Affiliations: [a] Cordant, Inc. | [b] Department of Computer Science, Portland State University, P.O. Box 751, Portland, OR97207-0751, USA | [c] University of Arizona | [d] ORA Corporation | [e] TRW Systems Division | [f] The University of North Carolina | [g] Trusted Information Systems, Inc.
Note: [1] This work is sponsored by the Defense Advanced Research Projects Agency under Contract No. MDA 972-89-C0029. Correspondence should be addressed to Ann Marmor-Squires, TRW Systems Division, Fairfax, VA. or by email to marmor@charm.isi.edu. An earlier version of this paper was presented at the Seventh Annual Computer Security Applications Conference, San Antonio TX, December 1991.
Abstract: This paper describes the architecture of a prototype multilevel secure windowing system based on the X Window System. The prototype, known as TX, is designed to meet the class B3 architectural requirements of the Trusted Computer System Evaluation Criteria (TCSEC). The architecture and prototype described here demonstrate that high assurance windowing technology is feasible. The TX architecture is based on the encapsulation of untrusted functionality, such as that contained in an ordinary X server, using a relatively small amount of trusted applications code. The untrusted functionality is then polyinstantiated or replicated once for each active sensitivity level. This leads to a combination of high assurance and complex functionality while reducing the evaluation effort to a tractable level. The architecture of TX is described, and its information flow and visible labeling security policies are discussed. The trade-offs that were made to maintain assurance while achieving other software engineering goals are considered. TX is compared with several other trusted windowing systems.
