2 Multilevel Security
Cynthia E. Irvine
Naval Postgraduate School, Monterey, California
Multilevel security (MLS) refers to policies and techniques where the sensitivity of the information is immutably bound to an equivalence class. (One can think of equivalence classes as subsets of a set where there is no overlap or intersection among the subsets. For example, pens could be subdivided into red pens, blue pens, black pens, green pens, and so on. Information might be subdivided into CRITICAL and NONCRITICAL information or PUBLIC or PROPRIETARY information.) The active entities that access the information are also statically associated with equivalence classes. On the basis of the relationships between the equivalence classes, rules determine whether and with what rights an active entity can access the information. The mandatory policies associated with MLS can apply to integrity as well as confidentiality. Specific models and mechanisms have been developed to support MLS in computer systems. Requirements for multilevel secure systems span the private sector, the government, and the military.
Most organizations maintain information that is either protected or openly available. In government, information often is categorized as either classified or unclassified. Within the context of classified information, various levels of information sensitivity may be established based upon the damage caused should that information become accessible to adversaries. The more grievous the damage resulting from unauthorized access, the more sensitive the information. For example, the recipe for Uncle Joe's secret sauce may be considered critical to the continued well-being of a producer of barbeque sauce: it must neither be revealed to competitors, nor should it be corrupted by changing the proportions of the ingredients. Physical documents containing sensitive information are protected through a variety of physical and procedural controls. Computer systems introduce new challenges.
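To make the label rules of the opening paragraph concrete, the following is an added example, not code from the chapter: a small reference-monitor check over a label lattice, where a label pairs a sensitivity level with a set of categories and two labels may be ordered or incomparable. It assumes the conventional no-read-up/no-write-down confidentiality rule and its integrity dual (neither is introduced by the chapter itself), and uses the level names from the text together with constructed category names.

```python
"""Mandatory access checks over an MLS label lattice (added example).

A label is (level, categories). Label A dominates label B when A's level is
at least B's level and A's categories are a superset of B's. Two labels that
are not ordered either way are incomparable, and no access flows between them.
The read/write rules are the usual confidentiality rule and its integrity
dual; both are assumptions, not something the chapter has stated yet.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Linearly ordered sensitivity levels named in the text."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)  # frozen: once assigned, a label cannot be altered
class Label:
    level: int                         # any IntEnum or int ranking works here
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: self >= other."""
        return self.level >= other.level and self.categories >= other.categories


def confidentiality_allows(op: str, subject: Label, obj: Label) -> bool:
    """No read up, no write down: data may only flow toward higher labels."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def integrity_allows(op: str, subject: Label, obj: Label) -> bool:
    """Dual rule: no read down, no write up, so low-integrity data cannot
    contaminate high-integrity objects. Here the level ranks trustworthiness,
    e.g. NONCRITICAL = 0 and CRITICAL = 1 as in the text."""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


if __name__ == "__main__":
    # Constructed sample: an analyst cleared SECRET for the NUCLEAR category.
    analyst = Label(Level.SECRET, frozenset({"NUCLEAR"}))
    report = Label(Level.CONFIDENTIAL, frozenset({"NUCLEAR"}))
    crypto = Label(Level.SECRET, frozenset({"CRYPTO"}))   # incomparable
    print(confidentiality_allows("read", analyst, report))   # True
    print(confidentiality_allows("write", analyst, report))  # False
    print(confidentiality_allows("read", analyst, crypto))   # False
```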
Throughout the 1960s, as multiprocessing computer systems evolved, it became evident that the separation provided by the resource management mechanisms of typical operating systems was insufficient to prevent highly sensitive information from becoming accessible to unauthorized individuals. These controls were so inadequate that instead of utilizing the power of multiprocessing, classified information processing was conducted separately. At times, this meant that those with classified tasks had to wait until after hours, when the system could be dedicated to processing the sensitive information. Following the completion of the classified tasks, the system was purged of all sensitive information and restored to unclassified activity. This is what is called periods processing. If the amount of classified processing merited the additional expense, a dedicated system might be allocated to sensitive tasks.
Both these approaches were insufficient to meet the requirements of organizations that depended upon rapid access to information for military command and control. Periods processing could result in unacceptable delays, and dedicated systems incurred both the expense of additional equipment and a high cost of ownership in terms of system maintenance and support personnel. If simultaneous processing at several classification levels, such as CONFIDENTIAL, SECRET, and TOP SECRET, was required, then the resources for either periods processing or dedicated systems could be inadequate. In addition, these approaches could be wasteful if the computing resources allocated to particular classification levels were underutilized.
In organizations where access to a broad spectrum of information is required for making informed decisions, the temporal and spatial separation of information with vario