%!PS
%%Version: 3.3.1
%%DocumentFonts: (atend)
%%Pages: (atend)
%%EndComments
%
% Version 3.3.1 prologue for troff files.
%

/#copies 1 store
/aspectratio 1 def
/formsperpage 1 def
/landscape false def
/linewidth .3 def
/magnification 1 def
/margin 0 def
/orientation 0 def
/resolution 720 def
/rotation 1 def
/xoffset 0 def
/yoffset 0 def

/roundpage true def
/useclippath true def
/pagebbox [0 0 612 792] def

/R  /Times-Roman def
/I  /Times-Italic def
/B  /Times-Bold def
/BI /Times-BoldItalic def
/H  /Helvetica def
/HI /Helvetica-Oblique def
/HB /Helvetica-Bold def
/HX /Helvetica-BoldOblique def
/CW /Courier def
/CO /Courier def
/CI /Courier-Oblique def
/CB /Courier-Bold def
/CX /Courier-BoldOblique def
/PA /Palatino-Roman def
/PI /Palatino-Italic def
/PB /Palatino-Bold def
/PX /Palatino-BoldItalic def
/Hr /Helvetica-Narrow def
/Hi /Helvetica-Narrow-Oblique def
/Hb /Helvetica-Narrow-Bold def
/Hx /Helvetica-Narrow-BoldOblique def
/KR /Bookman-Light def
/KI /Bookman-LightItalic def
/KB /Bookman-Demi def
/KX /Bookman-DemiItalic def
/AR /AvantGarde-Book def
/AI /AvantGarde-BookOblique def
/AB /AvantGarde-Demi def
/AX /AvantGarde-DemiOblique def
/NR /NewCenturySchlbk-Roman def
/NI /NewCenturySchlbk-Italic def
/NB /NewCenturySchlbk-Bold def
/NX /NewCenturySchlbk-BoldItalic def
/ZD /ZapfDingbats def
/ZI /ZapfChancery-MediumItalic def
/S  /S def
/S1 /S1 def
/GR /Symbol def

/inch {72 mul} bind def
/min {2 copy gt {exch} if pop} bind def

/setup {
	counttomark 2 idiv {def} repeat pop

	landscape {/orientation 90 orientation add def} if
	/scaling 72 resolution div def
	linewidth setlinewidth
	1 setlinecap

	pagedimensions
	xcenter ycenter translate
	orientation rotation mul rotate
	width 2 div neg height 2 div translate
	xoffset inch yoffset inch neg translate
	margin 2 div dup neg translate
	magnification dup aspectratio mul scale
	scaling scaling scale

	addmetrics
	0 0 moveto
} def

/pagedimensions {
	useclippath userdict /gotpagebbox known not and {
		/pagebbox [clippath pathbbox newpath] def
		roundpage currentdict /roundpagebbox known and {roundpagebbox} if
	} if
	pagebbox aload pop
	4 -1 roll exch 4 1 roll 4 copy
	landscape {4 2 roll} if
	sub /width exch def
	sub /height exch def
	add 2 div /xcenter exch def
	add 2 div /ycenter exch def
	userdict /gotpagebbox true put
} def

/addmetrics {
	/Symbol /S null Sdefs cf
	/Times-Roman /S1 StandardEncoding dup length array copy S1defs cf
} def

/pagesetup {
	/page exch def
	currentdict /pagedict known currentdict page known and {
		page load pagedict exch get cvx exec
	} if
} def

/decodingdefs [
	{counttomark 2 idiv {y moveto show} repeat}
	{neg /y exch def counttomark 2 idiv {y moveto show} repeat}
	{neg moveto {2 index stringwidth pop sub exch div 0 32 4 -1 roll widthshow} repeat}
	{neg moveto {spacewidth sub 0.0 32 4 -1 roll widthshow} repeat}
	{counttomark 2 idiv {y moveto show} repeat}
	{neg setfunnytext}
] def

/setdecoding {/t decodingdefs 3 -1 roll get bind def} bind def

/w {neg moveto show} bind def
/m {neg dup /y exch def moveto} bind def
/done {/lastpage where {pop lastpage} if} def

/f {
	dup /font exch def findfont exch
	dup /ptsize exch def scaling div dup /size exch def scalefont setfont
	linewidth ptsize mul scaling 10 mul div setlinewidth
	/spacewidth ( ) stringwidth pop def
} bind def

/changefont {
	/fontheight exch def
	/fontslant exch def
	currentfont [
		1 0
		fontheight ptsize div fontslant sin mul fontslant cos div
		fontheight ptsize div
		0 0
	] makefont setfont
} bind def

/sf {f} bind def

/cf {
	dup length 2 idiv
	/entries exch def
	/chtab exch def
	/newencoding exch def
	/newfont exch def

	findfont dup length 1 add dict
	/newdict exch def
	{1 index /FID ne {newdict 3 1 roll put}{pop pop} ifelse} forall

	newencoding type /arraytype eq {newdict /Encoding newencoding put} if

	newdict /Metrics entries dict put
	newdict /Metrics get
	begin
		chtab aload pop
		1 1 entries {pop def} for
		newfont newdict definefont pop
	end
} bind def

%
% A few arrays used to adjust reference points and character widths in some
% of the printer resident fonts. If square roots are too high try changing
% the lines describing /radical and /radicalex to,
%
%	/radical	[0 -75 550 0]
%	/radicalex	[-50 -75 500 0]
%
% Move braceleftbt a bit - default PostScript character is off a bit.
%

/Sdefs [
	/bracketlefttp		[201 500]
	/bracketleftbt		[201 500]
	/bracketrighttp		[-81 380]
	/bracketrightbt		[-83 380]
	/braceleftbt		[203 490]
	/bracketrightex		[220 -125 500 0]
	/radical		[0 0 550 0]
	/radicalex		[-50 0 500 0]
	/parenleftex		[-20 -170 0 0]
	/integral		[100 -50 500 0]
	/infinity		[10 -75 730 0]
] def

/S1defs [
	/underscore		[0 80 500 0]
	/endash			[7 90 650 0]
] def
%
% Tries to round clipping path dimensions, as stored in array pagebbox, so they
% match one of the known sizes in the papersizes array. Lower left coordinates
% are always set to 0.
%

/roundpagebbox {
    7 dict begin
	/papersizes [8.5 inch 11 inch 14 inch 17 inch] def

	/mappapersize {
		/val exch def
		/slop .5 inch def
		/diff slop def
		/j 0 def
		0 1 papersizes length 1 sub {
			/i exch def
			papersizes i get val sub abs
			dup diff le {/diff exch def /j i def} {pop} ifelse
		} for
		diff slop lt {papersizes j get} {val} ifelse
	} def

	pagebbox 0 0 put
	pagebbox 1 0 put
	pagebbox dup 2 get mappapersize 2 exch put
	pagebbox dup 3 get mappapersize 3 exch put
    end
} bind def

%%EndProlog
%%BeginSetup
mark
/linewidth 0.5 def
/xoffset 0 def
/yoffset 0 def
/#copies 1 store
/magnification 1 def
%%FormsPerPage: 1
/formsperpage 1 def

/landscape false def
/resolution 720 def
setup
2 setdecoding
%%EndSetup
%%Page: 1 1
/saveobj save def
mark
1 pagesetup
12 B f
(Secure IX Network)2 984 1 2358 1230 t
12 R f
(\262)3342 1230 w
10 I f
(Jim Reeds)1 407 1 2676 1470 t
10 R f
(AT&T Bell Laboratories)2 993 1 2383 1650 t
(Murray Hill, New Jersey 07974)4 1267 1 2246 1770 t
10 I f
(ABSTRACT)2643 2150 w
10 R f
( McIlroy-)1 405(This paper sketches a design for a network of computers running the)11 2945 2 1330 2410 t
( modularity and decentralization; security does not)6 2049( emphasis is on)3 629( The)1 210(Reeds IX system.)2 712 4 1080 2530 t
( that there are multiple overlapping)5 1501( assumes)1 376( It)1 129(rely much on central key distribution.)5 1594 4 1080 2650 t
( authority, and relies only loosely on an ultimate common organizational loy-)11 3147(domains of)1 453 2 1080 2770 t
( is heavily influenced by the networking arrangements)7 2227( It)1 119( is speculative.)2 607( work)1 237(alty. This)1 410 5 1080 2890 t
(in the Research 10th Edition)4 1138 1 1080 3010 t
9 R f
(UNIX)2241 3010 w
10 S f
(\322)2466 3010 w
10 R f
(system.)2570 3010 w
10 B f
( Machine IX*)2 583(1. Single)1 387 2 720 3370 t
10 R f
( working on IX M. D. McIlroy and I simply wanted to add to the usual)15 2867(When we began)2 646 2 970 3526 t
9 R f
(UNIX)4509 3526 w
10 R f
(system)4762 3526 w
( that)1 177( believed)1 366( We)1 191(model a stricter file access policy, a variant of the military security classification system.)13 3586 4 720 3646 t
( the Orange Book)3 710(a no-frills implementation of this part of)6 1610 2 720 3766 t
([DOD])3040 3716 w
(requirements for a secure computer would)5 1692 1 3348 3766 t
( users, even if it might NOT satisfy the Orange Book people them-)12 2714(satisfy most real security needs of most)6 1606 2 720 3886 t
( also believed that our new access restrictions could be kept largely orthogonal to the existing)15 3856(selves. We)1 464 2 720 4006 t
(scheme of)1 414 1 720 4126 t
10 CW f
(rwx)1201 4126 w
10 R f
( policy could be airtight and draco-)6 1439( new access)2 484( The)1 212(bits, which we left essentially intact.)5 1492 4 1413 4126 t
( its preservation of security labels \(and the intellectual property rights they represent\), even if on the)16 4043(nian in)1 277 2 720 4246 t
(same machine, at the same time, the usual)7 1706 1 720 4366 t
9 R f
(UNIX)2453 4366 w
10 R f
(system concepts of userid, setuid, root accounts, and)7 2125 1 2707 4366 t
10 CW f
(rwx)4860 4366 w
10 R f
(file permission bits were subverted.)4 1423 1 720 4486 t
(After three years of part-time but intense work we have not changed those beliefs, but we have)16 4070 1 970 4642 t
( system, like all)3 640( resulting)1 380( Our)1 210(expanded our notion of what needs to go into a ``no-frills implementation.'')11 3090 4 720 4762 t
( is the generality of user)5 967( There)1 283(other attempts at secure operating systems, ends up with a two-tier structure.)11 3070 3 720 4882 t
( in the public program)4 892(programs, including all programs written by ordinary users and most of the programs)12 3428 2 720 5002 t
( the security system, covering)4 1238( then there are the privileged programs used to administer)9 2403(directories. And)1 679 3 720 5122 t
(functions like logging users in, changing user's security clearances, and so on.)11 3128 1 720 5242 t
( security rules, or)3 732(The distinguishing property is that the privileged programs must break the usual)11 3338 2 970 5398 t
( violation)1 383(viewed another way, that the kernel must be assured by a privileged program that some particular)15 3937 2 720 5518 t
( for instance, are not usually allowed to drop in)9 1940( Files,)1 276( rules is not in fact a breach of security.)9 1628(of the usual)2 476 4 720 5638 t
( ports are files in the)5 833( Terminal)1 419(security classification level.)2 1118 3 720 5758 t
9 R f
(UNIX)3116 5758 w
10 R f
( port used in a)4 574(system, so when a terminal)4 1097 2 3369 5758 t
( unclassified,)1 528(classified login session becomes free at the end of the session, before it may be used for a new,)18 3792 2 720 5878 t
( disk files might be declassified)5 1328( Ordinary)1 423( declassified by a privileged program.)5 1573(login session it must be)4 996 4 720 5998 t
( kernel cannot itself)3 826( The)1 217( again needs a privileged program.)5 1440(from time to time for the usual reasons; this)8 1837 4 720 6118 t
( the privileged programs to tell when to deviate from its)10 2251(know when such actions are acceptable: it relies on)8 2069 2 720 6238 t
(worst-case application of the usual rules.)5 1630 1 720 6358 t
8 S1 f
(__________________)720 6580 w
8 R f
( Theoretical Computer Science, Volume 2,)5 1434(\262 Reprinted from DIMACS Series in Discrete Mathematics and)8 2129 2 720 6680 t
8 I f
(Distributed)4317 6680 w
(Computing and Cryptography,)2 990 1 720 6780 t
8 R f
( the American Mathe-)3 705(J. Feigenbaum and M. Merritt, editors, pp. 235-244, by permission of)10 2242 2 1733 6780 t
(matical Society.)1 512 1 720 6880 t
( true description is in the)5 853( The)1 177( of single-machine IX given below are, for exposition's sake, simplified.)10 2437(* Some details)2 493 4 720 6980 t
( is)1 73( IX)1 124(accompanying papers.)1 711 3 720 7080 t
8 I f
(not)1648 7080 w
8 R f
(pronounced like the German word)4 1092 1 1770 7080 t
8 I f
(ich.)2882 7080 w
cleartomark
showpage
saveobj restore
%%EndPage: 1 1
%%Page: 2 2
/saveobj save def
mark
2 pagesetup
10 R f
(- 2 -)2 166 1 2797 480 t
10 B f
(Trusted Computing Base)2 1073 1 720 840 t
10 R f
( questions like)2 584( Obviously)1 470(The presence of these privileged programs complicates things enormously.)8 3016 3 970 996 t
( or ``how do programs become)5 1248(``how do I know that a baddie hasn't tampered with a privileged program,'')12 3072 2 720 1116 t
( programs get installed on the system'' are relevant.)8 2175(privileged,'' or ``how do new releases of privileged)7 2145 2 720 1236 t
( operating systems\) are: Giving or removing privileged)7 2221(The easy answers \(essentially the same in all secure)8 2099 2 720 1356 t
( privileged program can not be removed or)7 1808( A)1 136( privileged program.)2 846(status to files can only be done by a)8 1530 4 720 1476 t
( time,)1 228( the program that first runs at boot)7 1375( And)1 223(changed, other than to have its privileged status removed.)8 2310 4 720 1596 t
10 I f
(init)4881 1596 w
10 R f
(,)5015 1596 w
( privileged programs thus form a self-nominating closed ``committee'' which, together)10 3575( The)1 214(is privileged.)1 531 3 720 1716 t
(with the kernel as an)4 842 1 720 1836 t
10 I f
(ex-officio)1591 1836 w
10 R f
( committee is TCB: trusted)4 1096( jargon for this)3 603( The)1 209(member, runs the computer.)3 1135 4 1997 1836 t
(computing base.)1 655 1 720 1956 t
( TCB know which information from the out-)7 1834( does the)2 367( How)1 250(This in turn leads to the hard questions.)7 1619 4 970 2112 t
( is talking to the)4 661( does the computer user know he)6 1344( How)1 249(side world it should act on, and which is spurious?)9 2066 4 720 2232 t
( another, in such a way)5 975( does one privileged program communicate with)6 1996( How)1 254(TCB and not an imposter?)4 1095 4 720 2352 t
( two mechanisms,)2 729( answers to these questions are based on)7 1647( IX's)1 233(that each recognizes the other's privilege?)5 1711 4 720 2472 t
( easily extendible over a)4 978(one in the kernel, the other coded into the privileged programs, both of which seem)14 3342 2 720 2592 t
( TCB's iron reign can be extended over a network, and hence so can IX security ser-)16 3499( the)1 156(network. Hence)1 665 3 720 2712 t
(vices.)720 2832 w
10 B f
(PEX)720 3072 w
10 R f
( mandatory exclusive file locking, which we call)7 1997(The first of these wonder mechanisms is a form of)9 2073 2 970 3228 t
( file may be marked for exclusive use by a process in which it is open,)15 2866( Any)1 226(PEX for ``process exclusive.'')3 1228 3 720 3348 t
( exclusivity lasts until the process explicitly drops it or)9 2258( The)1 213( process has done so first.)5 1066(so long as no other)4 783 4 720 3468 t
( special twist occurs in pipes, each end of which may be inde-)12 2494( A)1 124( exits.)1 241(until the file is closed or the process)7 1461 4 720 3588 t
( PEXed: an)2 485( pipe will not carry data unless both ends are PEXed or neither end is)14 2958( A)1 136(pendently PEXed.)1 741 4 720 3708 t
( a pipe end is PEXed the other end is)9 1482( When)1 289( read or write on a half-PEXed pipe result in an error.)11 2144(attempt to)1 405 4 720 3828 t
( synchronously and independently of the)5 1653( this is done)3 496( All)1 183(given indicia of privilege of the PEXing process.)7 1988 4 720 3948 t
(usual stream)1 510 1 720 4068 t
([R])1230 4018 w
( pipe can tell if it has a unique)8 1260( a privileged process communicating on a)6 1712(discipline. Thus)1 672 3 1396 4068 t
( privileged program, for)3 983( A)1 130( other end, and whether the partner process is privileged.)9 2336(partner process at the)3 871 4 720 4188 t
( talking to an IO device)5 965( If)1 121( standard input.)2 629(example, can refuse to collect a password unless it can PEX the)11 2605 4 720 4308 t
( no interloping process that also has the device)8 1936(unPEXed to any other process, the PEX call succeeds and)9 2384 2 720 4428 t
( talking to a pipe \(say, to a window on a windowing terminal\) the PEX bid)15 3041( If)1 120(open can steal the password.)4 1159 3 720 4548 t
( accepted, the privileged program)4 1350( If)1 119( rejected by the process at the other end of the pipe.)11 2089(will be accepted or)3 762 4 720 4668 t
( windows)1 390(can now tell if the other end is also in the TCB \(as a trusted terminal multiplexor running secure)18 3930 2 720 4788 t
( these means)2 534( Using)1 301( go forward, and so on.)5 983(would have to be\), in which case the password dialogue can)10 2502 4 720 4908 t
( other, can know when they are talking to users, and \320although the)12 2809(parts of the TCB can recognize each)6 1511 2 720 5028 t
(details are clumsy\320 can prove to users that they are indeed talking to the TCB.)14 3176 1 720 5148 t
( of as a generalization of the Orange Book's ``trusted path'' mechanism, and as)13 3261(This can be thought)3 809 2 970 5304 t
( inverse labels are described in pages 69-71 of)8 2069( \(Biba)1 300( labels''.)1 377(an alternative to Biba-style ``inverse)4 1574 4 720 5424 t
(Gasser)720 5544 w
([G])991 5494 w
(; the labels track trustability or provanance of data rather than secrecy.\))11 2842 1 1129 5544 t
( PEXed pipe is nothing other than that of a secure communications channel between)13 3442(The notion of a)3 628 2 970 5700 t
( The)1 210( an end goal of both classical and modern cryptology and of secure network design.)14 3405(identified parties,)1 705 3 720 5820 t
( user processes, protecting themselves from eavesdropping,)6 2451(novelty is in making this service available to)7 1869 2 720 5940 t
( its current single-machine form, the writ of PEX ends at the)11 2545( In)1 146(forging or spoofing by other processes.)5 1629 3 720 6060 t
( \(New)1 276( feature.)1 331(machine boundary, and cryptography is not needed to implement this new operating system)12 3713 3 720 6180 t
(to the)1 227 1 720 6300 t
9 R f
(UNIX)972 6300 w
10 R f
( network to another machine would require at)7 1828( PEX to go over a)5 723( For)1 191(operating system, at least.\))3 1074 4 1224 6300 t
( in discussing the PEXity of their ends of the cross-machine)10 2482(least a special protocol for the kernels to use)8 1838 2 720 6420 t
( to identify and authenticate the end machines and to protect the data in)13 2848(pipe, and also possibly cryptography)4 1472 2 720 6540 t
(transit.)720 6660 w
cleartomark
showpage
saveobj restore
%%EndPage: 2 2
%%Page: 3 3
/saveobj save def
mark
3 pagesetup
10 R f
(- 3 -)2 166 1 2797 480 t
10 B f
(Privilege Server)1 684 1 720 840 t
10 R f
( is a)2 167(The second special mechanism for privileged process control in IX)9 2693 2 970 996 t
10 I f
(privilege server)1 632 1 3858 996 t
10 R f
(embodying a)1 522 1 4518 996 t
( main idea is that although the)6 1253( The)1 213( and exercising users' rights.)4 1177(particular design for denoting, recording,)4 1677 4 720 1116 t
( self-protection and economic)3 1225(TCB is all-powerful, it doesn't have any security interests of its own, save)12 3095 2 720 1236 t
( originate)1 391( TCB is a custodian of users' rights, which might)9 2074( The)1 217(control of the local hardware resources.)5 1638 4 720 1356 t
( the management or ownership of the local)7 1761(off-machine, possibly created under an authority separate from)7 2559 2 720 1476 t
( IX these fiduciary responsibilities of the TCB are managed by the privilege server.)13 3327( In)1 133(host computer.)1 594 3 720 1596 t
(The privilege server centralizes)3 1296 1 970 1752 t
10 I f
(authorization)2305 1752 w
10 R f
(calculations, much the way an authentication server)6 2155 1 2885 1752 t
( stylized form: a resource's)4 1174( calculations often take a)4 1084( Authorization)1 628(centralizes authentication services.)2 1434 4 720 1872 t
( a credential to a user, who later presents the credential together with a particular resource)15 3779(owner passes)1 541 2 720 1992 t
( IX the privilege server is the custodian of most users')10 2263( In)1 143( of the resource.)3 672(usage request to the custodian)4 1242 4 720 2112 t
( each request, the priv-)4 915( For)1 190( access rights implied by user id and process label\).)9 2061(rights \(other than routine file)4 1154 4 720 2232 t
( is)1 100(ilege server must check that the credential indeed authorizes the request, that the privilege server itself)15 4220 2 720 2352 t
( has been)2 417(authorized to act on the request \(which includes checking whether the resource in question)13 3903 2 720 2472 t
( as authentication information, such as whether the issuer of the)10 2633(entrusted to the privilege server\), as well)6 1687 2 720 2592 t
(certificate is the owner of the resource, and so on.)9 1986 1 720 2712 t
( state-)1 246(Requests for privileged services are made to the privilege server as text strings, which are also)15 3824 2 970 2868 t
( a trivial computer command language,)5 1594(ments in)1 349 2 720 2988 t
10 I f
(nosh)2694 2988 w
10 R f
( is a restricted, feature-starved ``secure'' shell)6 1865(. \(This)1 292 2 2883 2988 t
(with fewer possibilities for latent subversive side effects than found in the usual interactive shells)14 3889 1 720 3108 t
10 I f
(sh)4634 3108 w
10 R f
(,)4723 3108 w
10 I f
(csh)4773 3108 w
10 R f
(, or)1 134 1 4906 3108 t
10 I f
(ksh)720 3228 w
10 R f
( requester has a right warranting the command string in question then the privilege server exe-)15 3852( the)1 154(.\) If)1 181 3 853 3228 t
( to each right, then, is the set of)8 1254( Corresponding)1 644(cutes the command.)2 796 3 720 3348 t
10 I f
(nosh)3439 3348 w
10 R f
(command strings it warrants.)3 1160 1 3653 3348 t
( privileges file as pairs)4 968( are recorded in a)4 751( Rights)1 327(More precisely, a ``right'' is a regular language.)7 2024 4 970 3504 t
(\()720 3624 w
10 I f
(R)761 3624 w
10 R f
(,)830 3624 w
10 I f
(Q)887 3624 w
10 R f
(\), where)1 328 1 967 3624 t
10 I f
(R)1322 3624 w
10 R f
( set of)2 250(is a regular expression* \(specifying the)5 1576 2 1410 3624 t
10 I f
(nosh)3264 3624 w
10 R f
(commands warranted by the right\) and)5 1559 1 3481 3624 t
(where)720 3744 w
10 I f
(Q)989 3744 w
10 R f
( of the privi-)3 502(is a predicate applied to: the user, the execution environment of the current invocation)13 3451 2 1087 3744 t
( to the server, and \(optionally\) a protocol execution status.)9 2417(lege server, the status of the user's connection)7 1903 2 720 3864 t
( request)1 313(When a)1 308 2 720 3984 t
10 I f
(s)1366 3984 w
10 R f
(is presented to the server, it is executed only if a pair \()12 2165 1 1430 3984 t
10 I f
(R)3603 3984 w
10 R f
(,)3672 3984 w
10 I f
(Q)3729 3984 w
10 R f
(\) can be found such that)5 956 1 3809 3984 t
10 I f
(s)4790 3984 w
10 R f
(is an)1 186 1 4854 3984 t
(element of)1 424 1 720 4104 t
10 I f
(R)1169 4104 w
10 R f
(and such that the predicate)4 1064 1 1255 4104 t
10 I f
(Q)2344 4104 w
10 R f
( ``anyone'' who satisfies)3 989( Thus)1 250(evaluates true.)1 576 3 2441 4104 t
10 I f
(Q)4281 4104 w
10 R f
(may exercise)1 523 1 4378 4104 t
10 I f
(R)4926 4104 w
10 R f
(.)4987 4104 w
( Node)1 292( rooted tree.)2 531(For ease of subdivision and delegation, we organize our privilege file as a)12 3247 3 970 4260 t
(\()720 4380 w
10 I f
(R)761 4380 w
7 R f
(1)833 4400 w
10 R f
(,)884 4380 w
10 I f
(Q)941 4380 w
7 R f
(1)1024 4400 w
10 R f
(\) may be above \(closer to the root than\) node \()10 1951 1 1075 4380 t
10 I f
(R)3034 4380 w
7 R f
(2)3106 4400 w
10 R f
(,)3157 4380 w
10 I f
(Q)3214 4380 w
7 R f
(2)3297 4400 w
10 R f
(\) only if language)3 734 1 3348 4380 t
10 I f
(R)4116 4380 w
7 R f
(2)4188 4400 w
10 R f
(is contained in)2 601 1 4265 4380 t
10 I f
(R)4900 4380 w
7 R f
(1)4972 4400 w
10 R f
(.)5015 4380 w
( to sub-rights, and if you can exercise a right at a given node you automatically)15 3216(Thus sub-nodes correspond)2 1104 2 720 4500 t
(may do anything you could do by exercising rights at sub-nodes.)10 2584 1 720 4620 t
( it is possible to formulate rights)6 1325(Our command language has statements to edit the privileges file, so)10 2745 2 970 4776 t
( tree of rights.)3 587( particular, it is easy to formulate a right to edit only a sub-tree of the)15 2907( In)1 143(to change rights.)2 683 4 720 4896 t
( a node, delete a node or sub-tree, create a sub-)10 1971(Allowed edit commands are: diminish the set of rights at)9 2349 2 720 5016 t
(node with rights equal to the parent node, and change the)10 2322 1 720 5136 t
10 I f
(Q)3071 5136 w
10 R f
( editing can only reparcel)4 1026( Thus)1 254(part of a node.)3 588 3 3172 5136 t
( privilege file edits are relatively infrequent there is)8 2059( \(Since)1 306( existing rights, but not create new ones.)7 1619(or dilute)1 336 4 720 5256 t
(no practical performance loss in forbidding concurrent edits, or forbidding privilege calculations during)12 4320 1 720 5376 t
(edits.\))720 5496 w
(To delegate a right means simply to create a sub-node in the tree of rights.)14 2964 1 970 5652 t
(The)970 5808 w
10 I f
(Q)1151 5808 w
10 R f
( given login ids, ask for a password, require successful completion of a)12 2858(predicate might require)2 933 2 1249 5808 t
( pro-)1 196(challenge-response protocol, or insist that the privilege server is being invoked by a particular named)14 4124 2 720 5928 t
(gram.)720 6048 w
10 I f
(Q)1000 6048 w
10 R f
(specifies the)1 496 1 1097 6048 t
10 I f
(authentication)1618 6048 w
10 R f
(needed to enjoy the rights in question.)6 1524 1 2221 6048 t
( care)1 203(A weak point in this scheme lies in the formulation of rights as regular expressions: extreme)15 3867 2 970 6204 t
(must be taken to ensure that the)6 1313 1 720 6324 t
10 I f
(nosh)2066 6324 w
10 R f
( catch the real meaning of)5 1068(command language statements accurately)3 1684 2 2288 6324 t
( particular, the manual describing the TCB and the)8 2078( In)1 140(the rights in question.)3 888 3 720 6444 t
10 I f
(nosh)3858 6444 w
10 R f
( accu-)1 248(language must be)2 713 2 4079 6444 t
( arguments and options to privileged programs may never be)9 2445(rate, and worse, the meaning of command-line)6 1875 2 720 6564 t
(lightly changed, lest established rights be overthrown or inadvertently widened.)9 3182 1 720 6684 t
8 S1 f
(__________________)720 6880 w
8 R f
( to follow: I make no notational distinction between a regular expression)11 2385(*Abuse of notation)2 623 2 720 6980 t
8 I f
(R)3755 6980 w
8 R f
(and its corresponding lan-)3 849 1 3831 6980 t
(guage, so sometimes)2 661 1 720 7080 t
8 I f
(R)1401 7080 w
8 R f
(really means)1 403 1 1470 7080 t
8 I f
(L)1893 7080 w
8 R f
(\()1944 7080 w
8 I f
(R)1976 7080 w
8 R f
(\).)2031 7080 w
cleartomark
showpage
saveobj restore
%%EndPage: 3 3
%%Page: 4 4
/saveobj save def
mark
4 pagesetup
10 R f
(- 4 -)2 166 1 2797 480 t
10 B f
(An Example)1 531 1 720 840 t
10 R f
( Suppose)1 405( compartment.)1 593(Here is how the privilege server helps administer a security classification)10 3072 3 970 996 t
( project and want to create a security compartment to guard their)11 2646(some users of an IX machine start a new)8 1674 2 720 1116 t
( new security compartment shows up outside the computer as a new classifica-)12 3180( This)1 230(work on the computer.)3 910 3 720 1236 t
( new bit field in the security labels carried)8 1680(tion keyword stamped on documents and inside the computer as a)10 2640 2 720 1356 t
( a compartment)2 623( project leader Alpha wants to create)6 1462( Say)1 200(by files and processes.)3 898 4 720 1476 t
10 CW f
(BETA)3964 1476 w
10 R f
(for his project; what)3 810 1 4230 1476 t
(steps does it take to teach the TCB about this new compartment?)11 2589 1 720 1596 t
(To begin with the TCB's only interest in)7 1632 1 970 1752 t
10 CW f
(BETA)2664 1752 w
10 R f
(is in issues of operating system resource exhaustion:)7 2109 1 2931 1752 t
( keyword)1 379(is the)1 220 2 720 1872 t
10 CW f
(BETA)1384 1872 w
10 R f
(already in use for some other security compartment and is there an unused label bit)14 3386 1 1654 1872 t
(field on the local machine to represent)6 1602 1 720 1992 t
10 CW f
(BETA)2394 1992 w
10 R f
( these problems apply: categories)4 1383( usual solutions to)3 762(? The)1 261 3 2634 1992 t
(might have hierarchical names \(keywords like)5 1968 1 720 2112 t
10 CW f
(ADONIS.PICCOLO.BETA)2773 2112 w
10 R f
( likely to be pre-)4 756(are less)1 321 2 3963 2112 t
( So)1 165(empted\), and only certain users may consume label bit fields by creating new security classifications.)14 4155 2 720 2232 t
(among the rights already stored in the privileges file is an entry \()12 2633 1 720 2352 t
10 I f
(R)3361 2352 w
7 R f
(mkcat)3433 2372 w
10 R f
(,)3621 2352 w
10 I f
(Q)3687 2352 w
7 R f
(mkcat)3770 2372 w
10 R f
(\) giving project leaders the)4 1082 1 3958 2352 t
(right to run the privileged)4 1027 1 720 2472 t
10 I f
(mkcategory)1772 2472 w
10 R f
(program:)2262 2472 w
10 I f
(R)1220 2652 w
7 R f
(mkcat)1292 2672 w
10 S f
(=)1554 2652 w
10 CW f
(mkcategory .*)1 780 1 1691 2652 t
10 I f
(Q)1209 2832 w
7 R f
(mkcat)1292 2852 w
10 S f
(=)1554 2832 w
10 I f
(login)1691 2832 w
10 S f
(_)1905 2832 w
10 I f
(id)1963 2832 w
8 S f
(\316)2049 2832 w
10 I f
({ Alpha)1 287 1 2114 2832 t
10 R f
(,)2409 2832 w
10 I f
(Rocky)2475 2832 w
10 R f
(,)2726 2832 w
10 I f
(Boris)2792 2832 w
10 R f
(,)3017 2832 w
10 I f
(Natasha)3083 2832 w
10 R f
(. . .)2 125 1 3450 2807 t
10 I f
(} .)1 73 1 3608 2832 t
10 R f
(So Alpha presents the request)4 1187 1 720 3012 t
10 CW f
(mkcategory BETA)1 900 1 1080 3192 t
10 R f
(to the privilege server, which runs the)6 1517 1 720 3372 t
10 I f
(mkcategory)2264 3372 w
10 R f
(program in such a way that)5 1094 1 2756 3372 t
10 I f
(mkcategory)3877 3372 w
10 R f
(knows this invo-)2 671 1 4369 3372 t
( has only been guarding the local)6 1374( that so far the privilege server)6 1279( Note)1 254(cation is an authorized invocation.)4 1413 4 720 3492 t
(machine's operators' interest in preventing resource exhaustion, and not any security interest)11 3709 1 720 3612 t
10 I f
(per se)1 241 1 4454 3612 t
10 R f
(.)4695 3612 w
10 I f
(Mkcategory)970 3768 w
10 R f
( bit field in the machine's internal representation of)8 2108( is to allot a)4 491( One)1 222(has two functions.)2 742 4 1477 3768 t
(security labels and bind the name)5 1379 1 720 3888 t
10 CW f
(BETA)2168 3888 w
10 R f
( other function is to)4 815( The)1 213(to it, registering this in an official list.)7 1570 3 2442 3888 t
( of)1 110(register Alpha as the ``owner'')4 1233 2 720 4008 t
10 CW f
(BETA)2125 4008 w
10 R f
(by placing a new entry)4 917 1 2392 4008 t
10 S f
(b =)1 159 1 3336 4008 t
10 R f
(\()3544 4008 w
10 I f
(R)3585 4008 w
7 S f
(b)3657 4028 w
10 R f
(,)3712 4008 w
10 I f
(Q)3769 4008 w
7 S f
(b)3852 4028 w
10 R f
( \(The)1 240(\) in the privileges file.)4 893 2 3907 4008 t
10 I f
(mkcategory)720 4128 w
10 R f
( to edit part of the tree of rights, according to a)11 2468(program itself has the right)4 1306 2 1266 4128 t
10 I f
(Q)720 4248 w
7 R f
(mkcat 2)1 212 1 803 4268 t
10 S f
(=)1072 4248 w
10 I f
(invokerprog)1176 4248 w
10 S f
(\272)1672 4248 w
10 CW f
(mkcategory)1735 4248 w
10 R f
( begin with)2 452(.\) To)1 220 2 2335 4248 t
10 I f
(mkcategory)3033 4248 w
10 R f
(finds out from Alpha what formula to)6 1516 1 3524 4248 t
(use for)1 275 1 720 4368 t
10 I f
(Q)1021 4368 w
7 S f
(b)1104 4388 w
10 R f
(, that is, how future commands from Alpha about)8 1978 1 1151 4368 t
10 CW f
(BETA)3190 4368 w
10 R f
( may provide)2 527( Alpha)1 294( recognized.)1 487(will be)1 276 4 3456 4368 t
(any formula for)2 662 1 720 4488 t
10 I f
(Q)1425 4488 w
7 S f
(b)1508 4508 w
10 R f
( he may simply specify a password, or may specify that possession of)12 3005(he wishes:)1 437 2 1598 4488 t
(Alpha's)720 4608 w
10 I f
(login)1075 4608 w
10 S f
(_)1281 4608 w
10 I f
(id)1331 4608 w
10 R f
( by which future commands may be verified,)7 1882(suffices, may present the public key)5 1506 2 1448 4608 t
10 I f
(a la)1 166 1 4874 4608 t
10 R f
( The)1 205(RSA, and so on.)3 653 2 720 4728 t
10 I f
(R)1603 4728 w
10 R f
( newly created category, and expresses)5 1555(part of the new right is always the same for a)10 1796 2 1689 4728 t
(the union of these rights:)4 994 1 720 4848 t
( marked)1 334(Exerciser may access data)3 1070 2 970 5004 t
10 CW f
(BETA)2444 5004 w
10 R f
(by logging on with the appropriate bit set in his process)10 2321 1 2719 5004 t
(label.)970 5124 w
( declassify category)2 820(Exerciser may)1 586 2 970 5280 t
10 CW f
(BETA)2450 5280 w
10 R f
(from files, by executing a privileged command of form)8 2311 1 2729 5280 t
10 CW f
(downgrade BETA .*)2 1020 1 970 5400 t
10 R f
(which clears the)2 648 1 2040 5400 t
10 CW f
(BETA)2748 5400 w
10 R f
(bit from the named file.)4 946 1 3013 5400 t
(Exerciser may specify network addresses that may receive)7 2329 1 970 5556 t
10 CW f
(BETA)3359 5556 w
10 R f
(data.)3624 5556 w
(Exerciser may edit this node)4 1137 1 970 5712 t
10 S f
(b)2132 5712 w
10 R f
(in the tree of rights.)4 785 1 2212 5712 t
( can make classified)3 821( He)1 171( label all of his own.)5 841(Now project leader Alpha has a private security classification)8 2487 4 720 5868 t
(login sessions, he can create secret files readable by no one else, he can declassify them.)15 3524 1 720 5988 t
( secret files,)2 499(Soon however Alpha wishes his assistants Mr. Gamma and Ms. Delta could access his)13 3571 2 970 6144 t
( invokes his right to edit node)6 1237(too. He)1 327 2 720 6264 t
10 S f
(b)2317 6264 w
10 R f
( whatever credentials he earlier spelled out in)7 1858(\(by presenting)1 582 2 2405 6264 t
10 I f
(Q)4877 6264 w
7 S f
(b)4960 6284 w
10 R f
(\))5007 6264 w
(and creates a sub-node, call it)5 1230 1 720 6384 t
10 S f
(b)1985 6384 w
10 I f
(/ access)1 296 1 2048 6384 t
10 R f
(, whose)1 315 1 2344 6384 t
10 I f
(R)2694 6384 w
10 R f
( the exerciser's right to read and)6 1351(part consists solely of)3 899 2 2790 6384 t
(write data marked)2 720 1 720 6504 t
10 CW f
(BETA)1500 6504 w
10 R f
(. The)1 230 1 1740 6504 t
10 I f
(Q)1995 6504 w
10 R f
(part is again at Alpha's discretion, who \(say\) chooses the formula)10 2620 1 2092 6504 t
10 I f
(Q)1181 6684 w
7 S f
(b)1264 6704 w
7 I f
(/)1308 6704 w
7 R f
(access)1333 6704 w
10 S f
(=)1601 6684 w
10 I f
(login)1738 6684 w
10 S f
(_)1952 6684 w
10 I f
(id)2010 6684 w
8 S f
(\316)2096 6684 w
10 I f
({ Gamma)1 364 1 2161 6684 t
10 R f
(,)2533 6684 w
10 I f
( & shows)2 405(Delta })1 270 2 2599 6684 t
10 S f
(_)3282 6684 w
10 I f
(password)3340 6684 w
10 R f
(\()3732 6684 w
10 CW f
(cyto 97 plasm)2 676 1 3797 6684 t
10 R f
(\))4505 6684 w
10 I f
(.)4554 6684 w
10 R f
(\(Alpha need not add himself to the list in)8 1646 1 720 6864 t
10 I f
(Q)2392 6864 w
7 S f
(b)2475 6884 w
7 I f
(/)2519 6884 w
7 R f
(access)2544 6884 w
10 R f
( superior right)2 570(because he already may exercise the)5 1452 2 2756 6864 t
10 S f
(b)4805 6864 w
10 R f
(, but)1 180 1 4860 6864 t
(might want to do so because for simple file access)9 2113 1 720 6984 t
10 I f
(Q)2870 6984 w
7 S f
(b)2953 7004 w
7 I f
(/)2997 7004 w
7 R f
(access)3022 7004 w
10 R f
(might be easier to use than)5 1128 1 3245 6984 t
10 I f
(Q)4410 6984 w
7 S f
(b)4493 7004 w
10 R f
( that)1 186(.\) Note)1 314 2 4540 6984 t
( rights to Gamma and Delta: as desired, Gamma and Delta can read and)13 2899(Alpha has extended only his access)5 1421 2 720 7104 t
(write)720 7224 w
10 CW f
(BETA)985 7224 w
10 R f
(secrets, but they cannot change the list of people so cleared.)10 2389 1 1250 7224 t
cleartomark
showpage
saveobj restore
%%EndPage: 4 4
%%Page: 5 5
/saveobj save def
mark
5 pagesetup
10 R f
(- 5 -)2 166 1 2797 480 t
( boss-man Alpha tires of)4 1014(The project prospers, and when new assistants Eps through Lamb show up)11 3056 2 970 840 t
(editing)720 960 w
10 S f
(b)1047 960 w
10 I f
(/ access)1 296 1 1110 960 t
10 R f
( his)1 165( he appoints Ms. Delta as)5 1130(. So)1 205 3 1406 960 t
10 CW f
(BETA)2989 960 w
10 R f
(-clearance officer, by creating a new node)6 1811 1 3229 960 t
10 S f
(b)720 1080 w
10 I f
(/ clearance)1 429 1 783 1080 t
10 R f
(.)1212 1080 w
10 I f
(Q)1308 1080 w
7 S f
(b)1391 1100 w
7 I f
(/)1435 1100 w
7 R f
(clearance)1460 1100 w
10 R f
(only lets Delta in.)3 774 1 1778 1080 t
10 I f
(R)2623 1080 w
7 S f
(b)2695 1100 w
7 I f
(/)2739 1100 w
7 R f
(clearance)2764 1100 w
10 R f
( predicate)1 412(only allows the exerciser to edit the)6 1546 2 3082 1080 t
10 I f
(Q)720 1200 w
7 S f
(b)803 1220 w
7 I f
(/)847 1220 w
7 R f
(access)872 1220 w
10 R f
(.)1058 1200 w
( press coverage is needed, so Alpha appoints Gamma his publicity)10 2719(At appropriation time some good)4 1351 2 970 1356 t
( leaks of)2 344(manager, whose job of course includes shrewdly sequenced)7 2411 2 720 1476 t
10 CW f
(BETA)3538 1476 w
10 R f
(data, which means a new node)5 1234 1 3806 1476 t
10 S f
(b)720 1596 w
10 I f
(/ declass)1 330 1 783 1596 t
10 R f
(is formed, with a)3 680 1 1139 1596 t
10 I f
(Q)1845 1596 w
7 S f
(b)1928 1616 w
7 I f
(/)1972 1616 w
7 R f
(declass)1997 1616 w
10 R f
( and with)2 376(for Mr. Gamma alone,)3 898 2 2233 1596 t
10 I f
(R)3534 1596 w
7 S f
(b)3606 1616 w
7 I f
(/)3650 1616 w
7 R f
(declass)3675 1616 w
10 R f
(allowing)3912 1596 w
10 CW f
(BETA)4324 1596 w
10 R f
(-downgrade)4564 1596 w
(rights to the exerciser.)3 887 1 720 1716 t
( the)1 164( at set-up time)3 617( Obviously)1 483(What would it take to extend these activities to another computer?)10 2806 4 970 1872 t
( file security labels: it is)5 1043(remote file servers need to reconcile their differing internal representations of)10 3277 2 720 1992 t
(almost guaranteed that the bit slot allotted to represent category)9 2637 1 720 2112 t
10 CW f
(BETA)3429 2112 w
10 R f
( But)1 207(will differ on all machines.)4 1127 2 3706 2112 t
(before)720 2232 w
10 CW f
(BETA)1036 2232 w
10 R f
( that what each knows)4 891(files may be traded the two machines should really check to make sure)12 2846 2 1303 2232 t
(as category)1 456 1 720 2352 t
10 CW f
(BETA)1241 2352 w
10 R f
(is really Alpha's)2 670 1 1511 2352 t
10 CW f
(BETA)2246 2352 w
10 R f
( verifying credentials signed by Alpha, accord-)6 1912(, by trading and)3 642 2 2486 2352 t
(ing to the recipe spelled out in)6 1210 1 720 2472 t
10 I f
(Q)1955 2472 w
7 S f
(b)2038 2492 w
10 R f
(.)2085 2472 w
10 B f
( IX)1 136(2. Networked)1 596 2 720 2712 t
10 R f
( con-)1 203( a pair of machines trust their network)7 1522( If)1 116(The general shape of a network of IX machines is clear.)10 2229 4 970 2868 t
( they may extend PEX)4 903(nection, and trust each other's TCBs to enforce the same basic security policies, then)13 3417 2 720 2988 t
( minimal version might consist of the follow-)7 1856( A)1 128( system service as sketched above.)5 1410(service and remote file)3 926 4 720 3108 t
(ing ingredients:)1 625 1 720 3228 t
10 S f
(\267)720 3384 w
10 R f
(A LAN offers secure networking within the confines of a single department.)11 3049 1 970 3384 t
10 S f
(\267)720 3540 w
10 R f
( run identical software on the)5 1237(The individual IX machines are run by the same systems staff, who)11 2833 2 970 3540 t
(machines, so any of the machines can trust any other's TCB as much as it trusts its own)17 3502 1 970 3660 t
10 S f
(\267)720 3816 w
10 R f
(Terminals are at known network locations at known physical locations)9 2821 1 970 3816 t
( carry varying mixes of secret data: some label categories)9 2408(Within such a network different machines can)6 1912 2 720 3972 t
( categories may exist on single machines only, other categories yet may)11 2972(may exist on all machines, other)5 1348 2 720 4092 t
( user communities may be heterogeneous: not all users may have)10 2676( The)1 213( subsets of machines.)3 873(exist on other)2 558 4 720 4212 t
( the same security categories.)4 1172(accounts on all machines, nor need all users of a given machine have access to)14 3148 2 720 4332 t
(Such a setup might be appropriate in a small department, or in a rigidly run branch of the government.)18 4083 1 720 4452 t
(A more ambitious network might include subnets of the above description but would also have inse-)15 4070 1 970 4608 t
( of terminals in unknown or uncontrolled locations, a variety of computers with)12 3177(cure network links, a variety)4 1143 2 720 4728 t
( a network would need a)5 1013( Such)1 257( physical locations.)2 783(differing software, some of which are in isolated secure)8 2267 4 720 4848 t
( While)1 296(measure of cryptographic boost to give untappable connections, or connections to known endpoints.)12 4024 2 720 4968 t
( run exactly the same system software there is still a chance)11 2403(it is unreasonable to hope that the computers all)8 1917 2 720 5088 t
( TCB there is a possibility)5 1058( two machines each believe the other's)6 1564( If)1 119(that their security software is the same.)6 1579 4 720 5208 t
( TCBs some appeal to)4 931( prove that partner machines have correct)6 1716( To)1 172(that they can trade security services.)5 1501 4 720 5328 t
( address, or)2 461( on details, machine A might trust B if B is at a known network)14 2577( Depending)1 491(authority is needed.)2 791 4 720 5448 t
( an authority A trusts, or \(what is really a variation of)11 2185(if B has a document attesting B's honesty, signed by)9 2135 2 720 5568 t
(this\) if B can communicate at all with A when A uses cryptographic keys it was provided with by a trust-)20 4320 1 720 5688 t
(worthy authority.)1 694 1 720 5808 t
( user terminals and user authentication pose a real problem: there is no gen-)13 3084(In an ambitious network)3 986 2 970 5964 t
( between a terminal and a work station or heftier)9 1964(eral way for a network or a computer to tell the difference)11 2356 2 720 6084 t
( purporting to come from a user at a terminal might really come from a hostile)15 3261( command)1 427(computer. Any)1 632 3 720 6204 t
( on the network are thus)5 1042( Terminals)1 471(computer, which can play the IX protocols for dishonest purposes.)9 2807 3 720 6324 t
( secure network addresses on a trusted network, they)8 2135(treated as computers: unless they are at certain special)8 2185 2 720 6444 t
(must prove their)2 671 1 720 6564 t
10 I f
(bona fides)1 421 1 1423 6564 t
10 R f
(before they are given PEX service, and hence before they may be used to get)14 3164 1 1876 6564 t
(favors from the privilege server.)4 1288 1 720 6684 t
(Little special software is needed for networked IX given single-machine IX and given regular)13 3816 1 970 6840 t
9 R f
(UNIX)4815 6840 w
10 R f
( a protocol for the TCBs to manage cross-machine PEX)9 2353( hinted earlier,)2 609( As)1 176(system networking facilities.)2 1182 4 720 6960 t
(would be needed, possibly as a stream)6 1534 1 720 7080 t
([R])2280 7030 w
( file systems, for example, a form)6 1354( to handle remote)3 699(module. And)1 548 3 2439 7080 t
( protocol is needed, by which one machine can prove to another that it has authority)15 3365(of ``power of attorney'')3 955 2 720 7200 t
cleartomark
showpage
saveobj restore
%%EndPage: 5 5
%%Page: 6 6
/saveobj save def
mark
6 pagesetup
10 R f
(- 6 -)2 166 1 2797 480 t
( must be user software to make it convenient to create)10 2181( be usable there)3 629( To)1 163(from a third party known to both.)6 1347 4 720 840 t
(\(say\) RSA keys on demand, and so on.)7 1551 1 720 960 t
10 B f
( Terminals and User Authentication Hardware)5 2002(3. Special)1 431 2 720 1200 t
10 R f
( be)1 141(In a network of IX machines, terminals at unknown or uncontrolled network locations must)13 3929 2 970 1356 t
( potentially hostile computers, which of course makes logging in, authenticating users, and read-)13 3934(treated as)1 386 2 720 1476 t
( is a possible solution to these problems, relying on special)10 2442( Here)1 252( difficult.)1 381(ing secret data over a terminal)5 1245 4 720 1596 t
(hardware, prompted by our experience with windowing terminals in single-machine IX)10 3485 1 720 1716 t
( purpose secure computers as terminals, together with smart-card-like)8 2820(The main idea is to use special)6 1250 2 970 1872 t
(user identification tokens which are also special purpose secure computers.)9 2999 1 720 1992 t
( TCB is unprogrammable \(in ROM, say\))6 1678( The)1 214( is part of the TCB.)5 817(The terminal and screen software)4 1361 4 970 2148 t
( whole packaged in a tamper-proof)5 1458(and contains secret cryptographic keys in an uninspectable store; the)9 2862 2 720 2268 t
( primitive form of IX file access policy \(each multiplexed terminal pro-)11 2919( TCB can enforce a)4 795(container. The)1 606 3 720 2388 t
( a label, with label inequalities obeyed on mouse-initiated cross-)9 2713(cess and associated windows, say, has)5 1607 2 720 2508 t
( a form of PEX is available: if a screen layer is accessible by exactly)14 2858( Also,)1 273( or ``snarfs''\).)2 579(window copies)1 610 4 720 2628 t
( only by that terminal process, then a distinctive)8 2030(one terminal process, and if the keyboard is accessible)8 2290 2 720 2748 t
(unforgeable visual mark may be placed on the screen layer \(a flashing border, say\).)13 3321 1 720 2868 t
( authentication tokens'' are small special purpose computers with their own TCBs and)12 3643(The ``user)1 427 2 970 3024 t
( visible to the user)4 761( token can be plugged into a special terminal, and has a light)12 2512( A)1 130(tamper-proof memory.)1 917 4 720 3144 t
(when the token is plugged into the terminal.)7 1760 1 720 3264 t
( are as many as four parties with differ-)8 1613( There)1 287(This hardware is used to help several authentications.)7 2170 3 970 3420 t
( user token must be convinced that)6 1393( The)1 206( host computer.)2 621(ing security interests: user, user token, terminal, and)7 2100 4 720 3540 t
( up cross-)2 406( terminal and host must like each other's TCBs enough to set)11 2528( The)1 213(its legitimate user is present.)4 1173 4 720 3660 t
( host must communicate through the terminal to the user token, but the terminal will not)15 3536( The)1 206(machine PEX.)1 578 3 720 3780 t
(play PEX unless it trusts the token, and so on.)9 1836 1 720 3900 t
( Fiat-Shamir)1 514(Most of these security interests are satisfied by multiple applications of, say, the)12 3322 2 970 4056 t
([FFS])4806 4006 w
( FS protocol has two)4 868( The)1 215( roles.)1 254(protocol, where the terminal, host, and token successively play differing)9 2983 4 720 4176 t
( a ``verifier'' who checks the certifi-)6 1497(roles: the ``prover'', who has a certificate issued by an authority, and)11 2823 2 720 4296 t
( mod-)1 238( authority knows the factorization of a)6 1543( The)1 208(cate without\320and this is the big trick\320actually seeing it.)8 2331 4 720 4416 t
(ulus)720 4536 w
10 I f
(N)915 4536 w
10 R f
( modulus)1 373(. The)1 233 2 982 4536 t
10 I f
(N)1616 4536 w
10 R f
( the verifier)2 473( What)1 270( verifier.)1 347(, but not its factorization, is known ahead of time by the)11 2267 4 1683 4536 t
(knows at the end of the protocol is that whoever prepared the certificate knew the factorization of)16 3890 1 720 4656 t
10 I f
(N)4635 4656 w
10 R f
(.)4702 4656 w
( modulus)1 377(The terminals and tokens carry certificates from their manufacturers, signed according to a)12 3693 2 970 4812 t
10 I f
(N)720 4932 w
7 R f
(term)798 4952 w
10 R f
( modulus)1 375( This)1 233( the brand name of the terminal.)6 1308(, characteristic of)2 701 4 935 4932 t
10 I f
(N)3582 4932 w
7 R f
(term)3660 4952 w
10 R f
(is known by all the host com-)6 1213 1 3827 4932 t
( distinct)1 328( prior distribution of public authenticating key is not a burden because the number of)14 3488(puters. This)1 504 3 720 5052 t
(brands of secure terminals will remain small.)6 1800 1 720 5172 t
( cer-)1 186( These)1 295( carry certificates attesting to the identity of their owners.)9 2353(User identification tokens also)3 1236 4 970 5328 t
(tificates are signed with a modulus)5 1475 1 720 5448 t
10 I f
(N)2237 5448 w
7 R f
(dom)2315 5468 w
10 R f
( which the user lives.)4 910(characteristic of the security domain in)5 1640 2 2490 5448 t
( with a user identification token carrying several such certificates valid in different)12 3370(There is nothing wrong)3 950 2 720 5568 t
( same moduli)2 545( also have one or more certificates signed by the)9 1962(domains. Computers)1 857 3 720 5688 t
10 I f
(N)4112 5688 w
7 R f
(dom)4190 5708 w
10 R f
( assumption)1 484(. The)1 233 2 4323 5688 t
( if you have an account)5 938( Roughly,)1 422( computers.)1 468(is that the same authorities that certify users are able to certify)11 2492 4 720 5808 t
(on a machine, there is at least one)7 1347 1 720 5928 t
10 I f
(N)2092 5928 w
7 R f
(dom)2170 5948 w
10 R f
(you and the machine have in common.)6 1545 1 2328 5928 t
( the token and terminal authenticate)5 1443( First,)1 262(Here is how to set up a login session with such equipment.)11 2365 3 970 6084 t
(each other with respect to modulus)5 1415 1 720 6204 t
10 I f
(N)2164 6204 w
7 R f
(term)2242 6224 w
10 R f
( tell the user that they like each other by visual signals: the)12 2378(. They)1 283 2 2379 6204 t
( the token has a chance)5 927( Then)1 256( the token is lit, a special icon or message is displayed on the terminal.)14 2828(light on)1 309 4 720 6324 t
( the token)2 408( Then)1 262( from the user, typed via the keyboard of the now-trusted terminal.)11 2736(to demand a password)3 914 4 720 6444 t
(tells its)1 294 1 720 6564 t
10 I f
(N)1046 6564 w
7 R f
(dom)1124 6584 w
10 R f
( a common)2 460( and host computer negotiate to find)6 1485( Terminal)1 423(values to the terminal.)3 909 4 1289 6564 t
10 I f
(N)4599 6564 w
7 R f
(dom)4677 6584 w
10 R f
(, then)1 230 1 4810 6564 t
(the computer proves its)3 944 1 720 6684 t
10 I f
(bona fides)1 417 1 1692 6684 t
10 R f
( modulus)1 372(to the terminal using)3 834 2 2137 6684 t
10 I f
(N)3370 6684 w
7 R f
(dom)3448 6704 w
10 R f
(and the terminal proves to the com-)6 1432 1 3608 6684 t
(puter that it is a special terminal with modulus)8 1943 1 720 6804 t
10 I f
(N)2699 6804 w
7 R f
(term)2777 6824 w
10 R f
( computer and terminal now set up the cross-)8 1885(. The)1 241 2 2914 6804 t
( proves his identity to the computer either by typing a clas-)11 2356(machine PEX protocol on their link, and the user)8 1964 2 720 6924 t
(sical password or by letting his token prove the user's credentials using)11 2849 1 720 7044 t
10 I f
(N)3594 7044 w
7 R f
(dom)3672 7064 w
10 R f
(.)3805 7044 w
( one security domain which knows about)6 1679(A simplification is possible in the case where there is only)10 2391 2 970 7200 t
cleartomark
showpage
saveobj restore
%%EndPage: 6 6
%%Page: 7 7
/saveobj save def
mark
7 pagesetup
10 R f
(- 7 -)2 166 1 2797 480 t
( the user token is not needed: the single modulus)9 2063( Then)1 268(all trustable computers.)2 961 3 720 840 t
10 I f
(N)4050 840 w
7 R f
(term)4128 860 w
10 R f
( for all)2 290(can suffice)1 447 2 4303 840 t
(applications of Fiat Shamir.)3 1111 1 720 960 t
10 B f
(Conclusion)720 1200 w
10 R f
( far more)2 387(The forgoing describes a general architecture for a network of secure computers, offering)12 3683 2 970 1356 t
( in the)2 262(security than is commonly found)4 1344 2 720 1476 t
9 R f
(UNIX)2355 1476 w
10 R f
(system, offering users a measure of distributed security ser-)8 2429 1 2611 1476 t
(vices with a minimal overhead of centralized bureaucracy.)7 2332 1 720 1596 t
( a net serve, before the methods of user authentication, delega-)10 2539(How large an organization could such)5 1531 2 970 1752 t
( How)1 251( becomes too cumbersome?)3 1127(tion of rights and authorities, and system administration sketched above)9 2942 3 720 1872 t
(much work would it take to build such a net, given the existing pieces?)13 2836 1 720 1992 t
( McIl-)1 260(I have had chats with Baldwin, Coutinho, Feigenbaum, Fernandez, Fraser, Grampp, Kurshan,)11 3810 2 970 2148 t
( I am grateful for)4 693(roy, Merritt, Pike, Presotto, Ritchie, Thompson, Wilson, Zempol, among others, to whom)11 3627 2 720 2268 t
(ideas and helpful criticism.)3 1082 1 720 2388 t
cleartomark
showpage
saveobj restore
%%EndPage: 7 7
%%Page: 8 8
/saveobj save def
mark
8 pagesetup
10 R f
(- 8 -)2 166 1 2797 480 t
10 B f
(References)720 840 w
10 R f
( of Defense Computer Security Center.)5 1673([DOD] Department)1 800 2 720 996 t
10 I f
(Department of Defense Trusted Computer)4 1774 1 3266 996 t
(System Evaluation Criteria.)2 1114 1 970 1116 t
10 R f
(US Department of Defense, Fort Meade, MD, 15 August 1983.)9 2521 1 2134 1116 t
( Proofs of Identity'',)3 860( ``Zero-Knowledge)1 810( A. Shamir.)2 487([FFS] U. Feige, A. Fiat, and)5 1185 4 720 1392 t
10 I f
(Journal of Cryptology,)2 940 1 4100 1392 t
10 B f
(1)970 1512 w
10 R f
(:77-94, 1988.)1 536 1 1020 1512 t
( Gasser.)1 321([G] M.)1 364 2 720 1788 t
10 I f
(Building a secure computer system.)4 1423 1 1455 1788 t
10 R f
(New York, Van Nostrand Reinhold, 1988.)5 1692 1 2928 1788 t
( Security with Fewer Fetters'', in)5 1381( ``Multilevel)1 544( J. A. Reeds.)3 538([MR2] M. D. McIlroy and)4 1094 4 720 2064 t
10 I f
(UNIX Around the)2 727 1 4313 2064 t
( Spring 1988 EUUG Conference.)4 1337(World: Proceedings of the)3 1066 2 970 2184 t
10 R f
(European UNIX Users' Group, London,)4 1615 1 3425 2184 t
(1988.)970 2304 w
( Windows on a Single-level Terminal'' in)6 1676( ``Multilevel)1 534( Reeds.)1 295([MR3] M. D. McIlroy and J. A.)6 1265 4 720 2580 t
10 I f
(Proceedings,)4516 2580 w
( in the present collection.)4 1053( Also)1 238( 29-30, 1988.)2 553(UNIX Security Workshop, August)3 1376 4 970 2700 t
10 R f
(USENIX, Portland,)1 790 1 4250 2700 t
(OR.)970 2820 w
( Stream Input-Output System'',)3 1278( ``A)1 192( M. Ritchie.)2 486([R] D.)1 350 4 720 3096 t
10 I f
(AT&T Bell Laboratories Technical Journal,)4 1781 1 3055 3096 t
10 R f
(Vol.)4865 3096 w
(63, No. 8, October 1984.)4 993 1 970 3216 t
cleartomark
showpage
saveobj restore
%%EndPage: 8 8
%%Trailer
done
%%Pages: 8
%%DocumentFonts: Courier Times-Bold Times-Italic Times-Roman Times-Roman Symbol