Scomp: a Solution to the Multilevel Security Problem

While many multilevel security systems exist on paper and in the laboratory, the Honeywell Secure Communications Processor is the first of its kind to be offered commercially.

Lester J. Fraim, Honeywell Information Systems

The Honeywell Secure Communications Processor supports a variety of specialized applications that require the processing of information with multilevel security attributes. A commercial hardware product, the Scomp system is a unique implementation of a hardware/software general-purpose operating system based on the security kernel concept. Scomp hardware supports a Multics-like, hardware-enforced ring mechanism, virtual memory, virtual I/O processing, page-fault recovery support, and performance mechanisms to aid in the implementation of an efficient operating system. The Scomp trusted operating program, or STOP, is a security-kernel-based, general-purpose operating system that provides a multilevel hierarchical file system, interprocess communication, security administrator functions, and operator commands.

The idea for the Scomp system originated in a joint Honeywell-Air Force program called Project Guardian, which was an attempt to further enhance the security of Honeywell's Multics system [1]. A secure front-end processor was needed that would use the security kernel approach to control communications access to Multics. Multics was designed to provide program and data sharing while simultaneously protecting against both program and data misuse. The system emphasizes information availability, applications implementation, database facilities, decentralized administrative control, simplified system operation, productivity, and growth. The Multics system uses the combination of hardware and software mechanisms to provide a dynamic multiuser environment.

The Multics security mechanisms, considered far more advanced than those available in most large commercial systems, use access control lists, a hardware-enforced ring structure supporting eight rings, and the Access Isolation Mechanism that allows the definition of privilege independent of other controls. Access control provided by these mechanisms is interpreted by software but enforced by hardware on each reference to information. The hardware implementation includes a demand-paged virtual memory capability that is invisible to the user programs.

Although Project Guardian was never completed, the use of Multics features to provide multilevel security was pursued in a revised Scomp effort, a joint project of Honeywell Information Systems and the Department of Defense (specifically, the Naval Electronics Systems Command, or Navelex). In this implementation, the Scomp is a trusted minicomputer operating system using software verification techniques.*

Originally the plan was to use the traditional approach to building a trusted operating system: namely, to build a security kernel and an emulator of an existing operating system to run on top of the kernel. This approach was taken by UCLA [2] and Mitre in their early development programs and by Ford for KSOS-11 [3]. One conclusion drawn from these efforts was that an operating system emulator was many times slower than the emulated system [4]. This performance reduction can be attributed to a variety of factors, including the incompatibility of the security kernel with the emulated system, the hardware capabilities of the system, and the code generated by the implementation language.

*In August 1982, Honeywell requested that the newly formed Department of Defense Computer Evaluation Center formally evaluate the Scomp. This evaluation, which still is continuing, is using the "Draft Trusted Computer System Evaluation Criteria" (dated January 27, 1983) to determine whether the Scomp is a Class A1 system. The evaluation is expected to be complete in late summer 1983.

26   0018-9162/83/0700-0026$01.00 © 1983 IEEE   COMPUTER

The planned interface for the Scomp system was a Bell Labs Unix emulator, the same type of emulator used by KSOS-11. The goal was to provide a compatible interface on both systems, thereby using the vast amount of software that exists on current Unix implementations. However, KSOS-11 and other attempts to build Unix emulators on secure systems have shown that certain Unix features (e.g., process family sharing of open-file seek pointers) are incompatible with the requirements of secure systems. Furthermore, the Unix notion of doing I/O by copying data into a process address space is incompatible with the Scomp demand-paging system. Rather than trying to achieve full Unix compatibility, Honeywell has taken a new approach to building an interface for the Scomp. The SKIP, or Scomp kernel interface package, does not try to emulate a specific system. Instead, it takes advantage of the underlying hardware and security kernel architecture to provide an efficient applications interface.

The Scomp system, a solution to many multilevel security problems, contains the mechanisms necessary to allow controlled processing of different levels of classified information. Implementing MLS applications on the Scomp system can provide greater flexibility and efficiency than the current use of procedural and administrative controls to protect information resources. Many systems today overclassify both people and information because the computer cannot maintain the separation of information with different classifications. Most systems operate in a "system high" mode, in which the level of the system and all its users is cleared to the highest level of any information in the system. Procedural and physical controls are applied to protect the information in the system.

The Scomp system provides for the processing of information at its classification level, and it enforces the separation of users with different security characteristics. In addition, the Scomp system can provide specialized interfaces between systems of different classifications to provide more efficient management of information. Such MLS applications, referred to as guard systems [5], provide the timely flow of information from resources with different security levels. These resources can be two networks, two systems, or a system with users at a level lower than that of the systems.

The Scomp's basic security mechanism

The Scomp system is a unique implementation of the security kernel approach because of the way in which the hardware functions support the software capabilities. The Scomp system satisfies the requirements of the reference monitor by providing complete mediation, isolation, and verification of the system design.

Mediation is provided through the interaction of the Scomp hardware and software. The software provides the initial mediation of a request for access using the kernel's internal data structures. It validates the request for both the subject and the object of the requested action (e.g., read or write). The software then builds a data element, in the form of a descriptor, for use by the hardware in the continued mediation of the access. The descriptor consists of four words of information including access permission (i.e., read, write, or execute) and the location of the object. This cooperative mediation of hardware and software is shown in Figure 1. The hardware implementation provides performance advantages over a mechanism implemented strictly in software.

Figure 1. Mediation implemented through a combination of hardware and software. The software establishes the descriptor, deriving physical permissions on the basis of subject/object security attributes. The hardware controls physical access on the basis of descriptors.

Isolation is provided by the hardware implementation of a Multics-like four-ring mechanism [6], with ring 0 containing the security kernel. This implementation, which was developed from the Multics architecture to meet the needs of a Level 6/DPS 6 operating system, includes controlled ring-crossing to allow less privileged software to access an inner ring for a service function. A ring-bracket mechanism controls operations of read, write, and execute using the ring of execution.

The Scomp security-relevant software (the security kernel and trusted software) is verified with two technologies. The first is the SRI International Hierarchical Development Methodology [7]. This method of verification requires the development of a formal top-level specification, which defines the system from the view of a user process. The FTLS, written in a nonprocedural language called Special, is then verified using tools developed by SRI. The Scomp security kernel FTLS has been verified, using this methodology, against a model of DoD security policy [8].

July 1983   27

The second verification technology involves trusted software, which is security-relevant software outside the security

All system components connect to the Level 6/DPS 6 bus, allowing access to I/O controllers, processors, and memory. The Scomp hardware design uses all standard peripherals and provides the security mechanisms totally through the special hardware. Consequently, we can easily convert a standard Level 6/DPS 6 to a Scomp: the standard processor is simply replaced with a modified security
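The two-stage mediation of the "basic security mechanism" section (software derives a descriptor from subject/object attributes; hardware then checks every reference against that descriptor only) and the ring-bracket rule from the isolation paragraph can be modelled in a few dozen lines. The following is an added illustration, not Honeywell's or Scomp's code. It assumes, beyond what the article states, that the DoD policy is a Bell-LaPadula lattice (classification level plus category set, read down, write up), that the ring brackets follow the Multics convention (writes from rings 0..r1, reads and executes from rings 0..r2), and that the discretionary check is a simple ACL lookup; all labels, names and addresses are constructed for the example.

```python
"""Toy model of Scomp-style two-stage mediation (added example, not Honeywell's code).

Stage 1 (software, the security kernel): validate a request against the
subject's and object's security attributes and build a descriptor that
carries the permitted access modes and the object's location.
Stage 2 (hardware): each reference is checked against the descriptor alone.

Assumptions not in the article: Bell-LaPadula lattice for the DoD policy,
Multics-style ring brackets, and a dictionary as the discretionary ACL.
"""
from dataclasses import dataclass, field
from enum import Flag, auto

# Hierarchical classification levels, lowest to highest (constructed).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


class Access(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: level at least as high and a superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class Subject:
    name: str
    label: Label
    ring: int            # ring of execution: 0 = kernel, 3 = least privileged


@dataclass
class Object:
    name: str
    label: Label
    location: int        # location the descriptor will carry
    write_bracket: int   # r1: writes permitted from rings 0..r1 (assumed Multics rule)
    read_bracket: int    # r2: reads/executes permitted from rings 0..r2
    acl: dict = field(default_factory=dict)   # subject name -> Access (assumed ACL form)


@dataclass(frozen=True)
class Descriptor:
    """Stands in for the article's four-word descriptor: permission bits plus location."""
    permissions: Access
    location: int


def build_descriptor(subject, obj):
    """Software half: derive the physical permissions once per request.

    Mandatory checks come from the labels (simple security: read down;
    *-property: write up) and the ring brackets; the discretionary ACL can
    only remove modes, never add ones the mandatory policy denies.
    """
    granted = Access.NONE
    allowed_by_acl = obj.acl.get(subject.name, Access.NONE)
    if subject.label.dominates(obj.label) and subject.ring <= obj.read_bracket:
        granted |= allowed_by_acl & (Access.READ | Access.EXECUTE)
    if obj.label.dominates(subject.label) and subject.ring <= obj.write_bracket:
        granted |= allowed_by_acl & Access.WRITE
    return Descriptor(granted, obj.location)


def hardware_reference(descriptor, mode, address):
    """Hardware half: a reference succeeds only if the descriptor covers it."""
    return address == descriptor.location and mode in descriptor.permissions


def demo():
    """Constructed scenario: one user process in ring 3 and three objects."""
    alice = Subject("alice", Label("SECRET", frozenset({"NATO"})), ring=3)
    report = Object("report", Label("SECRET"), location=0x1000,
                    write_bracket=3, read_bracket=3,
                    acl={"alice": Access.READ | Access.WRITE})
    audit_log = Object("audit_log", Label("TOP SECRET", frozenset({"NATO"})),
                       location=0x2000, write_bracket=3, read_bracket=3,
                       acl={"alice": Access.READ | Access.WRITE})
    kernel_table = Object("kernel_table", Label("UNCLASSIFIED"), location=0x3000,
                          write_bracket=0, read_bracket=0, acl={"alice": Access.READ})
    d_report = build_descriptor(alice, report)
    d_log = build_descriptor(alice, audit_log)
    d_kernel = build_descriptor(alice, kernel_table)
    return {
        "read_report": hardware_reference(d_report, Access.READ, 0x1000),   # read down
        "write_report": hardware_reference(d_report, Access.WRITE, 0x1000), # *-property denies
        "write_log": hardware_reference(d_log, Access.WRITE, 0x2000),       # write up
        "read_log": hardware_reference(d_log, Access.READ, 0x2000),         # read up denied
        "read_kernel": hardware_reference(d_kernel, Access.READ, 0x3000),   # outside bracket
        "wrong_address": hardware_reference(d_report, Access.READ, 0x2000), # other object
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} {'permitted' if ok else 'denied'}")
```

The point of the split is the one the article makes: labels and ACLs are consulted once, in software, and the result is frozen into a descriptor, so the per-reference check that the hardware repeats on every access is a cheap bit test against that descriptor rather than a lattice comparison.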
