Design Experiences from the Multilevel Secure MCF Operating System

The multilevel secure Military Computer Family Operating System program will provide a new high-water mark for multilevel security design and definition. The operating sys-tem will be the first verified Ada* program, and will be a fielded multilevel secure operating system. The operating system is being built for a new machine that has significant architectural features for security. This paper reveals some of the experiences and problems encountered by the RCA team during the concept definition phase of the program, and describes some of the obvious and not-so-obvious pitfalls of designing a product multilevel secure operating system. Many of the problems have been mitigated by advances in the definitions and criteria for multilevel security, and one of the goals of this paper is to help eliminate or mitigate the problems for the next system to be built.