%!PS %%Version: 3.3.1 %%DocumentFonts: (atend) %%Pages: (atend) %%EndComments % % Version 3.3.1 prologue for troff files. % /#copies 1 store /aspectratio 1 def /formsperpage 1 def /landscape false def /linewidth .3 def /magnification 1 def /margin 0 def /orientation 0 def /resolution 720 def /rotation 1 def /xoffset 0 def /yoffset 0 def /roundpage true def /useclippath true def /pagebbox [0 0 612 792] def /R /Times-Roman def /I /Times-Italic def /B /Times-Bold def /BI /Times-BoldItalic def /H /Helvetica def /HI /Helvetica-Oblique def /HB /Helvetica-Bold def /HX /Helvetica-BoldOblique def /CW /Courier def /CO /Courier def /CI /Courier-Oblique def /CB /Courier-Bold def /CX /Courier-BoldOblique def /PA /Palatino-Roman def /PI /Palatino-Italic def /PB /Palatino-Bold def /PX /Palatino-BoldItalic def /Hr /Helvetica-Narrow def /Hi /Helvetica-Narrow-Oblique def /Hb /Helvetica-Narrow-Bold def /Hx /Helvetica-Narrow-BoldOblique def /KR /Bookman-Light def /KI /Bookman-LightItalic def /KB /Bookman-Demi def /KX /Bookman-DemiItalic def /AR /AvantGarde-Book def /AI /AvantGarde-BookOblique def /AB /AvantGarde-Demi def /AX /AvantGarde-DemiOblique def /NR /NewCenturySchlbk-Roman def /NI /NewCenturySchlbk-Italic def /NB /NewCenturySchlbk-Bold def /NX /NewCenturySchlbk-BoldItalic def /ZD /ZapfDingbats def /ZI /ZapfChancery-MediumItalic def /S /S def /S1 /S1 def /GR /Symbol def /inch {72 mul} bind def /min {2 copy gt {exch} if pop} bind def /setup { counttomark 2 idiv {def} repeat pop landscape {/orientation 90 orientation add def} if /scaling 72 resolution div def linewidth setlinewidth 1 setlinecap pagedimensions xcenter ycenter translate orientation rotation mul rotate width 2 div neg height 2 div translate xoffset inch yoffset inch neg translate margin 2 div dup neg translate magnification dup aspectratio mul scale scaling scaling scale addmetrics 0 0 moveto } def /pagedimensions { useclippath userdict /gotpagebbox known not and { /pagebbox [clippath pathbbox newpath] def roundpage currentdict /roundpagebbox known and {roundpagebbox} if } if pagebbox aload pop 4 -1 roll exch 4 1 roll 4 copy landscape {4 2 roll} if sub /width exch def sub /height exch def add 2 div /xcenter exch def add 2 div /ycenter exch def userdict /gotpagebbox true put } def /addmetrics { /Symbol /S null Sdefs cf /Times-Roman /S1 StandardEncoding dup length array copy S1defs cf } def /pagesetup { /page exch def currentdict /pagedict known currentdict page known and { page load pagedict exch get cvx exec } if } def /decodingdefs [ {counttomark 2 idiv {y moveto show} repeat} {neg /y exch def counttomark 2 idiv {y moveto show} repeat} {neg moveto {2 index stringwidth pop sub exch div 0 32 4 -1 roll widthshow} repeat} {neg moveto {spacewidth sub 0.0 32 4 -1 roll widthshow} repeat} {counttomark 2 idiv {y moveto show} repeat} {neg setfunnytext} ] def /setdecoding {/t decodingdefs 3 -1 roll get bind def} bind def /w {neg moveto show} bind def /m {neg dup /y exch def moveto} bind def /done {/lastpage where {pop lastpage} if} def /f { dup /font exch def findfont exch dup /ptsize exch def scaling div dup /size exch def scalefont setfont linewidth ptsize mul scaling 10 mul div setlinewidth /spacewidth ( ) stringwidth pop def } bind def /changefont { /fontheight exch def /fontslant exch def currentfont [ 1 0 fontheight ptsize div fontslant sin mul fontslant cos div fontheight ptsize div 0 0 ] makefont setfont } bind def /sf {f} bind def /cf { dup length 2 idiv /entries exch def /chtab exch def /newencoding exch def /newfont exch def findfont dup length 1 add dict /newdict exch def {1 index /FID ne {newdict 3 1 roll put}{pop pop} ifelse} forall newencoding type /arraytype eq {newdict /Encoding newencoding put} if newdict /Metrics entries dict put newdict /Metrics get begin chtab aload pop 1 1 entries {pop def} for newfont newdict definefont pop end } bind def % % A few arrays used to adjust reference points and character widths in some % of the printer resident fonts. If square roots are too high try changing % the lines describing /radical and /radicalex to, % % /radical [0 -75 550 0] % /radicalex [-50 -75 500 0] % % Move braceleftbt a bit - default PostScript character is off a bit. % /Sdefs [ /bracketlefttp [201 500] /bracketleftbt [201 500] /bracketrighttp [-81 380] /bracketrightbt [-83 380] /braceleftbt [203 490] /bracketrightex [220 -125 500 0] /radical [0 0 550 0] /radicalex [-50 0 500 0] /parenleftex [-20 -170 0 0] /integral [100 -50 500 0] /infinity [10 -75 730 0] ] def /S1defs [ /underscore [0 80 500 0] /endash [7 90 650 0] ] def % % Tries to round clipping path dimensions, as stored in array pagebbox, so they % match one of the known sizes in the papersizes array. Lower left coordinates % are always set to 0. % /roundpagebbox { 7 dict begin /papersizes [8.5 inch 11 inch 14 inch 17 inch] def /mappapersize { /val exch def /slop .5 inch def /diff slop def /j 0 def 0 1 papersizes length 1 sub { /i exch def papersizes i get val sub abs dup diff le {/diff exch def /j i def} {pop} ifelse } for diff slop lt {papersizes j get} {val} ifelse } def pagebbox 0 0 put pagebbox 1 0 put pagebbox dup 2 get mappapersize 2 exch put pagebbox dup 3 get mappapersize 3 exch put end } bind def %%EndProlog %%BeginSetup mark /linewidth 0.5 def /xoffset 0 def /yoffset 0 def /#copies 1 store /magnification 1 def %%FormsPerPage: 1 /formsperpage 1 def /landscape false def /resolution 720 def setup 2 setdecoding %%EndSetup %%Page: 1 1 /saveobj save def mark 1 pagesetup 12 B f (Multilevel Security in the UNIX Tradition)5 2160 1 1800 1230 t 10 I f (M. D. McIlroy)2 576 1 2592 1470 t (J. A. Reeds)2 443 1 2658 1650 t 10 R f (AT&T Bell Laboratories)2 993 1 2383 1830 t (Murray Hill, New Jersey 07974)4 1267 1 2246 1950 t 10 I f (ABSTRACT)2643 2330 w 10 R f (The original)1 503 1 1330 2590 t 9 R f (UNIX)1868 2590 w 10 S f (\322)2093 2590 w 10 R f ( designed to be small and intelligible, achieving)7 2001(system was)1 470 2 2209 2590 t ( this spirit we have designed)5 1135( In)1 133( a profusion of features.)4 950(power by generality rather than by)5 1382 4 1080 2710 t ( IX)1 169( Labs research system.)3 945(and implemented IX, a multilevel-secure variant of the Bell)8 2486 3 1080 2830 t ( public-sector uses other than)4 1214(aims at sound, practical security, suitable for private- and)8 2386 2 1080 2950 t ( major security features are: private paths for)7 1862( The)1 214(critical national-security applications.)2 1524 3 1080 3070 t (safe cooperation among privileged processes, structured management of privilege, and)9 3600 1 1080 3190 t ( of)1 110( labels)1 259( The)1 206(security labels to classify information for purposes of privacy and integrity.)10 3025 4 1080 3310 t ( call that involves data flow and are)7 1562(files and processes are checked at every system)7 2038 2 1080 3430 t (adjusted dynamically to assure that labels on outputs reflect labels on inputs.)11 3064 1 1080 3550 t 10 B f (1. INTRODUCTION)1 925 1 720 3910 t 10 R f (We have built)2 584 1 970 4066 t 10 I f (IX,)1591 4066 w 10 R f (an experimental ``multilevel secure'' variant of the)6 2111 1 1747 4066 t 9 R f (UNIX)3893 4066 w 10 R f ( IX)1 168(operating system.)1 717 2 4155 4066 t (supports document classification with)3 1528 1 720 4186 t 10 I f (mandatory access control)2 1042 1 2278 4186 t 10 R f ( must yield classified out-)4 1049(; classified input)2 671 2 3320 4186 t ( from that of Bell and LaPadula, which is espoused in the National Computer)13 3112( security model differs)3 904(put. Its)1 304 3 720 4306 t (Security Center's ``Orange Book.'')3 1413 1 720 4426 t 8 R f (1, 2)1 120 1 2141 4394 t 10 R f (This paper is an overview; details are given elsewhere.)8 2186 1 2286 4426 t 8 R f (3-5)4480 4394 w 10 I f (IX preserves data classification.)3 1309 1 970 4582 t 10 R f (Every file and every process has a)6 1404 1 2336 4582 t 10 I f (label,)3773 4582 w 10 R f (which tells its classifica-)3 1009 1 4031 4582 t ( transfers may only happen in a)6 1289( Data)1 244( are allowed to see only information they are cleared for.)10 2323(tion. Users)1 464 4 720 4702 t ( during computation to)3 929( of processes or files may adjust automatically)7 1878( Labels)1 320(direction of increasing labels.)3 1193 4 720 4822 t ( are dis-)2 335( Labels)1 323( are classified at least as high as the inputs from which they derive.)13 2764(guarantee that outputs)2 898 4 720 4942 t (cussed more fully in \2472.)4 963 1 720 5062 t 10 I f (IX clips the wings of the superuser.)6 1456 1 970 5218 t 10 R f ( usual)1 245(Activities, such as declassification, that deviate from the)7 2311 2 2484 5218 t ( accomplished only with the exercise of)6 1658(labeling rules can be)3 862 2 720 5338 t 10 I f (privilege.)3277 5338 w 10 R f (A trusted user may be endowed)5 1321 1 3719 5338 t ( exercised only through trusted programs that have been certified)9 2606(with one or more privileges, which may be)7 1714 2 720 5458 t ( vetted by a)3 478( normal usage each use of privilege is)7 1547( In)1 139(for those privileges.)2 808 4 720 5578 t 10 I f (privilege server,)1 659 1 3722 5578 t 10 R f (which confirms)1 629 1 4411 5578 t ( basic privi-)2 479( The)1 206( hands out exactly the privileges needed for the operation at hand.)11 2639(the client's authority and)3 996 4 720 5698 t (lege mechanism is described in \2473; its use is further explained in \2476.)12 2733 1 720 5818 t 10 I f (IX provides private communication paths)4 1694 1 970 5974 t 10 R f ( privileged)1 441(and methods for mutual confirmation between)5 1900 2 2699 5974 t (processes \(\2474\).)1 598 1 720 6094 t 10 I f (IX safeguards outside communications.)3 1619 1 970 6250 t 10 R f ( or communication)2 785(External media such as tape cartridges)5 1602 2 2653 6250 t ( authenticate the clearance)3 1063( code has the duty to)5 844( That)1 237(ports can be opened and labeled only by trusted code.)9 2176 4 720 6370 t ( used like any other file.)5 990( trusted code has set the label, an external medium can be)11 2339( After)1 264(of the destination.)2 727 4 720 6490 t ( as easy to use as in ordinary)7 1208(In particular network connections, once established, are)6 2282 2 720 6610 t 9 R f (UNIX)4242 6610 w 10 R f (systems. We)1 539 1 4501 6610 t ( machines and ordinary)3 970(routinely cross-mount the file systems of IX)6 1831 2 720 6730 t 9 R f (UNIX)3556 6730 w 10 R f (machines for the exchange of)4 1222 1 3818 6730 t (unclassified data.)1 693 1 720 6850 t ( expected that we)3 719( We)1 195(There is little experience with multilevel systems in nonmilitary applications.)9 3156 3 970 7006 t ( we would learn more by trying a model that was not literally)12 2519(would learn by trying to make one, and that)8 1801 2 720 7126 t ( the flexibility and spontaneity of)5 1370( to preserve as much of)5 963( Wishing)1 396(Orange Bookish.)1 684 4 720 7246 t 9 R f (UNIX)4164 7246 w 10 R f (as possible, we)2 618 1 4422 7246 t cleartomark showpage saveobj restore %%EndPage: 1 1 %%Page: 2 2 /saveobj save def mark 2 pagesetup 10 R f (- 2 -)2 166 1 2797 480 t ( Thus,)1 283(have taken less draconian measures against covert channels than the Orange Book suggests \(\2472.2\).)13 4037 2 720 840 t ( protect information from automated theft by unauthorized users and from accidental disclosure, but)13 4032(IX will)1 288 2 720 960 t ( from being leaked laboriously by dishonest programs run on behalf of autho-)12 3209(will not perfectly protect it)4 1111 2 720 1080 t (rized people.)1 515 1 720 1200 t ( shell scripts and)3 687(We wished particularly to preserve the simplicity of programming in the large with)12 3383 2 970 1356 t ( of the need to foresee just what labels a)9 1653( support of this goal, dynamic labels eliminate some)8 2141(pipelines. In)1 526 3 720 1476 t ( labeled exactly, not)3 807( potential benefit is more accurate labeling, for output files can be)11 2628( A)1 122(run might produce.)2 763 4 720 1596 t (merely with a convenient umbrella label.)5 1636 1 720 1716 t ( model, unlike Bell-LaPadula, was intended to make security calculations for users)11 3430(In short, the IX)3 640 2 970 1872 t (rather than against them.)3 987 1 720 1992 t 10 B f ( flow versus subject/object models)4 1448(1.1. Data)1 405 2 720 2232 t 10 R f ( on)1 132(Modern computer systems, where files may be fronts for server processes and processes may act)14 3938 2 970 2388 t ( speaking, that)2 600( Roughly)1 405( model.)1 310(behalf of no person, accord poorly with the Bell-LaPadula subject/object)9 3005 4 720 2508 t ( plus a collection of isolated)5 1134(model describes the computer as a filing cabinet)7 1934 2 720 2628 t 10 I f (subjects)3815 2628 w 10 R f (who visit it to consult)4 876 1 4164 2628 t (or deposit)1 402 1 720 2748 t 10 I f (objects.)1152 2748 w 10 R f ( real people, are branded with)5 1205(The subjects, usually processes understood as proxies for)7 2320 2 1515 2748 t ( A)1 141( usually files.)2 574( objects are)2 490( The)1 223(security clearances.)1 798 5 720 2868 t 10 I f (reference monitor)1 737 1 2990 2868 t 10 R f (guarding the cabinet interdicts)3 1269 1 3771 2868 t ( the beginning)2 580( At)1 154( of public files by cleared people.)6 1357(access to secret files by uncleared people or deposition)8 2229 4 720 2988 t ( session, or ``day at the office,'' a person must select a legitimate clearance and stick to it.)17 3626(of each computer)2 694 2 720 3108 t ( involving data at different classification levels are constrained to run at the highest of)14 3573(Ongoing activities)1 747 2 720 3228 t ( communi-)1 437( Interprocess)1 538( had to be classified.)4 822(those levels, much as if a lunch order from a classified meeting)11 2523 4 720 3348 t ( becomes)1 376( It)1 113( then happen without going through the filing cabinet.)8 2173( Transactions)1 562(cation complicates matters.)2 1096 5 720 3468 t (necessary to invent subjects unconnected with persons and to identify some subjects also as objects.)14 3992 1 720 3588 t ( simply recognizes)2 767( It)1 120( models do.)2 482(IX caters for more realistic ``office protocols'' than subject/object)8 2701 4 970 3744 t ( memory is contami-)3 836( flowing out from a place that has)7 1366( Data)1 241(places between which data occasionally flows.)5 1877 4 720 3864 t ( however,)1 396( Nothing,)1 406( labels must be tracked from place to place.)8 1756(nated by data that has flowed in; hence data)8 1762 4 720 3984 t ( orders can leave classified meet-)5 1326( Lunch)1 305( at different levels.)3 748(prevents a succession of actions from happening)6 1941 4 720 4104 t ( utterly freely, because the computer is charged with assuring that the lunch order not be)15 3706(ings, albeit not)2 614 2 720 4224 t ( ultimately counts is that data leaving the computer should)9 2452( What)1 280(written on the back of a secret report.)7 1588 3 720 4344 t ( agents \(subjects\) do not appear in the model at all; but)11 2211( The)1 207( agents who are eligible to receive it.)7 1483(reach only)1 419 4 720 4464 t (their limitations appear as constraints on the labels of data flowing to output ports.)13 3292 1 720 4584 t 10 B f (1.2. Problems)1 605 1 720 4824 t 10 R f ( the label of a file must remain constant while the file is in use, so labels)16 3027(In Bell-LaPadula systems)2 1043 2 970 4980 t ( IX, by contrast, where labels of files and processes change)10 2380( In)1 136(need be checked only when files are opened.)7 1804 3 720 5100 t ( challenge: to)2 548( label checking posed a)4 947( Continuous)1 516(underfoot, labels must be checked on every data transfer.)8 2309 4 720 5220 t ( also provided reassurance; nothing depends on)6 1963( It)1 123( incurring unacceptable overhead.)3 1387(check labels without)2 847 4 720 5340 t ( untoward side)2 608( special system mechanisms are needed to prevent)7 2067( No)1 181(the fiction that labels never change.)5 1464 4 720 5460 t (effects arising from a change in the label of a file or of a terminal session.)15 2943 1 720 5580 t ( for which the literature offers)5 1219( Privilege,)1 440( to do.)2 261(In retrospect, continuous label checking was not hard)7 2150 4 970 5736 t ( have found ourselves ever more concerned with confining)8 2392( We)1 194( a more recalcitrant matter.)4 1101(no models, was)2 633 4 720 5856 t ( among cooperating privileged processes, and guaranteeing the)7 2518(the use of privilege, establishing mutual trust)6 1802 2 720 5976 t ( concerns were addressed by the notion of private communication)9 2652( These)1 291( communications.)1 714(integrity of their)2 663 4 720 6096 t (paths \(\2474\) and a structured privilege server \(\2476.1\).)7 2003 1 720 6216 t 10 B f (2. LABELS)1 521 1 720 6456 t 10 R f ( technical reasons,)2 750( For)1 197( has a classification label, as does every process.)8 1998(Every file, device, and pipe)4 1125 4 970 6612 t ( Furthermore,)1 582( pointer, which gives the current location in an open file, also has a label \(\2477.2\).)15 3306(every seek)1 432 3 720 6732 t (every process and every file system has a)7 1676 1 720 6852 t 10 I f (ceiling,)2425 6852 w 10 R f ( sys-)1 191( File)1 211(a label below which all transactions must stay.)7 1887 3 2751 6852 t ( ceilings are a kind of)5 917( Process)1 367(tem ceilings help in managing remote file systems and exportable media.)10 3036 3 720 6972 t ( Bell-LaPadula subject labels \320 preventing processes from)7 2462( partly fulfill the function of)5 1184(insurance. They)1 674 3 720 7092 t ( also prevent)2 512( They)1 257(getting into overly sensitive places, from which they could leak data by covert channels.)13 3551 3 720 7212 t cleartomark showpage saveobj restore %%EndPage: 2 2 %%Page: 3 3 /saveobj save def mark 3 pagesetup 10 R f (- 3 -)2 166 1 2797 480 t ( inadvertent excursions to high level that result in)8 2080(the injection of noise by writing into high places, and)9 2240 2 720 840 t (overclassified outputs.)1 899 1 720 960 t ( of two special symbols,)4 1021(A label is an element of a mathematical lattice \(\2472.6\) or one)11 2527 2 970 1116 t 10 B f (yes)4556 1116 w 10 R f (and)4727 1116 w 10 B f (no)4909 1116 w 10 R f (.)5015 1116 w (Label)720 1236 w 10 B f (yes)975 1236 w 10 R f ( files that may always be read or written, notably)9 1970(is intended for)2 583 2 1136 1236 t 10 CW f (/dev/null)3716 1236 w 10 R f ( file labeled)2 475(. A)1 149 2 4256 1236 t 10 B f (yes)4907 1236 w 10 R f ( Label)1 281( what comes out is unrelated to what goes in.)9 1834(is perfectly amnesiac;)2 876 3 720 1356 t 10 B f (no)3740 1356 w 10 R f (is intended for files that can-)5 1165 1 3875 1356 t ( external device file \(terminal, communi-)5 1651( Every)1 290( written without the intervention of privilege.)6 1819(not be read or)3 560 4 720 1476 t (cation link, disk, etc\) is labeled)5 1246 1 720 1596 t 10 B f (no)1991 1596 w 10 R f (when not in use.)3 655 1 2122 1596 t (The label of an entity)4 862 1 970 1752 t 10 I f (x)1859 1752 w 10 R f (\(process, file, or seek pointer\) is denoted)6 1642 1 1931 1752 t 10 I f (L)3601 1752 w 10 R f (\()3665 1752 w 10 I f (x)3706 1752 w 10 R f ( ceiling of an entity \(pro-)5 1016(\). The)1 266 2 3758 1752 t ( file system\) is denoted)4 967(cess or)1 285 2 720 1872 t 10 I f (C)2007 1872 w 10 R f (\()2082 1872 w 10 I f (x)2123 1872 w 10 R f ( write)1 240( We)1 198( may vary with time.)4 870(\). Labels)1 384 4 2175 1872 t 10 I f (L)3902 1872 w 10 R f (\()3966 1872 w 10 I f (x)4007 1872 w 10 R f (,)4059 1872 w 10 I f (t)4116 1872 w 10 R f (\) or)1 151 1 4152 1872 t 10 I f (C)4338 1872 w 10 R f (\()4413 1872 w 10 I f (x)4454 1872 w 10 R f (,)4506 1872 w 10 I f (t)4563 1872 w 10 R f (\) when the)2 441 1 4599 1872 t (time)720 1992 w 10 I f (t)929 1992 w 10 R f ( inequality)1 431( The)1 211( may be compared.)3 777(matters. Labels)1 641 4 988 1992 t 10 I f (L)3079 1992 w 10 R f (\()3143 1992 w 10 I f (x)3184 1992 w 10 R f (\))3236 1992 w 10 S f (\243)3318 1992 w 10 I f (L)3414 1992 w 10 R f (\()3478 1992 w 10 I f (y)3519 1992 w 10 R f (\) holds when either)3 786 1 3571 1992 t 10 I f (x)4388 1992 w 10 R f (or)4463 1992 w 10 I f (y)4577 1992 w 10 R f (is labeled)1 387 1 4653 1992 t 10 B f (yes)720 2112 w 10 R f (or when)1 324 1 878 2112 t 10 I f (L)1227 2112 w 10 R f (\()1291 2112 w 10 I f (y)1332 2112 w 10 R f (\) dominates)1 469 1 1384 2112 t 10 I f (L)1878 2112 w 10 R f (\()1942 2112 w 10 I f (x)1983 2112 w 10 R f (\) in the lattice.)3 577 1 2035 2112 t 10 B f ( flow policy)2 489(2.1. Data)1 405 2 720 2352 t 10 R f ( ``upward'')1 467( general an unprivileged process can only cause)7 1973( In)1 143(Data flow results from system calls.)5 1487 4 970 2508 t ( data flows from source)4 974( When)1 296( all pertinent ceilings.)3 890(data flow below)2 661 4 720 2628 t 10 I f (x)3574 2628 w 10 R f (to destination)1 550 1 3651 2628 t 10 I f (y)4234 2628 w 10 R f (, it is required that)4 762 1 4278 2628 t 10 I f (L)720 2748 w 10 R f (\()784 2748 w 10 I f (x)825 2748 w 10 R f (\))877 2748 w 10 S f (\243)959 2748 w 10 I f (L)1055 2748 w 10 R f (\()1119 2748 w 10 I f (y)1160 2748 w 10 R f ( if the causative process is)5 1055(\). Moreover,)1 528 2 1212 2748 t 10 I f (p)2822 2748 w 10 R f (, then)1 224 1 2872 2748 t 10 I f (L)3123 2748 w 10 R f (\()3187 2748 w 10 I f (y)3228 2748 w 10 R f (\))3280 2748 w 10 S f (\243)3362 2748 w 10 I f (C)3458 2748 w 10 R f (\()3533 2748 w 10 I f (p)3574 2748 w 10 R f (\). If)1 176 1 3632 2748 t 10 I f (x)3835 2748 w 10 R f (\(or)3907 2748 w 10 I f (y)4051 2748 w 10 R f (\) belongs to file system)4 945 1 4095 2748 t 10 I f (z)720 2868 w 10 R f (, then)1 222 1 759 2868 t 10 I f (L)1006 2868 w 10 R f (\()1070 2868 w 10 I f (x)1111 2868 w 10 R f (\))1163 2868 w 10 S f (\243)1245 2868 w 10 I f (C)1341 2868 w 10 R f (\()1416 2868 w 10 I f (z)1457 2868 w 10 R f (\) \(or)1 174 1 1504 2868 t 10 I f (L)1703 2868 w 10 R f (\()1767 2868 w 10 I f (y)1808 2868 w 10 R f (\))1860 2868 w 10 S f (\243)1942 2868 w 10 I f (C)2038 2868 w 10 R f (\()2113 2868 w 10 I f (z)2154 2868 w 10 R f (\)\).)2201 2868 w ( the label of any memory)5 1036( general)1 324( In)1 139(Data also flows in time.)4 976 4 970 3024 t 10 I f (x)3477 3024 w 10 R f (must satisfy)1 488 1 3553 3024 t 10 I f (L)4073 3024 w 10 R f (\()4137 3024 w 10 I f (x)4178 3024 w 10 R f (,)4230 3024 w 10 I f (t)4287 3024 w 7 R f (1)4326 3044 w 10 R f (\))4377 3024 w 10 S f (\243)4459 3024 w 10 I f (L)4555 3024 w 10 R f (\()4619 3024 w 10 I f (x)4660 3024 w 10 R f (,)4712 3024 w 10 I f (t)4769 3024 w 7 R f (2)4808 3044 w 10 R f (\) for)1 181 1 4859 3024 t 10 I f (t)720 3144 w 7 R f (1)759 3164 w 10 S f (\243)834 3144 w 10 I f (t)921 3144 w 7 R f (2)960 3164 w 10 R f ( of an unprivileged process must decrease monotonically with time:)9 3362( ceiling)1 371(. The)1 304 3 1003 3144 t 10 I f (C)720 3264 w 10 R f (\()795 3264 w 10 I f (p)836 3264 w 10 R f (,)894 3264 w 10 I f (t)951 3264 w 7 R f (2)990 3284 w 10 R f (\))1041 3264 w 10 S f (\243)1123 3264 w 10 I f (C)1219 3264 w 10 R f (\()1294 3264 w 10 I f (p)1335 3264 w 10 R f (,)1393 3264 w 10 I f (t)1450 3264 w 7 R f (1)1489 3284 w 10 R f (\) for)1 174 1 1540 3264 t 10 I f (t)1739 3264 w 7 R f (1)1778 3284 w 10 S f (\243)1853 3264 w 10 I f (t)1940 3264 w 7 R f (2)1979 3284 w 10 R f ( ceiling of a mounted file system cannot change.)8 1933(. The)1 230 2 2022 3264 t ( reset when it is reinitialized, that is, when its entire contents are)12 2755(The label of a memory may be)6 1315 2 970 3420 t ( is argumentless execution of a file, which replaces process memory)10 2829( reinitialization action)2 901(replaced. One)1 590 3 720 3540 t ( truncation, however, is not)4 1181( File)1 227( is absolute file seek, which replaces a seek pointer.)9 2248(\(\2472.3\). Another)1 664 4 720 3660 t ( reinitialization, because some settable properties of a file \(owner and permissions\) persist)12 3692(deemed to be a)3 628 2 720 3780 t (across the operation.)2 823 1 720 3900 t ( at a source are received)5 1039( originating)1 479( Bits)1 227(We understand data flow to be a direct transfer of bits.)10 2325 4 970 4056 t ( mechanisms of communicating information are deemed to be covert)9 2838( Other)1 287(unchanged at the destination.)3 1195 3 720 4176 t (channels \(\2472.2\).)1 640 1 720 4296 t ( file seek may)3 572( A)1 127( file names in a directory.)5 1045(Reads and writes constitute data flow, as does creation of)9 2326 4 970 4452 t ( customary permission bits of a file and)7 1621( The)1 211( seek pointer can be read.)5 1043(participate in data flow because the)5 1445 4 720 4572 t ( the other)2 403( On)1 185( date, which can be set arbitrarily, may participate in data flow.)11 2665(the so-called modification)2 1067 4 720 4692 t ( of which can be)4 667(hand, the inode number \(serial position in the file system\) and the file change date, neither)15 3653 2 720 4812 t ( readable kernel data, such as login names and userids,)9 2208( Directly)1 380( flow.)1 236(set directly, do not participate in data)6 1496 4 720 4932 t ( error returns)2 540( Although)1 438( files do not.)3 530(participate in data flow; other kernel data, such as the table of open)12 2812 4 720 5052 t ( one-bit)1 327(from system calls do not constitute data flow, process exit status does; status is censored to a)16 3993 2 720 5172 t (success/fail indication unless the flow is upward.)6 1956 1 720 5292 t 10 B f ( channels)1 398(2.2. Covert)1 493 2 720 5532 t 10 R f ( get a process with a high enough label, the spy could read nuggets of infor-)15 3058(If an uncleared spy could)4 1012 2 970 5688 t ( example, the fact of a file's being classified can be)10 2087( For)1 193( out via covert channels.)4 989(mation and smuggle them)3 1051 4 720 5808 t ( communicate information: a high process conditionally writes in a file and a low process detects)15 4025(used to)1 295 2 720 5928 t ( bit of infor-)3 500( One)1 219( read fails if the write occurred.)6 1272( The)1 209(whether the write happened by attempting to read it.)8 2120 5 720 6048 t ( creation, a write, a read, and a file deletion to wipe the)12 2257(mation has been communicated at the cost of a file)9 2063 2 720 6168 t (slate clean.)1 443 1 720 6288 t ( intrusion by preventing uncleared users from obtaining access to high)10 2857(Process ceilings guard against)3 1213 2 970 6444 t ( horses may be)3 626( Trojan)1 326( a Trojan horse, however, can leak via covert channels.)9 2283( cleared mole or)3 678(places. A)1 407 5 720 6564 t ( during ordinary work, so)4 1058( ceiling of highly cleared users can be kept low)9 1963( The)1 214(countered in several ways.)3 1085 4 720 6684 t ( labels \(\2472.7\) can be used to protect highly)8 1700( Integrity)1 395(that a process label cannot rise to unintentional heights.)8 2225 3 720 6804 t ( auditing can detect mutations in programs.)6 1825( Static)1 293(cleared users against executing unapproved software.)5 2202 3 720 6924 t ( can reveal the exotic behavior of programs exploiting covert channels, most of which)13 3588(Dynamic auditing)1 732 2 720 7044 t (involve an unusual ratio of file or process creation to other activities.)11 2751 1 720 7164 t cleartomark showpage saveobj restore %%EndPage: 3 3 %%Page: 4 4 /saveobj save def mark 4 pagesetup 10 R f (- 4 -)2 166 1 2797 480 t ( channels of signifi-)3 823(We have determined the typical bandwidth of covert channels, and have closed)11 3247 2 970 840 t ( covert channels have been closed for)6 1543( Some)1 286( whether or not they involve direct data flow.)8 1869(cant bandwidth)1 622 4 720 960 t ( deleting from nor searching in a directory entails overt)9 2231( example, neither)2 694( For)1 191(reasons other than bandwidth.)3 1204 4 720 1080 t ( frustrate prowlers, and on deletion to prevent med-)8 2070( labels are checked on search to)6 1280( Nevertheless)1 568(data flow.)1 402 4 720 1200 t (dling above a process ceiling.)4 1184 1 720 1320 t 10 B f ( measures and their dangers)4 1205(2.3. Anti-inflationary)1 928 2 720 1560 t 10 R f ( ``empty'' process gets)3 929( An)1 176( labels as low as possible, IX has a ``drop-on-exec'' feature.)10 2438(To help keep)2 527 4 970 1716 t ( labels of code that the process executes and data)9 1962(the bottom label, which will later rise as usual to cover the)11 2358 2 720 1836 t ( if it has no arguments and has no open files beyond the standard)13 2653( process is deemed empty)4 1042( A)1 126(that it reads.)2 499 4 720 1956 t ( drop-on-exec, a user in a high session can print a low docu-)12 2487( With)1 257( error, and control\).)3 799(four \(input, output,)2 777 4 720 2076 t (ment without gratuitous overclassification, by using a command like*)8 2790 1 720 2196 t 10 CW f (pr