A kernelized architecture for multilevel secure application policies

  • Simon N. Foley
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1485)


Mandatory label-based policies may be used to support a wide range of application security requirements. Labels encode the security state of system entities, and the security policy specifies how these labels may change. Building on previous results, this paper develops a model for a kernelized framework for supporting these policies. The framework provides the basis for what is essentially an interpreter of multilevel programs: programs that manipulate multilevel label data structures. This enables application functionality and security concerns to be developed separately, bringing with it the advantages of a separation-of-concerns paradigm.
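The abstract's central idea, a kernel-side label manager that is the only component allowed to change object labels, with the application written as a "multilevel program" that is interpreted against a separately specified label-change policy, can be illustrated with a small model. The following is an added example and is not code from the paper; the lattice of levels, the two policies (`upgrade_only` and `frozen`) and the program format are constructed assumptions, not the paper's actual model.

```python
"""Added example, not from the paper: a kernel-side label manager enforcing
a mandatory label-change policy, driven by a small multilevel-program
interpreter. Application steps never touch labels directly; every change
is mediated by the manager and checked against the policy."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed linear lattice of sensitivity levels; higher index dominates.
LEVELS = ("unclassified", "confidential", "secret", "top-secret")


def dominates(high: str, low: str) -> bool:
    """True when label `high` is at least as sensitive as `low`."""
    return LEVELS.index(high) >= LEVELS.index(low)


# A policy is a predicate over (old_label, new_label) stating whether the
# relabelling is permitted. Two assumed policies for illustration.
def upgrade_only(old: str, new: str) -> bool:
    """Labels may only rise in the lattice (never downgrade)."""
    return dominates(new, old)


def frozen(old: str, new: str) -> bool:
    """Labels are fixed once assigned; any change is refused."""
    return old == new


class PolicyViolation(Exception):
    """Raised when a requested relabelling is refused by the policy."""


@dataclass
class LabelManager:
    """Kernelized component: the sole holder and mutator of object labels."""
    policy: Callable[[str, str], bool]
    labels: Dict[str, str] = field(default_factory=dict)
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def create(self, obj: str, label: str) -> None:
        if label not in LEVELS or obj in self.labels:
            raise ValueError(f"bad create: {obj} {label}")
        self.labels[obj] = label

    def relabel(self, obj: str, new: str) -> None:
        if new not in LEVELS:
            raise ValueError(f"unknown label {new}")
        old = self.labels[obj]
        if not self.policy(old, new):
            self.audit.append(("denied", obj, old, new))
            raise PolicyViolation(f"{obj}: {old} -> {new} refused")
        self.labels[obj] = new
        self.audit.append(("allowed", obj, old, new))


Step = Tuple[str, str, str]  # (operation, object, label)


def run_program(manager: LabelManager, program: List[Step]) -> List[Tuple[str, str, str]]:
    """Interpret a multilevel program step by step through the manager.
    Returns one (op, obj, outcome) record per step; a refused step does not
    abort the program, it is simply recorded as denied."""
    results = []
    for op, obj, label in program:
        try:
            if op == "create":
                manager.create(obj, label)
            elif op == "relabel":
                manager.relabel(obj, label)
            else:
                raise ValueError(f"unknown operation {op}")
            results.append((op, obj, "ok"))
        except PolicyViolation:
            results.append((op, obj, "denied"))
    return results


# Constructed sample program: the application logic, written without any
# knowledge of which policy will govern it.
SAMPLE_PROGRAM: List[Step] = [
    ("create", "report", "confidential"),
    ("relabel", "report", "secret"),        # upgrade
    ("relabel", "report", "unclassified"),  # downgrade
    ("relabel", "report", "top-secret"),    # upgrade
]


def run_under(policy: Callable[[str, str], bool]):
    """Run the same program under a given policy; return outcomes and final labels."""
    mgr = LabelManager(policy=policy)
    results = run_program(mgr, SAMPLE_PROGRAM)
    return results, dict(mgr.labels)


if __name__ == "__main__":
    for name, pol in (("upgrade_only", upgrade_only), ("frozen", frozen)):
        print(name, *run_under(pol))
```

Running the same program under the two policies shows the separation the abstract describes: the application steps are unchanged, while the outcome of each label change (and the final label of `report`) is decided entirely by the policy plugged into the manager.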


Keywords (machine-generated, not supplied by the authors): Concrete State, Object Label, Label Manager, Object Store, Multilevel Program



Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • Simon N. Foley (1, 2)
  1. University of Cambridge, CCSR, Cambridge, UK
  2. Department of Computer Science, University College Cork, Ireland
