Chapter 8. Multilevel Security

Most high assurance work has been done in the area of kinetic devices and infernal machines that are controlled by stupid robots. As information processing technology becomes more important to society, these concerns spread to areas previously thought inherently harmless, like operating systems.

— Earl Boebert

I brief; you leak; he/she commits a criminal offence by divulging classified information.

— British Civil Service Verb

They constantly try to escape From the darkness outside and within By dreaming of systems so perfect that no one will need to be good

— TS Eliot


I mentioned in the introduction that military database systems, which can hold information at a number of different levels of classification (Confidential, Secret, Top Secret, ...), have to ensure that data can only be read by a principal whose level is at least as high as the data's classification. The policies they implement are known as multilevel secure or alternatively as mandatory access control or MAC.

Multilevel secure systems are important because:

  1. a huge amount of research has been done on them, thanks to military funding for computer science in the USA. So the military model of protection has been worked out in much more detail than any other, and it gives us a lot of examples of the second-order and even third-order effects of implementing a security policy rigorously;

  2. although multilevel concepts were originally developed to support confidentiality in military systems, ...

Get Security Engineering: A Guide to Building Dependable Distributed Systems, Second Edition now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.