%!PS
%%Version: 3.3.1
%%DocumentFonts: (atend)
%%Pages: (atend)
%%EndComments
%
% Version 3.3.1 prologue for troff files.
%

/#copies 1 store
/aspectratio 1 def
/formsperpage 1 def
/landscape false def
/linewidth .3 def
/magnification 1 def
/margin 0 def
/orientation 0 def
/resolution 720 def
/rotation 1 def
/xoffset 0 def
/yoffset 0 def

/roundpage true def
/useclippath true def
/pagebbox [0 0 612 792] def

/R  /Times-Roman def
/I  /Times-Italic def
/B  /Times-Bold def
/BI /Times-BoldItalic def
/H  /Helvetica def
/HI /Helvetica-Oblique def
/HB /Helvetica-Bold def
/HX /Helvetica-BoldOblique def
/CW /Courier def
/CO /Courier def
/CI /Courier-Oblique def
/CB /Courier-Bold def
/CX /Courier-BoldOblique def
/PA /Palatino-Roman def
/PI /Palatino-Italic def
/PB /Palatino-Bold def
/PX /Palatino-BoldItalic def
/Hr /Helvetica-Narrow def
/Hi /Helvetica-Narrow-Oblique def
/Hb /Helvetica-Narrow-Bold def
/Hx /Helvetica-Narrow-BoldOblique def
/KR /Bookman-Light def
/KI /Bookman-LightItalic def
/KB /Bookman-Demi def
/KX /Bookman-DemiItalic def
/AR /AvantGarde-Book def
/AI /AvantGarde-BookOblique def
/AB /AvantGarde-Demi def
/AX /AvantGarde-DemiOblique def
/NR /NewCenturySchlbk-Roman def
/NI /NewCenturySchlbk-Italic def
/NB /NewCenturySchlbk-Bold def
/NX /NewCenturySchlbk-BoldItalic def
/ZD /ZapfDingbats def
/ZI /ZapfChancery-MediumItalic def
/S  /S def
/S1 /S1 def
/GR /Symbol def

/inch {72 mul} bind def
/min {2 copy gt {exch} if pop} bind def

/setup {
	counttomark 2 idiv {def} repeat pop

	landscape {/orientation 90 orientation add def} if
	/scaling 72 resolution div def
	linewidth setlinewidth
	1 setlinecap

	pagedimensions
	xcenter ycenter translate
	orientation rotation mul rotate
	width 2 div neg height 2 div translate
	xoffset inch yoffset inch neg translate
	margin 2 div dup neg translate
	magnification dup aspectratio mul scale
	scaling scaling scale

	addmetrics
	0 0 moveto
} def

/pagedimensions {
	useclippath userdict /gotpagebbox known not and {
		/pagebbox [clippath pathbbox newpath] def
		roundpage currentdict /roundpagebbox known and {roundpagebbox} if
	} if
	pagebbox aload pop
	4 -1 roll exch 4 1 roll 4 copy
	landscape {4 2 roll} if
	sub /width exch def
	sub /height exch def
	add 2 div /xcenter exch def
	add 2 div /ycenter exch def
	userdict /gotpagebbox true put
} def

/addmetrics {
	/Symbol /S null Sdefs cf
	/Times-Roman /S1 StandardEncoding dup length array copy S1defs cf
} def

/pagesetup {
	/page exch def
	currentdict /pagedict known currentdict page known and {
		page load pagedict exch get cvx exec
	} if
} def

/decodingdefs [
	{counttomark 2 idiv {y moveto show} repeat}
	{neg /y exch def counttomark 2 idiv {y moveto show} repeat}
	{neg moveto {2 index stringwidth pop sub exch div 0 32 4 -1 roll widthshow} repeat}
	{neg moveto {spacewidth sub 0.0 32 4 -1 roll widthshow} repeat}
	{counttomark 2 idiv {y moveto show} repeat}
	{neg setfunnytext}
] def

/setdecoding {/t decodingdefs 3 -1 roll get bind def} bind def

/w {neg moveto show} bind def
/m {neg dup /y exch def moveto} bind def
/done {/lastpage where {pop lastpage} if} def

/f {
	dup /font exch def findfont exch
	dup /ptsize exch def scaling div dup /size exch def scalefont setfont
	linewidth ptsize mul scaling 10 mul div setlinewidth
	/spacewidth ( ) stringwidth pop def
} bind def

/changefont {
	/fontheight exch def
	/fontslant exch def
	currentfont [
		1 0
		fontheight ptsize div fontslant sin mul fontslant cos div
		fontheight ptsize div
		0 0
	] makefont setfont
} bind def

/sf {f} bind def

/cf {
	dup length 2 idiv
	/entries exch def
	/chtab exch def
	/newencoding exch def
	/newfont exch def

	findfont dup length 1 add dict
	/newdict exch def
	{1 index /FID ne {newdict 3 1 roll put}{pop pop} ifelse} forall

	newencoding type /arraytype eq {newdict /Encoding newencoding put} if

	newdict /Metrics entries dict put
	newdict /Metrics get
	begin
		chtab aload pop
		1 1 entries {pop def} for
		newfont newdict definefont pop
	end
} bind def

%
% A few arrays used to adjust reference points and character widths in some
% of the printer resident fonts. If square roots are too high try changing
% the lines describing /radical and /radicalex to,
%
%	/radical	[0 -75 550 0]
%	/radicalex	[-50 -75 500 0]
%
% Move braceleftbt a bit - default PostScript character is off a bit.
%

/Sdefs [
	/bracketlefttp		[201 500]
	/bracketleftbt		[201 500]
	/bracketrighttp		[-81 380]
	/bracketrightbt		[-83 380]
	/braceleftbt		[203 490]
	/bracketrightex		[220 -125 500 0]
	/radical		[0 0 550 0]
	/radicalex		[-50 0 500 0]
	/parenleftex		[-20 -170 0 0]
	/integral		[100 -50 500 0]
	/infinity		[10 -75 730 0]
] def

/S1defs [
	/underscore		[0 80 500 0]
	/endash			[7 90 650 0]
] def
%
% Tries to round clipping path dimensions, as stored in array pagebbox, so they
% match one of the known sizes in the papersizes array. Lower left coordinates
% are always set to 0.
%

/roundpagebbox {
    7 dict begin
	/papersizes [8.5 inch 11 inch 14 inch 17 inch] def

	/mappapersize {
		/val exch def
		/slop .5 inch def
		/diff slop def
		/j 0 def
		0 1 papersizes length 1 sub {
			/i exch def
			papersizes i get val sub abs
			dup diff le {/diff exch def /j i def} {pop} ifelse
		} for
		diff slop lt {papersizes j get} {val} ifelse
	} def

	pagebbox 0 0 put
	pagebbox 1 0 put
	pagebbox dup 2 get mappapersize 2 exch put
	pagebbox dup 3 get mappapersize 3 exch put
    end
} bind def

%%EndProlog
%%BeginSetup
mark
/linewidth 0.5 def
/xoffset 0 def
/yoffset 0 def
/#copies 1 store
/magnification 1 def
%%FormsPerPage: 1
/formsperpage 1 def

/landscape false def
/resolution 720 def
setup
2 setdecoding
%%EndSetup
%%Page: 1 1
/saveobj save def
mark
1 pagesetup
12 B f
(Multilevel Windows on a Single-level Terminal)5 2410 1 1645 1230 t
12 R f
(\262)4055 1230 w
10 I f
(M. D. McIlroy)2 576 1 2592 1470 t
(J. A. Reeds)2 443 1 2658 1650 t
10 R f
(AT&T Bell Laboratories)2 993 1 2383 1830 t
(Murray Hill, New Jersey 07974)4 1267 1 2246 1950 t
10 I f
(ABSTRACT)2643 2330 w
10 R f
( in a companion paper, ``Multilevel security)6 1767(Outboard from the IX system described)5 1583 2 1330 2590 t
( are ``intelligent'' terminals that contain a local operating system to)10 2786(with fewer fetters,'')2 814 2 1080 2710 t
( of memory)2 512(support multiple windows and downloaded programs, all without benefit)8 3088 2 1080 2830 t
( in the host mediates between \(multiple\) shell sessions)8 2179( program)1 365( A)1 124(management hardware.)1 932 4 1080 2950 t
( needs to run as a privi-)6 991( run multilevel windows, the host program)6 1750( To)1 169(and the terminal.)2 690 4 1080 3070 t
( Very)1 260( terminal.)1 394(leged program, keep track of labels, and monitor the trustedness of the)11 2946 3 1080 3190 t
(small changes in the terminal program enforce mandatory security policy.)9 2950 1 1080 3310 t
10 I f
(Mux,)970 3586 w
10 R f
(the manager of)2 610 1 1202 3586 t
10 I f
(layers,)1843 3586 w
10 R f
(or windows, for Teletype 5620 and related terminals,)7 2163 1 2143 3586 t
8 R f
(1, 2)1 120 1 4314 3554 t
10 R f
(poses difficult)1 575 1 4465 3586 t
( behaves as a separate virtual terminal serving its)8 2005( principle, each layer on a terminal)6 1430( In)1 140(security problems.)1 745 4 720 3706 t
( we wish to run each layer with)7 1257( get the most out of the terminal,)7 1305( To)1 161(own shell and associated process group.)5 1597 4 720 3826 t
( is difficult)2 447( This)1 232( the formal security policy.)4 1095( data transfers among layers must obey)6 1588( Hence)1 309(a separate label.)2 649 6 720 3946 t
( it is possible to)4 649( Worse,)1 340( is possible to copy data between layers.)7 1638( It)1 116( mutually accessible.)2 845(because layers are)2 732 6 720 4066 t
(download arbitrary programs into layers, and layers enjoy no hardware protection.)10 3287 1 720 4186 t
10 I f
(Mux)970 4342 w
10 R f
( the terminal)2 515(is implemented by a pair of programs, a host part that multiplexes data transfers to)14 3349 2 1176 4342 t
( host part multi-)3 675( The)1 216(and a downloaded terminal part\320a multiprocess operating system in its own right.)11 3429 3 720 4462 t
( layers that have different labels, the host)7 1704( it must deal with)4 727( Since)1 280(plexes bidirectional traffic to all layers.)5 1609 4 720 4582 t
(part must be trusted, with capability)5 1458 1 720 4702 t
10 I f
(Tnochk)2207 4702 w
10 R f
( part deals with the process group of a layer through)10 2109( host)1 196(. The)1 234 3 2501 4702 t
( pipe obeys the same labeling discipline as would a)9 2072( The)1 208( the process group sees as a terminal.)7 1501(a pipe, which)2 539 4 720 4822 t
( trusted processes with)3 916(terminal; its label is marked rigid and can be changed only by)11 2510 2 720 4942 t
10 I f
(T)4174 4942 w
7 R f
(mount)4241 4962 w
10 R f
(capability. To)1 583 1 4457 4942 t
( the host process enables signal)5 1281(detect label changes)2 813 2 720 5062 t
10 CW f
(SIGLAB)2845 5062 w
10 R f
( accepts all changes, secure in the knowl-)7 1693(. It)1 142 2 3205 5062 t
( change is relayed to the appropriate layer.)7 1716( Each)1 252( must have been made by trusted processes.)7 1762(edge they they)2 590 4 720 5182 t
( extant data; in effect the process group gets)8 1765(Upon a downward label change, the layer is reset to expunge all)11 2555 2 720 5302 t
(a new layer.)2 484 1 720 5422 t
( the full)2 331( does not implement)3 841( It)1 120(The terminal part knows only enough about labels to prevent leaks.)10 2778 4 970 5578 t
( attempts)1 366( are checked on every attempt to cut and paste data between layers;)12 2717( Labels)1 319(dynamic label scheme.)2 918 4 720 5698 t
( an extra precaution in the face of a shared address space, the terminal)13 2882( As)1 168( are ignored.)2 515(to copy downward)2 755 4 720 5818 t
(part erases all storage as it becomes free, including screen bitmaps, downloaded programs, and displayed)14 4320 1 720 5938 t
( logging of actions at the terminal is provided, however.)9 2239(text. No)1 347 2 720 6058 t
( hardware of the 5620 and have access to the)9 1813(Programs to be downloaded into layers run in the native)9 2257 2 970 6214 t
( An)1 173( of multiple labels must be trusted.)6 1392( code run in the presence)5 1004( Hence)1 306(entire address space of the terminal.)5 1445 5 720 6334 t
( the terminal;)2 543(untrusted program may be countenanced only if its label is identical to the label of all data in)17 3777 2 720 6454 t
( an untrusted program can-)4 1091( Moreover)1 447( processes.)1 436(otherwise it could write down to or read down from other)10 2346 4 720 6574 t
( nothing can prevent)3 863( Since)1 287( into the terminal while any private path reaches the terminal.)10 2604(not be loaded)2 566 4 720 6694 t
(untrusted code from modifying the terminal part of)7 2116 1 720 6814 t
10 I f
(mux)2872 6814 w
10 R f
( becomes untrusted as)3 909(itself, the terminal, which)3 1057 2 3074 6814 t
8 S1 f
(__________________)720 6914 w
8 R f
( earlier version of this paper appeared in)7 1294(\262 An)1 159 2 720 7014 t
8 I f
(Proceedings UNIX Security Workshop,)3 1254 1 2195 7014 t
8 R f
(Usenix Association, Portland, August)3 1209 1 3471 7014 t
(1988, 24-31.)1 406 1 720 7114 t
cleartomark
showpage
saveobj restore
%%EndPage: 1 1
%%Page: 2 2
/saveobj save def
mark
2 pagesetup
10 R f
(- 2 -)2 166 1 2797 480 t
( labels)1 261( The)1 208(soon as untrusted code is downloaded into it, must remain untrusted forever \261 or until rebooted.)15 3851 3 720 840 t
( practice we are more stringent and require all labels in an untrusted terminal)13 3081( In)1 135(stick at the untrusted value.)4 1104 3 720 960 t
(to have the same value as the the initial label of the terminal.)12 2427 1 720 1080 t
(To separate concerns,)2 888 1 970 1236 t
10 I f
(mux)1894 1236 w
10 R f
( by it.)2 255(was designed so that downloading would be done through it, not)10 2689 2 2096 1236 t
(Yet, to trust the terminal,)4 1025 1 720 1356 t
10 I f
(mux)1775 1356 w
10 R f
( into layers are)3 602( Downloads)1 509( code.)1 242(must assess the trustability of downloaded)5 1716 4 1971 1356 t
( program,)1 391(handled by a trusted specialist)4 1212 2 720 1476 t
10 I f
(32ld,)2351 1476 w
10 R f
(that passes data through)3 966 1 2582 1476 t
10 I f
(mux. Mux)1 421 1 3576 1476 t
10 R f
(ascertains the trustedness)2 1015 1 4025 1476 t
(of the downloader program and its connection to)7 1958 1 720 1596 t
10 I f
(mux.)2705 1596 w
10 R f
(The downloader is expected in turn to determine the)8 2093 1 2947 1596 t
( the main pipe between)4 954( Since)1 279(trustability of downloaded code.)3 1314 3 720 1716 t
10 I f
(32ld)3299 1716 w
10 R f
(and)3509 1716 w
10 I f
(mux)3685 1716 w
10 R f
( per-)1 193(is shared by a shell and)5 964 2 3883 1716 t
( other processes)2 639( prevent)1 350( over that pipe by using pex to)7 1220(haps by other processes, we protect communications)6 2111 4 720 1836 t
( is deemed trustworthy if it has capability)7 1783( downloader)1 513( The)1 222(from using the pipe until its status reverts.)7 1802 4 720 1956 t
10 I f
(T)720 2076 w
7 R f
(mount)787 2096 w
10 R f
( it relinquishes when downloading an untrusted file.)7 2076(, which)1 295 2 975 2076 t
10 I f
(Mux)3396 2076 w
10 R f
(observes the trustedness by examin-)4 1442 1 3598 2076 t
( the downloader is trusted,)4 1121( Unless)1 338( pex.)1 210(ing indicia of privilege that come with)6 1622 4 720 2196 t
10 I f
(mux)4052 2196 w
10 R f
(marks the terminal)2 781 1 4259 2196 t
(untrusted.)720 2316 w
( special coda from)3 767(A legitimate trusted download ends with a)6 1753 2 970 2472 t
10 I f
(32ld)3526 2472 w
10 R f
(that must be received while the)5 1300 1 3740 2472 t
( an imposter kills)3 719( If)1 125( exclusive use.)2 603(pipe is marked for)3 759 4 720 2592 t
10 I f
(32ld)2960 2592 w
10 R f
(in mid-download the download pipe becomes)5 1868 1 3172 2592 t
(unusable: the)1 531 1 720 2712 t
10 I f
(mux)1277 2712 w
10 R f
( state)1 210( This)1 229(end is marked for exclusive use, while the other end reverts to permissive use.)13 3132 3 1469 2712 t
( by the imposter to forge a download or to reassert process-)11 2436(prevents all IO activity, in particular, attempts)6 1884 2 720 2832 t
(exclusive access.)1 684 1 720 2952 t
10 I f
(Mux)1457 2952 w
10 R f
(detects the change in state with a failed)7 1594 1 1662 2952 t
10 I f
(read)3285 2952 w
10 R f
( The)1 209(system call and deletes the layer.)5 1334 2 3497 2952 t
(terminal remains trusted.)2 996 1 720 3072 t
(The standard version of)3 990 1 970 3228 t
10 I f
(mux)2000 3228 w
10 R f
(depends on)1 467 1 2206 3228 t
10 I f
(32ld)2713 3228 w
10 R f
(to download the terminal part before the host part)8 2108 1 2932 3228 t
( arrangement, which made it difficult to assure the host part that it is)13 2938( have abandoned this)3 891(begins. We)1 491 3 720 3348 t
( we let)2 272( Instead,)1 366(indeed talking to the correct terminal part.)6 1701 3 720 3468 t
10 I f
(mux)3087 3468 w
10 R f
(do that download itself, again protecting its)6 1759 1 3281 3468 t
( through the whole)3 779( fact, process-exclusive access is retained)5 1700( In)1 143(access to the terminal with pex.)5 1309 4 720 3588 t
10 I f
(mux)4685 3588 w
10 R f
(ses-)4885 3588 w
( curious division of labor, wherein downloading into the raw terminal and into layers is done by)16 3896(sion. This)1 424 2 720 3708 t
( existing programs that need to load into layers already know)10 2601(different agents, is marginally justifiable:)4 1719 2 720 3828 t
(about)720 3948 w
10 I f
(32ld,)967 3948 w
10 R f
(and the protocols differ, one being in hardware and one in software.)11 2707 1 1195 3948 t
10 I f
(Mux)970 4104 w
10 R f
( While)1 302( private path between user terminal and application program.)8 2495(also uses pex to provide a)5 1064 3 1179 4104 t
( pipe to)2 304(the terminal is trusted, a trusted user process running in a layer may issue a pex call on its)18 3635 2 720 4224 t
10 I f
(mux.)4686 4224 w
10 R f
(As)4929 4224 w
(in the special case of)4 831 1 720 4344 t
10 I f
(32ld)1576 4344 w
10 R f
(sketched above,)1 637 1 1779 4344 t
10 I f
(mux)2441 4344 w
10 R f
( pipe together)2 551(detects the new process-exclusive status of the)6 1857 2 2632 4344 t
( notifies the terminal part, which in turn)7 1642( It)1 118( privilege of the process that issued the call.)8 1806(with indicia of the)3 754 4 720 4464 t
( user then knows that new data typed in that layer are not)12 2423( The)1 217( visual mark.)2 543(gives the layer a distinctive)4 1137 4 720 4584 t
( private path mechanism can be used for confidential negotia-)9 2509( This)1 233(accessible by eavesdropping programs.)3 1578 3 720 4704 t
(tions, such as password collection, that should not pass through an untrusted terminal.)12 3434 1 720 4824 t
(Various flaws remain.)2 884 1 970 4980 t
( downloading a terminal simulator that could receive and)8 2320(First, the 5620 itself might be subverted by)7 1750 2 970 5136 t
(corrupt a later download of)4 1102 1 720 5256 t
10 I f
(mux.)1851 5256 w
10 R f
( giving a visual indication on the screen,)7 1636(This is impossible to do without)5 1308 2 2096 5256 t
( to detect such a gambit would be to download a)10 1991( way)1 196( One)1 221(but it could happen while nobody was looking.)7 1912 4 720 5376 t
( hard-to-compute numbers, then answers inquiries about the contents of ran-)10 3057(program that fills memory with)4 1263 2 720 5496 t
( be suspected of harboring other,)5 1313( it doesn't answer fast enough, the memory may)8 1922( If)1 116(domly chosen locations.)2 969 4 720 5616 t
( countermeasure would be to modify the hardware to provide an out-of-band)11 3255( Another)1 395(unwanted, code.)1 670 3 720 5736 t
( have taken neither precaution, counting instead on)7 2091( We)1 195(channel from the host to the native boot program.)8 2034 3 720 5856 t
(users avoiding the trap by booting the terminal afresh just before starting)11 2965 1 720 5976 t
10 I f
(mux.)3715 5976 w
10 R f
(Aside from its dependence)3 1079 1 3961 5976 t
( is sound: if a phony)5 884(on human behavior, this procedure)4 1441 2 720 6096 t
10 I f
(mux)3084 6096 w
10 R f
(were downloaded instead, it would not be)6 1751 1 3289 6096 t
(trusted, so multilevel data could not be accessed.)7 1950 1 720 6216 t
(Second, under)1 574 1 970 6372 t
10 I f
(mux,)1573 6372 w
10 R f
( gen-)1 206( For)1 193(the terminal practically becomes an extension of the operating system.)9 2848 3 1793 6372 t
( host computer should be extended to every)7 1767(uine safety, the physical security arrangements for the)7 2191 2 720 6492 t
10 I f
(mux)4707 6492 w
10 R f
(ter-)4902 6492 w
(minal, and especially to the terminal's ROM.)6 1804 1 720 6612 t
( path for session-authorizing negotiations outlined above, will not work with an)11 3346(Third, the private)2 724 2 970 6768 t
( question: how to perform an authorizing)6 1673( is only a special case of a more general)9 1650( This)1 235(untrusted terminal.)1 762 4 720 6888 t
( of which has not been established, and may be)9 2051(negotiation over any external medium, the trustedness)6 2269 2 720 7008 t
( boxes, which accomplish confidential negotiations in)6 2199( Challenge)1 463( follows.)1 358(unnecessary for the session that)4 1300 4 720 7128 t
(the presence of eavesdroppers, are the preferred solution.)7 2278 1 720 7248 t
cleartomark
showpage
saveobj restore
%%EndPage: 2 2
%%Page: 3 3
/saveobj save def
mark
3 pagesetup
10 R f
(- 3 -)2 166 1 2797 480 t
10 B f
(REFERENCES)720 840 w
10 R f
( R., ``The Blit: a multiplexed graphics terminal,'')7 2193([1] Pike,)1 394 2 889 1056 t
10 I f
(Bell Laboratories Tech. J.)3 1143 1 3533 1056 t
10 B f
(63)4733 1056 w
10 R f
(, pp.)1 207 1 4833 1056 t
(1607-1631 \(1984\).)1 749 1 1080 1176 t
( Bell Laboratories Computing Science Research Center,)6 2238([2] AT&T)1 463 2 889 1356 t
10 I f
(UNIX Research System)2 1261 1 3779 1356 t
(Programmer's Manual)1 924 1 1080 1476 t
10 R f
(, Vol. 1, Saunders, Philadelphia \(1990\).)5 1582 1 2004 1476 t
cleartomark
showpage
saveobj restore
%%EndPage: 3 3
%%Trailer
done
%%Pages: 3
%%DocumentFonts: Courier Times-Bold Times-Italic Times-Roman Times-Roman