Security guards: issues and approaches

The issue of security, which is considered to be the final hurdle to be overcome in achieving interoperability of US Army computer systems, is discussed. In particular, the problem of transferring data across security boundaries is examined. The primary concern is to defend against unauthorized disclosure of high-side (e.g. top secret) data to low-side (e.g. secret) users. This might be caused by high-side errors, by malicious high-side software, or by active penetration from the low side. Other concerns include defending against modification or destruction of high-side data as well as denial of service to high-side users. Typical current solutions are described. The use of a security guard (also known as a security filter), i.e. a device or set of controls that mediates data transfers across security boundaries, to prevent leakage and penetration is examined. Lessons from past failures with guards and experience with an operational guard are discussed. Although military applications are addressed, the security issues raised are also thought to apply in the commercial sector.<>