Multilevel Security

Richard E. Smith, University of St. Thomas

Introduction

MLS Problem

Multiuser Operating Modes

Bell–La Padula Model

Compartments

MLS and System Privileges

Limitations in MLS Mechanisms

Assurance Problem

System Design Strategies

Verifying System Correctness

Covert Channels

Evaluation, Certification, and Accreditation

Empty Shelf

Multilevel Networking

Labeled Networks

Multiple Independent Levels of Security (MILS)

Sensor-to-Shooter

Nondefense Applications Similar to MLS

Conclusion

Glossary

Cross References

References

INTRODUCTION

Many businesses and organizations need to protect secret information, and most can tolerate some leakage. Organizations that use multilevel security (MLS) systems tolerate no leakage at all. Businesses may face legal or financial risks if they fail to protect business secrets, but they can generally recover afterward by paying to repair the damage. At worst, the business goes bankrupt. Managers who take risks with business secrets might lose their jobs if secrets are leaked, but they are more likely to lose their jobs to failed projects or overrun budgets. This places a limit on the amount of money a business will invest in data secrecy.

The defense community, which includes the military services, intelligence organizations, related government agencies, and their supporting enterprises, cannot easily recover from certain information leaks. Stealth systems are not stealthy if the targets know what to look for, and surveillance systems do ...