STATEMATE: A Working Environment for the Development of Complex Reactive Systems. IEEE Transactions on Software Engineering.
A pump for rapid, reliable, secure communication. CCS '93: Proceedings of the 1st ACM Conference on Computer and Communications Security.
IEEE Transactions on Software Engineering
A framework for MLS interoperability. HASE '96: Proceedings of the 1996 High-Assurance Systems Engineering Workshop.
An architecture for multilevel secure interoperability. ACSAC '97: Proceedings of the 13th Annual Computer Security Applications Conference.
Parsimonious downgrading and decision trees applied to the inference problem. Proceedings of the 1998 Workshop on New Security Paradigms.
Survivability: Protecting Your Critical Systems. IEEE Internet Computing.
Mathematical Models of Computer Security. FOSAD '00: Foundations of Security Analysis and Design, Tutorial Lectures (revised lectures from the IFIP WG 1.7 International School on Foundations of Security Analysis and Design).
Application security support in the operating system kernel. ASIACCS '06: Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security.
MYSEA: The Monterey Security Architecture. Proceedings of the 2009 ACM Workshop on Scalable Trusted Computing.
Automatic Analysis of the NRL Pump. Electronic Notes in Theoretical Computer Science (ENTCS).
Component-oriented verification of noninterference. Journal of Systems Architecture: the EUROMICRO Journal.
In the past 20 years, only a handful of high-assurance, multilevel secure computers have been built, and even these are rarely used in operational environments. Such systems suffer a host of disadvantages: they cost too much, lack user-friendly features and development environments, take too long to evaluate and certify, and do not scale well to secure distributed computing. This lack of satisfactory security solutions is disturbing in light of the trend toward open and distributed computing, which increases a system's exposure to attack. The authors propose basing security solutions instead on a multiple single-level (MSL) security architecture, which uses commercial (non-secure) products for general-purpose computing and special-purpose high-assurance devices to separate data at different security levels. A multiple single-level architecture is a viable and practical solution to distributed multilevel secure computing. The keystone of this architecture is a trusted device that "pumps" data from a low security level to a higher one, so that data flows upward only while the high side is still able to exert flow control. The authors describe the software design and assurance-argument strategy for this device, the Network NRL Pump, which can be used in any multilevel secure distributed architecture.
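The pump described in the abstract, as an added example that is not code from the paper or from the NRL Pump project: a small Python simulation contrasting a naive store-and-forward relay with a pump that randomizes the ACK it returns to Low. The randomization scheme modelled (ACK delay drawn from a distribution whose mean tracks a moving average of High's recent ACK times) is the published NRL Pump design from Kang and Moskowitz's CCS '93 paper listed above; the constructed High-side Trojan, the timing values, window length, seeds and the threshold decoder are assumptions made for this demo. It shows why "data flows Low to High" is not enough on its own: with an honest relay, High can still leak bits downward through ACK timing, and the pump's randomized ACK is what throttles that channel.

```python
# Added example (not from the paper): toy model of a Low -> High pump and of
# the High -> Low covert timing channel the NRL Pump's randomized ACK throttles.
# All timings, window sizes, seeds and message names are constructed for the demo.
import random
from collections import deque
from statistics import fmean


class NaivePump:
    """Store-and-forward relay that returns High's ACK to Low unchanged.

    Payload data only moves Low -> High, but the moment Low sees the ACK is
    exactly High's processing time for that message, so a Trojan on High can
    modulate its ACK timing to signal bits to Low (a covert timing channel).
    """

    def __init__(self):
        self.buffer = deque()  # messages waiting to be read by High

    def submit(self, msg, high_ack_time):
        self.buffer.append(msg)  # Low -> pump; High drains this later
        return high_ack_time     # ACK to Low mirrors High's timing: leaks

    def drain(self):
        """High reads everything the pump has buffered (the only data path)."""
        msgs = list(self.buffer)
        self.buffer.clear()
        return msgs


class NRLPump(NaivePump):
    """Pump whose ACK to Low is decoupled from High's behaviour per message.

    Following the NRL Pump design, the ACK delay is an exponential random
    variable whose mean is the moving average of High's last `window` ACK
    times.  Low still gets flow control (a slow High raises the average) but
    any single ACK says little about how High handled that one message.
    """

    def __init__(self, window=5, seed=0):
        super().__init__()
        self.history = deque(maxlen=window)  # High's recent ACK times
        self.rng = random.Random(seed)       # seeded for a reproducible demo

    def submit(self, msg, high_ack_time):
        self.buffer.append(msg)
        self.history.append(high_ack_time)
        return self.rng.expovariate(1.0 / fmean(self.history))


# Constructed High-side Trojan: encodes one bit per message by ACKing slowly
# (bit 1) or quickly (bit 0), in arbitrary time units.
FAST, SLOW = 1.0, 10.0


def covert_bit_error_rate(pump, bits):
    """Low decodes each bit from the ACK delay with a midpoint threshold;
    returns the fraction of bits High failed to get across."""
    threshold = (FAST + SLOW) / 2
    errors = 0
    for i, bit in enumerate(bits):
        high_time = SLOW if bit else FAST
        delay = pump.submit(f"msg{i}", high_time)
        decoded = 1 if delay > threshold else 0
        errors += decoded != bit
    return errors / len(bits)


def demo(n_bits=200, seed=1):
    """Run the same Trojan bit stream through both pumps and report the BER
    Low observes; both pumps deliver every message to High."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n_bits)]
    naive, nrl = NaivePump(), NRLPump(window=5, seed=0)
    result = {
        "naive": covert_bit_error_rate(naive, bits),  # 0.0: channel is clean
        "nrl": covert_bit_error_rate(nrl, bits),      # near 0.5: channel is noise
        "delivered": (len(naive.drain()), len(nrl.drain())),
    }
    return result


if __name__ == "__main__":
    print(demo())
```

With the naive relay every bit decodes correctly, so High has a noiseless downward channel at one bit per message; with the randomized ACK the threshold decoder does roughly no better than guessing, while High still receives all 200 messages. Real pumps also bound buffer occupancy and the amount of statistical history exposed to Low, which this toy omits.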