. As data is returned to primary storage it is again enciphered. This is illustrated in Figure 5.1. Incorporation of this technique will prevent compromise through unauthorized access to data residing in primary storage.

Methods - The encryption system envisioned is independent in operation. Cryptovariables required as a function of the user, and other variables that may be required, are derived from classification of program or data, user address space, etc. Other cryptovariable sets required for operation of a program, for common programs and other system programs, are derived or stored with the cryptovariables generated from the user's identification. These last only as long as the user is active; if the user returns after any time off the system, a new set is generated for him. Cryptovariables associated with common and system programs are [illegible] of the primary device changes.

[Figure 5.1 (diagram not reproduced); labels present on the page: Machine Room Area; Safe/Control Room Area; Data; Control; Device]

The detailed
requirements of an Internal Encipherment Device, called hereafter the IED, for use as outlined above should be developed from detailed system design studies of the nature of such devices. Without having performed such a study, some of the general requirements of such a device can still be enumerated:

1. Cryptovariables for the IED must be derived from the program execution parameters. The cryptovariables offered each user of a time-shared system must be unique to that user.

2. The IED must operate at memory transmission rates. Interposing the IED between a CPU and the primary storage must not slow the system due to the operation of the IED.

3. The IED, line devices and the Secondary Storage Encipherment Device (SSED) must operate together in transmitting information to and from primary storage such that the information never appears en clair. This requires that all of the encipherment devices used to secure a time-shared system operate as transencipherment devices (1).

4. IED encipherment requires a key lifetime that is at least on the order of several hours, and must be suitable for use with a very large number of short, probably fixed-length, units of information. The short-term characteristic is a reflection of the nature of a time-shared system.

(1) Transencipherment: the application of a pair of (possibly different) transforms in such a way as to convert ciphertext enciphered under one transform to ciphertext enciphered under the other, such that no immediate plaintext results.

5. Separate cryptovariables are required for each address space accessible to a given user. In modern machines, address spaces are accessed through base-register-relative addressing. The general rule applies that each active base register has at least its own cryptovariable set associated with it. If the IED technique is applied to provide an additional measure of file security (see section 5.4), more than one set of cryptovariables may be associated with a base register.

6. The IED must be able to switch cryptovariables between memory cycles. This requirement stems from the nature of base register addressing found in modern machines. The number of potential sets of cryptovariables associated with a given job in execution exceeds two and may be less than 64. If the IED technique is used in connection with file security, many more are required, perhaps several thousands in an extreme case.

7. The IED, in generating cryptovariables, must be able to accept an optional user-supplied keying variable that can provide an effective super-encipherment of a particular address space. The keying mechanism must be such that the user-supplied keying variable carries through the transencipherment process and at a later time permits reading of that information with a different set of short-term cryptovariables only when the user-supplied key is present. This provision permits users to establish some or all of their address space as compartmented and not readable even by file handling programs or other system programs.

8. Only the operating system, not the user, must be able to change the contents of the base registers and the corresponding cryptovariables.

9. The IED must be designed in such a way that re-assignment of the CPU to another user provides automatic secure (safe) storage of the cryptovariables associated with the previous user. Because such re-assignment will be frequent in a time-shared environment, the IED should have sufficient storage for all of the cryptovariables for all of the active users (2) of a system.

(2) Active user: a user whose processes (programs) are known to a system and are in some state of execution.

5.3.1.3 Secondary Storage Encipherment

Objective - To prevent compromise through physical access to memory devices and to provide file isolation.

Method - The secondary storage encipherment device is a transencipherment mechanism connecting directly to externally enciphered files. A number of options for keying are possible with the device, the simplest being a record address to provide keying variability. The secondary storage encipherment will operate on data in units natural to the secondary
storage device. In order to provide transencipherment, the cryptovariables associated with the user's address space containing the data to be read or written must be supplied from the key store, and the device address supplied from the file handling program. The requirements of the SSED are different from those of the IED in a number of particulars, enumerated below:

1. The SSED is a long-term device with a key lifetime measured in months.

2. The SSED must act as a transencipherment device, converting from information in externally enciphered form to internally enciphered form with no intervening plaintext.

3. Keying information for the SSED must be derived from the file(s) identified as part of the user's program. This assumes that there is at least one file containing the file directory from which all other files are identified. It is further assumed that the system file is addressable only by certified file handling programs.

4. The SSED must be able to treat information in units natural to the specific secondary storage device. For the range of current devices this may vary from 80 to several thousand characters.

5.4 File Security

Objective - To provide multi-level security to files.

Method - A user's requests for data from files are mediated by a file handling component of the operating system. Among its services are the collection of file records and placement of them in a device-sized space (physical record) before writing them onto secondary storage. On input it accepts physical records from secondary storage and passes logical records to a user on demand. With the services of an internal encipherment device it is possible to provide security to files in a manner that will permit, if desired, a single logical file containing records of various classifications (in the widest sense of the word) to be accessed by authorized users for only those records which their clearance permits.

5.4.1 Assumptions for the Internal Encipherment Service for File Security

The
Internal Encipherment Device (IED) previously described made provision for a user-controlled private and secure section of the memory by utilizing a user-supplied parameter directly as a component of the cryptovariable. In order to be applied to file security, it is necessary for the IED to have access to as many user-supplied keys as there are unique classifications of the data. Furthermore, it is necessary that the device have long-term properties as well as, or in lieu of, the short-term properties described for the IED previously. Specifically, the transform key must have the properties

[illegible expression]

where [illegible] is read "transformed by the cryptologic transformation T with SK, UK". It is further assumed that each record of the file contains a header describing the classification and access-control category for the record, and that the header may be read by the file handling program (it is enciphered only by a file key or an internal system key). The file handling program passes records to a user program with both an internal key and the user private key.

The file security capabilities are depicted in the following symbolic steps:

[Figure (not reproduced); labels present on the page: initial creation of a file, DX -> SB -> UWS -> UPDB -> SB; subsequent referencing of a file, SB -> UPWS]

Initial creation of a file:

1. Data DX is read from an external device with a null file key into system buffer (SB) storage, keyed with a local system key.

2. Records are moved to a user's work space (UWS), being fetch-keyed with an internal key (SK) and store-keyed with a user key (UK).

3. Record classification is determined by the user and the record moved from the user's work space to a user buffer area that is user-private (UPDB). Fetches are keyed with the user key (UK) and stores keyed with the user key and a user private key appropriate to the classification (UKP).

4. The user buffer area is moved to the system buffer by the system file handling program. Because the system file handling program cannot have the user private key, fetches are keyed only with the user key portion of the cryptovariables (UK), while stores are keyed with the internal key. At this point the record is super-enciphered with the user's private key.

5. The system buffer storage is written onto an external device via a transencipherment device. The data is fetch-keyed with the internal key for the file handling program (SK) and write-keyed with the file key (F).

A subsequent authorized reference to the file operates in a similar manner:

1. The physical records of the file are read into the system buffer. Data is read-keyed with the file key and store-keyed with a (possibly new) internal key.

2. The classification data, in plain form, is examined by the file handling programs, and those records matching the user's access authorization are moved to a user private work space (UPWS). Data is fetch-keyed by an internal key and store-keyed by only the user key portion of the cryptovariables for that user.

3. The user references the data in the record using the private key portion applicable to the data in the records.

For files with a large number of individual classifications, it is necessary for the user to have the key(s) corresponding to all of the records to which he is entitled. This implies that the key storage be large enough to accommodate all of the user-supplied keys for the various records. Since the original conception of the IED had a one-to-one correspondence between base registers and key storage positions, it may be necessary to address [illegible], because each user-supplied key corresponding to a different record classification would have to be applied to the same user's address space. Thus we have a single address space (the record) and multiple user-supplied keys applied to it.

The principal purpose of using encipherment techniques applied to files is to reduce the scope of certification of a system by localizing the points in a system that require certification. Thus, if unauthorized attempts at
access to file records succeeded, nothing is lost, since the data is super-enciphered. Users with only limited access to a file cannot read data they are not entitled to, even if through error or attack they gain access to the data.

5.5 Certification

Objective - To protect against unauthorized recovery of classified information, denial of system usage, and intelligent deception.

Method - Certify that the system's hardware/software provides effective countermeasures (authentication, memory bounds, passwords, etc.) and sufficient alarms in case of their failure or attempted defeat. These countermeasures are those identified by applicable governing standards. Countermeasures required of a multi-level system are similar to those identified for the closed system in order to protect information on the need-to-know basis, though their probability of effectiveness may necessarily be higher. An audit trail would provide a means of assessing possible compromise situations.

Requirements

Software - The entire machine listing must be wrung out to verify that those countermeasures accomplished by the software package are adequate and effective as defined by governing standards and criteria.

Hardware - The components involved in the execution of required countermeasures must be analyzed, and the probability of failures resulting in compromise of information must be determined.

System - Adequate operational tests must be performed both to exercise those countermeasures required and to attest that these cannot be defeated. Operational testing of these countermeasures must be performed with sufficient periodicity to certify that security effectiveness, once established, is maintained.

Conclusion - While reliability studies can be performed on the system hardware to certify its security effectiveness, the software packages associated with multi-level time-shared systems present a formidable task that to date has not been totally accomplished. With regard to the software, not only the security and countermeasure routines but the entire listing and tables must be certified, to assure that these routines are not only sufficient but also appropriately exercised, and that there is no threat of their being by-passed. Additionally, any certification must be continual. A "black box" analyzer/certifier might be developed in order to automate and accelerate the analysis process, but at best such an approach could serve only to certify a specific system.

5.6 Research Recommendations

The conceptual framework for system security outlined above poses a number of questions that cannot be answered from available information. Broadly speaking, the questions are:

1. What is a suitable form for an internal encipherment device for time-shared systems? How does the form change as the characteristics of the system vary?

2. What are the encipherment techniques applicable to internal encipherment devices and transencipherment equipment?

3. To what extent is the problem of software certification reduced by incorporation of encipherment devices in the internal operation of computer systems?

4. Since certification at some level is required even with the use of IEDs, what technology can be applied to automate or assist in the problem of certifying systems, with or without the use of IEDs?

It is recommended that a research program be initiated to attempt to answer some of these questions. Components of such a program are outlined below.

5.6.1 Structure of Internal Encipherment Devices

The objective of this element of a research program is to develop the systems requirements of internal encipherment and transencipherment devices by describing functionally these devices and how they would operate in a time-shared system. In addition to functional designs of
IEDs, their requirements can be described as well.

5.6.2 Encipherment Techniques

Specifically, what are suitable encipherment techniques for use in IEDs and transencipherment devices? If the IEDs follow the outline presented, it would be necessary for them to be long term with respect to user-private keys and short term with respect to system-supplied keys. Furthermore, the requirement that they operate on information in transit between primary storage and the CPU indicates they should be fast enough not to cause any appreciable delay in operation of the system. Furthermore, the IED concept treats programs and data as a large number of identical-length messages. Since the content of these messages may be assumed in many instances, a wealth of material is available for analysis of the IED. Thus the IED and the other internal security devices may require development and testing of new techniques in order to achieve a suitable level of security, just as [illegible] devices.

5.6.3 Systems Structure and Certification Techniques

This entire area deserves considerable effort on a broad front. Broadly speaking, the problem is: what are the points of security vulnerability of a system, and what is the behavior of the system under all circumstances surrounding attack on those points? Our present state of capability for specifying systems is either too gross or too detailed to permit much in the way of automated assistance in certifying systems. We need first a rigorous way of specifying both the hardware and the program of an operating system, at least. This specification must be at some level above the logic equations specifying the system, although it should be possible to descend to the logic level for any or all portions of a system for detailed analysis. Coupled with rigorous specifications of a system must be methods of expanding the specification and ways of observing the detailed behavior of parts of a system under different assumptions of programs, data and configuration. Equally difficult in certification is enumerating unacceptable behavior. A considerable amount of research is required before these problems can be coped with in any reasonable way.

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C. 20037. Phone: 202/994-7000. Fax: 202/994-7005. nsarchiv@gwu.edu
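The transencipherment requirement of sections 5.3.1.2 and 5.3.1.3 (ciphertext moved from one key to another with no intervening plaintext) and the fetch-key/store-key steps of section 5.4 can be followed in a small simulation. The block below is an added illustration written for this edition, not the panel's design or code: the report fixes the key roles (SK, UK, UKP, F) and the order of buffer moves, and the figures and transform-key expression on the page are not recoverable; the additive SHA-256 keystream, the record address as keying variability, the 16-byte unit size, the record layout (a plain-readable classification header beside an enciphered body) and the two sample records are all assumptions made here. It reproduces the property the section ends on: a user holding only the private key for one classification cannot read records of another even when the file handling program's header check is bypassed.

```python
"""Walk-through of the keyed buffers of report sections 5.3.1.2, 5.3.1.3 and
5.4.  Added illustration, not the panel's design: the report fixes the key
roles (SK, UK, UKP, F) and the order of moves; the SHA-256 keystream, the
record layout, the 16-byte unit and the sample records are assumptions."""
import hashlib
import os
from typing import Dict, List, Set, Tuple

BLOCK = 16  # assumed fixed-length unit of information; the report leaves size open
Record = Tuple[str, bytes]  # (classification header, enciphered body)


def keystream(key: bytes, addr: int, length: int) -> bytes:
    """Assumed keying rule: SHA-256 in counter mode, bound to the record address
    (the "record address to provide keying variability" of 5.3.1.3)."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + addr.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def transencipher(unit: bytes, addr: int, fetch_keys: List[bytes],
                  store_keys: List[bytes]) -> bytes:
    """Move a unit from encipherment under fetch_keys to encipherment under
    store_keys.  With additive streams the removal of the old keys and the
    application of the new ones fold into a single mask, so no plaintext is
    formed in between, which is the transencipherment requirement of 5.3.1.2.
    Empty fetch_keys means the input is plain; empty store_keys means the
    output is plain.  A key present in both lists cancels and stays applied."""
    mask = bytes(len(unit))
    for key in fetch_keys + store_keys:
        mask = bytes(m ^ s for m, s in zip(mask, keystream(key, addr, len(unit))))
    return bytes(u ^ m for u, m in zip(unit, mask))


def new_key() -> bytes:
    return os.urandom(16)


def pad(text: str) -> bytes:
    return text.encode().ljust(BLOCK, b"\0")[:BLOCK]


def create_file(plain: List[Tuple[str, str]], sk: bytes, uk: bytes,
                ukp: Dict[str, bytes], file_key: bytes) -> List[Record]:
    """Initial creation, steps 1-5 of 5.4.  The file handling program never
    holds UKP, so from step 4 on each body stays super-enciphered under the
    user-private key of its classification."""
    device: List[Record] = []
    for addr, (cls, text) in enumerate(plain):
        body = transencipher(pad(text), addr, [], [sk])         # 1 DX, null file key -> SB under SK
        body = transencipher(body, addr, [sk], [uk])            # 2 SB -> UWS under UK
        body = transencipher(body, addr, [uk], [uk, ukp[cls]])  # 3 UWS -> UPDB under UK + UKP(cls)
        body = transencipher(body, addr, [uk], [sk])            # 4 UPDB -> SB: fetch UK only, store SK
        body = transencipher(body, addr, [sk], [file_key])      # 5 SB -> external device under F (SSED)
        device.append((cls, body))
    return device


def reference_file(device: List[Record], file_key: bytes, sk: bytes, uk: bytes,
                   ukp: Dict[str, bytes], clearance: Set[str],
                   handler_filters: bool = True) -> List[Record]:
    """Subsequent reference, steps 1-3 of 5.4.  sk is the "possibly new"
    internal key of the later session.  handler_filters=False models the
    error-or-attack case the report discusses, where the header check fails
    and every record reaches the user's work space."""
    delivered: List[Record] = []
    for addr, (cls, body) in enumerate(device):
        body = transencipher(body, addr, [file_key], [sk])      # 1 device -> SB under SK
        if handler_filters and cls not in clearance:            # 2 header examined in plain form
            continue
        body = transencipher(body, addr, [sk], [uk])            # 2 SB -> UPWS, UK portion only
        user_keys = [uk] + ([ukp[cls]] if cls in ukp else [])   # 3 user adds the UKP it holds
        delivered.append((cls, transencipher(body, addr, user_keys, [])))
    return delivered


def demo() -> Dict[str, object]:
    """Constructed sample: two records, and a user holding only the C private key."""
    sk, uk, f = new_key(), new_key(), new_key()
    ukp = {"C": new_key(), "TS": new_key()}
    sample = [("C", "weather report"), ("TS", "launch window")]
    device = create_file(sample, sk, uk, ukp, f)
    limited = {"C": ukp["C"]}
    normal = reference_file(device, f, new_key(), uk, limited, {"C"})
    bypassed = reference_file(device, f, new_key(), uk, limited, {"C"}, handler_filters=False)
    ts_body = next(b for c, b in bypassed if c == "TS")
    return {
        "device_holds_plaintext": any(b == pad(t) for (_, b), (_, t) in zip(device, sample)),
        "normal": [b.rstrip(b"\0").decode() for _, b in normal],
        "bypassed_classes": [c for c, _ in bypassed],
        "ts_recovered_without_ukp": ts_body == pad("launch window"),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the external device holding no plaintext, the normal reference returning only the C record in clear, and the bypassed reference delivering both headers but leaving the TS body enciphered under the private key the user does not hold. The single-mask construction in transencipher is what an additive device can offer; a device built on a non-additive cipher would need an actual paired transform, as the report's footnote defines, to avoid forming plaintext between the two keys.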