This Article 
 Bibliographic References 
 Add to: 
A Model for Multilevel Security in Computer Networks
June 1990 (vol. 16 no. 6)
pp. 647-659

A model is presented that precisely describes the mechanism that enforces the security policy and requirements for a multilevel secure network. The mechanism attempts to ensure secure flow of information between entities assigned to different security classes in different computer systems connected to the network. The mechanism also controls the access to the network devices by the subjects (users and processes executed on behalf of the users) with different security clearances. The model integrates the notions of nondiscretionary access control and information flow control to provide a trusted network base that imposes appropriate restrictions on the flow of information among the various devices. Utilizing simple set-theoretic concepts, a procedure is given to verify the security of a network that implements the model.

[1] C.E. Landwehr, "Formal Models of Computer Security,"ACM Computer Surveys SIGOPS, Sept. 1981, pp. 247-278.
[2] M. D. Abrams and A. B. Jeng, "Network security Protocol Reference Model and the trusted computer system evaluation criteria,"IEEE Network Mag., vol. 1, pp. 24-33, 1987.
[3] D. K. Branstad, "Considerations for security in the OSI architecture,"IEEE Network Mag., vol. 1, pp. 34-39, 1987.
[4] B. W. Lampson, "Protection," inProc. 5th Princeton Symp. Information Science and System, 1971, pp. 437-443.
[5] G. S. Graham and P. J. Denning, "Protection--Principle and practice," inProc. AFIPS Spring Joint Computer Conf., vol. 40, 1972, pp. 417-429.
[6] C. Weissman, "Security controls in the ADEPT-50 time system," inProc. AFIPS Fall Joint Computer Conf., vol. 35, 1969, pp. 119-133.
[7] D. E. Bell and L. J. Lapadula, "Secure computer systems: Mathematical foundations," Hanscom AFB, Bedford, MA, Rep. FSD-TR- 73-278, vol. 1, ESD/AFSC, 1973.
[8] D. E. Bell and L. J. Lapadula, "Secure computer systems: A mathematical model," Hanscom AFB, Bedford, MA, Rep. ESD-TR-73-278, vol. 2, ESD/AFSC, 1973.
[9] D. E. Bell, "Secure computer systems A refinement of the mathematical model," Hanscom AFB, Bedford, MA, Rep. ESD-TR-73- 278, vol. 3, ESD/AFSC, 1973.
[10] D. E. Bell and L. J. Lapadula, "Secure computer systems: Unified exposition and Multic interpretation," Mitre Corp., Bedford, MA, Rep. MTR-2997, 1975.
[11] G. J. Popek and C. Kline, "A verifiable protection system,"ACM SIGPLAN Notices (Proc. Int. Conf. Reliable Software), vol. 10, no. 6, pp. 294-304, 1975.
[12] G. J. Popek and D. A. Farber, "A model for verification of data security in operating systems,"Commun. ACM, vol. 21, no. 9, pp. 737-749, Sept. 1978.
[13] G. J. Popek, M. Kampe, C. S. Kline, A. Stoughton, M. Urban, and E. J. Walton, "UCLA secure UNIX," inProc. AFIPS Nat. Computer Conf., vol. 48, 1979, pp. 355-364.
[14] B. J. Walker, R. A. Kemmerer, and G. J. Popek, "Specification and verification of the UCLA Unix security kernel,"Commun. ACM, vol. 23, no. 2, pp. 118-131, Feb. 1980.
[15] M. Bishop and L. Snyder, "The transfer of information and authority in a protection system,"ACM Operat. Syst. Rev. (Proc. 7th Symp. Operating Systems Principles), vol. 13, no. 4, pp. 45-54, 1979.
[16] A. Jones, R. Lipton, and L. Snyder, "A linear time algorithm for deciding security," inProc. 17th Annu. Symp. Foundations of Computer Science, 1976, pp. 33-41.
[17] R. J. Lipton and L. Snyder, "A linear time algorithm for deciding subject security,"J. ACM, vol. 24, no. 3, pp. 455-464, July 1977.
[18] L. Snyder, "Formal models of capability-based protection systems,"IEEE Trans. Comput., vol. C-30, no. 3, pp. 172-181, 1981.
[19] J. S. Fenton, "Memoryless subsystems,"Comput. J., vol. 17, no. 2, pp. 143-147, 1974.
[20] D. E. Denning, "Secure information flow in computer systems," Ph.D. dissertation, Purdue Univ., West Lafayette, IN, 1975.
[21] D. E. Denning, "A lattice model of secure information flow,"Commun. ACM, vol. 19, no. 5, pp. 236-242, 1976.
[22] G. R. Andrews and R. P. Reitman, "An axiomatic approach to information flow in parallel programs,"ACM Trans. Program. Lang. Syst., vol. 2, no. 1, pp. 56-76, Jan. 1980.
[23] A. Stoughton, "Access Flow: Protection model which integrates access control and information flow," inProc. IEEE Symp. Security and Privacy, 1981, pp. 9-18.
[24] J. H. Salzer and M. D. Schroeder, "The protection of information in computer systems,"Proc. IEEE, vol. 63, pp. 1278-1308, 1975.
[25] G. J. Popek and C. S. Kline, "Encryption and secure computer networks,"Comput. Surveys, vol. 11, pp. 331-356, 1979.
[26] D. E. Denning and P. J. Denning, "Data security,"ACM Comput. Surveys, vol. 11, no. 3, pp. 227-249, Sept. 1979.
[27] D.E. Denning,Cryptography and Data Security, Addison-Wesley Publishing Co., Reading, Mass., 1982.
[28] Data Encryption Standard, Nat. Bureau Standards, Federal Information Processing Standard 46, 1977.
[29] W. Diffie and M. Hellman, "New directions in cryptography,"IEEE Trans. Inform. Theory, vol. IT-22, pp. 644-654, 1976.
[30] R.L. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,"Comm. ACM, Vol. 21, No. 2, Feb. 1978, pp. 120-126.
[31] R. C. Merkle and M. Hellman, "Hiding information and signatures in trapdoor kanpsacks,"IEEE Trans. Inform. Theory, vol. IT-24, pp. 525-530, 1978.
[32] W. F. Ehrsam, S. M. Matyas, C. H. Meyer, and W. L. Tuchman, "A cryptographic key management scheme for implementing the data encryption standard,"IBM Syst. J., vol. 17, no. 2, pp. 106-125, 1978.
[33] S. M. Matyas and C. H. Meyer, "Generation, distribution, and installation of cryptographic keys,"IBM Syst. J., vol. 17, no. 2, pp. 126-137, 1978.
[34] Roger Needham and Michael Schroeder, "Using Encryption for Authentication in Large Networks of Computers,"Comm. ACM, Vol. 21, No. 12, Dec. 1978, pp. 993- 999.
[35] American National Standard for Financial Institution Key Management--Wholesale, Amer. Nat. Standards Inst., Standard ANSI X9.17, 1985.
[36] K. S. Shankar, "The total computer security problem: An overview,"Computer, vol. 10, no. 6, pp. 50-62, 1977.
[37] D. P. Sidhu and M. Gasser, "A multilevel securelocal area network," inProc. IEEE Symp. Security and Privacy, 1982, pp. 137- 143.
[38] R. W. Shirey, "Security in local area network," inProc. IEEE Computer Networking Symp., 1982, pp. 28-34.
[39] S. C. Balin, "Distribution of access control in a local area network," inProc. IEEE Computer Network Symp., 1982, pp. 118-130.
[40] J. Rushby and B. Randall, "A distributed secure system,"Computer, vol. 16, no. 7, pp. 5-67, 1983.
[41] V. L. Voydock and S. T. Kent, "Security mechanism in high-level network protocols,"Comput. Surveys, vol. 15, pp. 135-171, 1983.
[42] C. Landwehr, C. Heitmeyer, and J. McLean, "A Security Model for Military Message Systems,"ACM Trans. Computer Systems, Vol. 2, No. 3, Aug. 1984, pp. 198-222.
[43] Dep. Defense Trusted Computer System Evaluation Criteria, U.S. Dep. Defense, Rep. DOD 5200.28-STD, 1985.
[44] J. P. Anderson, "A unification of computer and network security concepts," inProc. IEEE Symp. Security and Privacy, 1985.
[45] S. T. Walker, "Network security overview," inProc. IEEE Symp. Security and Privacy, 1985.
[46] D. M. Nessett, "Factors affecting distributed system security," inProc. IEEE Symp. Security and Privacy, 1986.
[47] D. McCullough, "Specifications for multi-level security and a hookup property," inProc. 1987 IEEE Symp. Security, and Privacy, 1987, pp. 161-166.
[48] D. Estrin, "Nondiscretionary controls for inter-organization networks," inProc. 1985 IEEE Symp. Security and Privacy, 1985, pp. 56-61.
[49] D. Estrin and G. Tsudik, "Visa scheme for inter-organization network," inProc. 1987 IEEE Symp. Security and Privacy, 1987, pp. 174-183.
[50] W. P. Lu, "Security of communication in computer networks," Ph.D. dissertation, Univ. Arizona, Tucson, Aug. 1986.
[51] S. R. Ames, M. Gasser, and R. R. Schell, "Security kernel design and implementation: An introduction,"Computer, vol. 16, no. 7, pp. 14-22, 1983.
[52] J. A. Goguen and J. Meseguer, "Security policy and security models," inProc. IEEE Symp. Security and Privacy, 1982, pp. 11- 20.
[53] R. A. Kemmerer, "Shared resource matrix methodology: An approach to identifying storage and timing channels,"ACM Trans. Comput. Syst., vol. 1, no. 3, pp. 256-277, Aug. 1983.

Index Terms:
multilevel security; computer networks; security policy; multilevel secure network; entities; security classes; computer systems; network devices; subjects; security clearances; nondiscretionary access control; information flow control; trusted network base; set-theoretic concepts; computer networks; security of data.
W.-P. Lu, M.K. Sundareshan, "A Model for Multilevel Security in Computer Networks," IEEE Transactions on Software Engineering, vol. 16, no. 6, pp. 647-659, June 1990, doi:10.1109/32.55093
Usage of this product signifies your acceptance of the Terms of Use.