Multilevel security

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Cryptosmith (talk | contribs) at 03:07, 6 November 2005 (Added more information about MSL and some more product examples). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Multilevel Security or MLS is the capability of a computer system to carry information with different sensitivities (i.e. classified information at different security levels) and simultaneously permit access by users with different security clearances and needs-to-know, while preventing users from obtaining access to information for which they lack authorization.

This is often interpreted in different ways.

  • A user community in which users have differing security clearances may perceive MLS as a data sharing capability: all users can share information as long as the recipient's clearance allows receipt of that information. A system implements MLS if it allows easy access to less-sensitive information by higher-cleared individuals, and it allows higher-cleared individuals to easily share sanitized documents with less-cleared individuals. A sanitized document is one that has been edited to remove information that the less-cleared individual is not allowed to see.
  • Developers of products or systems intended to allow MLS data sharing tend to perceive it in terms of a specific mechanism that enforces data sharing restrictions, like those that implement the Bell-LaPadula model. A system therefore implements MLS if it implements a mechanism that enforces the proper restrictions on sharing classified information, regardless of how effectively it shares information. These mechanisms do not provide direct support of sanitization.

The term MLS also specifies a security mode in which a computer system may operate.

MLS Problem Areas

Sanitization is a problem area for MLS systems. Systems that implement MLS restrictions, like those defined by Bell-LaPadula, only allow sharing when it does not obviously violate security restrictions. Users with lower clearances can easily share their work with users holding higher clearances, but not vice versa. There is no efficient, reliable mechanism by which a Top Secret user can edit a Top Secret file, remove all Top Secret information, and then deliver it to users with Secret or lower clearances. In practice, MLS systems circumvent this problem via privileged functions that allow a trustworthy user to bypass the MLS mechanism and change a file's security classification. However, the technique is not reliable.

Covert channels pose another problem for MLS systems. For an MLS system to keep secrets perfectly, there must be no possible way for a Top Secret process to transmit signals of any kind to a Secret or lower process. This includes side effects such as changes in available memory or disk space, or changes in process timing. When a process exploits such a side effect to transmit data, it is exploiting a covert channel. It is extremely difficult to close all covert channels in a practical computing system, and it may be impossible in practice. The process of identifying all covert channels is a challenging one by itself. Most commercially available MLS systems do not attempt to close all covert channels, even though this makes it impractical to use them in high security applications.

Trusted Operating Systems

MLS implementation requires a highly trustworthy information processing system. If MLS is being deployed on a single computer, then that computer must use a trusted operating system (OS). Because all information in an MLS environment is physically accessible by the OS, strong logical controls must exist to ensure that access to information is strictly controlled. Typically this involves mandatory access control that uses security labels, like the Bell-LaPadula model noted earlier.
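As an added illustration of the label mechanism described here and of the sanitization problem from the previous section (example code written for this article, not taken from SELinux, TrustedBSD or Trusted Solaris), the following sketches the two Bell-LaPadula rules over labels that carry a hierarchical level plus a set of compartments; the level names, compartment names and counts are constructed for the example.

```python
from dataclasses import dataclass

# Constructed hierarchy for the example; real systems define their own.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: hierarchical level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Dominance is a partial order: higher-or-equal level AND a superset
        # of compartments. Labels with disjoint compartments are incomparable.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the reader must dominate."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): the target must dominate the writer."""
    return obj.dominates(subject)


def relabel(obj: Label, new: Label, trusted_subject: bool) -> Label:
    """Lowering a label is outside the mandatory policy; only a privileged,
    trusted function may do it (the sanitization escape hatch in the text)."""
    if new.dominates(obj):          # raising a label never leaks data
        return new
    if not trusted_subject:
        raise PermissionError("downgrade requires a trusted privileged function")
    return new


def label_count(num_levels: int, num_compartments: int) -> int:
    """Distinct labels the lattice yields: every level times every compartment
    combination. One dedicated system per label (MSL) quickly becomes
    impractical once compartments are involved."""
    return num_levels * 2 ** num_compartments


if __name__ == "__main__":
    ts, s = Label("TOP SECRET"), Label("SECRET")
    print(can_read(ts, s), can_write(ts, s))   # True False
    print(label_count(4, 10))                  # 4096
```

Note that a Top Secret subject without the "CRYPTO" compartment cannot read a Secret/CRYPTO object: the labels are incomparable, which is why compartments multiply rather than merely extend the level hierarchy.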

Trusted Operating System Products

Freely available implementations of MLS operating systems include Security-Enhanced Linux and TrustedBSD.

Sun Microsystems offers "Trusted Solaris," a commercial version of the Solaris Operating Environment that supports MLS. Early versions were evaluated at the TCSEC B1 level (the lowest allowed for MLS) and more recent versions were evaluated under the Common Criteria.

MILS and MSL

These acronyms are commonly used in the defense community, and they refer to the now-common practice of using dedicated computers to process information at different classification levels. MILS refers to multiple independent levels of security and MSL refers to multiple single levels.

The drive to develop MLS operating systems was severely hampered by the dramatic fall in data processing costs in the early 1990s. Before the advent of desktop computing, users with classified processing requirements had to either spend a lot of money for a dedicated computer or use one that hosted an MLS operating system. Throughout the 1990s, many offices in the defense and intelligence communities deployed desktop systems classified to operate at the highest classification level used in their organization. These desktop computers operated in a System High mode of operation and were connected to LANs that carried traffic at the same level as the computers.

Users often had two or more computers, each processing information at a different classification level, or at the unclassified level. Each computer was connected to its own LAN at the appropriate classification level.

To permit data sharing between computers working at different classification levels, such sites deploy either or both of two types of devices: MLS servers and guards. MLS servers connect to the LANs at different security levels and share appropriately-classified information with users on those LANs. These servers are typically implemented using an MLS operating system. Some implementations provide the end user with a thin client to access desktop applications that, unlike conventional applications, are more aware of how to handle classification labels correctly.

Guards are devices that filter traffic flowing between networks. Unlike a commercial Internet firewall, a guard is built to much more stringent assurance requirements and its filtering is carefully designed to try to prevent any improper leakage of classified information between LANs operating at different security levels.

This mode of operation works well in numerous environments that process classified information. The vast majority of classified information is classified Secret, and MSL provides a practical environment for most types of Secret work. MSL can be impractical in environments that handle compartmented or special access information. Each such restriction tends to combine with other restrictions to create separate classification levels for every possible combination; it quickly becomes impractical to deploy separate systems for every permutation of restrictions.

MSL Products

Several guard systems have been developed since the 1980s. An early family of guards were developed to sanitize logistics and force deployment information. The early 1990s saw the development of several e-mail guards.

The "Trusted Multi-Net" is a commercial off-the-shelf (COTS) system that provides a thin client MSL product. The product was developed jointly by an industry coalition including Microsoft Corporation, Citrix Systems, NYTOR Technologies, and MITRE Corporation to meet requirements specified by the National Security Agency. The Trusted Multi-Net offers users the ability to access multiple classified and unclassified networks from a single thin client device over a common cabling plant.

Another thin client product is the "SecureOffice" product line produced by Trusted Computer Solutions.

Sources

Trusted Computer System Evaluation Criteria (a.k.a. the TCSEC or "Orange Book")

Lampson, B. (1973). A note on the confinement problem. Communications of the ACM, 16(10), pp. 613-615. This paper introduced the concept of covert channels.

Smith, R. E. Introduction to multilevel security. Chapter 205 of the Handbook of Information Security, Volume 3, Threats, Vulnerabilities, Prevention, Detection and Management, Hossein Bidgoli, ed., ISBN 0-471-64832-9, John Wiley, 2005.