A Distributed Secure System

John Rushby and Brian Randell

IEEE Computer, Volume 16, Issue 7, pp 55-67, July 1983.


We describe, in tutorial detail, the design of a distributed general-purpose computing system that enforces a multilevel security policy. The system is composed of standard UNIX systems and small trustworthy security mechanisms linked together in such a way as to provide a total system which is not only demonstrably secure, but also highly efficient and cost effective.

Each UNIX system provides services to a single security partition and operates at full speed; security-critical tasks are performed by separate, specialised processors. These security processors control access to the different security partitions and mediate information flow between them. They also provide a multilevel secure file system and a facility for dynamically changing the security partition to which each UNIX system is assigned. Extensions to support controlled downgrading and multilevel objects are described as well.

Despite the sophistication of the overall system, individual security processors employ only very simple, straightforward mechanisms; their construction and verification requires no more than already established technology. And despite the heterogeneity of its components, the system as a whole appears to be a single multilevel secure UNIX system, since the fact that it is actually a distributed system is completely hidden from its users and their programs. This is achieved through the use of the "Newcastle Connection", a software subsystem that links together multiple UNIX or UNIX-look-alike systems, without requiring any changes to the source code of either the operating system or any user programs.

A first prototype system, providing multiple security partitions, and a multilevel secure file system, has already been successfully demonstrated--construction of a much more complete prototype is now planned.

 *NOTE* This was selected as a "classic paper" for ACSAC 2007; Brian Randell and I added some reminiscences and updates and that version is available at Distributed Secure Systems: Then and Now.

Original paper: PDF only (this is a big file--3.5 MBytes--scanned from the magazine)

A preliminary version of this paper was presented at the 1983 IEEE Symposium on Security and Privacy: PDF only

There is also a much longer Technical Report

BibTeX Entry

	AUTHOR = {John Rushby and Brian Randell},
	JOURNAL = {IEEE Computer},
	TITLE = {A Distributed Secure System},
	YEAR = 1983,
	MONTH = jul,
	PAGES = {55--67},
	VOLUME = 16,

	AUTHOR = {John Rushby and Brian Randell},
	BOOKTITLE = {Proceedings of the Symposium on Security and Privacy},
	ORGANIZATION = {IEEE Computer Society},
	ADDRESS = {Oakland, CA},
	TITLE = {A Distributed Secure System (Extended Abstract)},
	PAGES = {127--135},
	MONTH = apr,
	YEAR = 1983

Having trouble reading our papers?
Return to the Formal Methods Program home page
Return to the Computer Science Laboratory home page