A System Architecture to Support a Verifiably Secure Multilevel Security System

Technology that allows significant sharing of computer resources carries with it an increased responsibility to protect these resources from unauthorized, malicious, irresponsible, or unintended use or disclosure. The years have seen a progression of increasingly sensitive information made available in increasingly less supervised modes to a variety of users. Commercial users routinely store valuable financial information and conduct cashless transactions electronically. University professors maintain class grading forms and examinations on departmental computers. Government agencies keep extensive databases of sensitive information regarding employees, foreign nationals, and U.S. citizens. The military and intelligence communities continue to press for more powerful techniques to enhance their information gathering and processing capabilities. In spite of the clear need for guarantees of security, all practical schemes to protect information stored or manipulated by such systems are either seriously flawed or reduce ultimately to a collection of physical security protocols (see [1] for an overview of the state of the art).