Each UNIX system provides services to a single security partition and operates at full speed; security-critical tasks are performed by separate, specialised processors. These security processors control access to the different security partitions and mediate information flow between them. They also provide a multilevel secure file system and a facility for dynamically changing the security partition to which each UNIX system is assigned. Extensions to support controlled downgrading and multilevel objects are described as well.
Despite the sophistication of the overall system, individual security processors employ only very simple, straightforward mechanisms; their construction and verification requires no more than already established technology. And despite the heterogeneity of its components, the system as a whole appears to be a single multilevel secure UNIX system, since the fact that it is actually a distributed system is completely hidden from its users and their programs. This is achieved through the use of the "Newcastle Connection", a software subsystem that links together multiple UNIX or UNIX-look-alike systems, without requiring any changes to the source code of either the operating system or any user programs.
A first prototype system, providing multiple security partitions, and a multilevel secure file system, has already been successfully demonstrated - construction of a much more complete prototype is now planned.
This is a scanned copy, so the file size is rather large (7MB)
scanned PDF
This is a longer version of a paper published in IEEE Computer July 1983 and selected as a Classic Paper for ACSAC 2007.
@techreport{Rushby&Randel:TR83,
AUTHOR = {John Rushby and John Rushby},
INSTITUTION = {Computing Laboratory, University of Newcastle
upon Tyne},
TITLE = {A Distributed Secure System},
YEAR = 1983,
MONTH = may,
ADDRESS = {Newcastle upon Tyne, UK},
NUMBER = 182
}