Issue No. 04 - April (1998 vol. 31)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/2.666843
In the past 20 years, only a handful of high-assurance, multilevel, secure computers have been built, and even these are rarely used in operational environments. Such systems suffer a host of disadvantages: They cost too much, lack user-friendly features and development environments, take too much time to evaluate and certify, and do not scale well for secure distributed computing. This lack of satisfactory security solutions is disturbing in light of the trend toward open and distributed computing, which increases a system?s vulnerability to attack. The authors propose basing security solutions instead on a multiple single-level security architecture, which uses commercial (nonsecure) products for general-purpose computing and special- purpose high-assurance devices to separate data at different security levels. A multiple single-level architecture is a viable and practical solution to distributed multilevel secure computing. The keystone of this architecture is a trusted device that "pumps" data from a low security level to a higher one. The authors describe the software design and assurance argument strategy for this device, the Network NRL Pump, which can be used in any multilevel secure distributed architecture.
I. S. Moskowitz, A. P. Moore and M. H. Kang, "Design and Assurance Strategy for the NRL Pump," in Computer, vol. 31, no. , pp. 56-64, 1998.