DocumentCode
274816
Title
A multi-level secure message switch with minimal TCB: architectural outline and security analysis
Author
Lipper, E.H. ; Melamed, B. ; Morris, R.J.T. ; Zave, P.
Author_Institution
AT&T Bell Lab., Holmdel, NJ, USA
fYear
1988
fDate
12-16 Dec 1988
Firstpage
242
Lastpage
249
Abstract
The authors describe an architectural outline for a generic secure message switch. They highlight key security issues germane to the structure and functionality of a switch for routing messages of multiple sensitivity levels over communication media with multiple security levels. The design strives to minimize the trusted computing base (TCB) in order to facilitate formal and informal verification of security policies and to retain data integrity. In particular, the security policy was embedded in the type structure of a specification of the design in PAISLey. Special features of PAISLey's type system then enabled PAISLey's type checker to prove the security assertions automatically. The authors also discuss general design principles and a variety of security issues including unauthorized traffic analysis, covert channels, and denial of service.
Keywords
computer networks; electronic mail; message switching; security of data; PAISLey; communication media; covert channels; data integrity; denial of service; minimal TCB; secure message switch; security analysis; security assertions; sensitivity levels; trusted computing base; type structure; unauthorized traffic analysis; Access control; Communication switching; Communication system security; Computer architecture; Computer crime; Data security; Performance analysis; Resource management; Routing; Switches;
fLanguage
English
Publisher
ieee
Conference_Titel
Aerospace Computer Security Applications Conference, 1988., Fourth
Conference_Location
Orlando, FL
Print_ISBN
0-8186-0895-1
Type
conf
DOI
10.1109/ACSAC.1988.113342
Filename
113342