A security model for military message systems
- 1 August 1984
- journal article
- Published by Association for Computing Machinery (ACM) in ACM Transactions on Computer Systems
- Vol. 2 (3), 198-222
- https://doi.org/10.1145/989.991
Abstract
Military systems that process classified information must operate in a secure manner; i.e., they must adequately protect information against unauthorized disclosure, modification, and withholding. A goal of current research in computer security is to facilitate the construction of multilevel secure systems, systems that protect information of different classifications from users with different clearances. Security models are used to define the concept of security embodied by a computer system. A single model, called the Bell and LaPadula model, has dominated recent efforts to build secure systems but has deficiencies. We are developing a new approach to defining security models based on the idea that a security model should be derived from a specific application. To evaluate our approach, we have formulated a security model for a family of military message systems. This paper introduces the message system application, describes the problems of using the Bell-LaPadula model in real applications, and presents our security model both informally and formally. Significant aspects of the security model are its definition of multi-level objects and its inclusion of application-dependent security assertions. Prototypes based on this model are being developed.
This publication has 8 references indexed in Scilit:
- A comment on the ‘basic security theorem’ of Bell and LaPadula. Information Processing Letters, 1985
- The use of quick prototypes in the secure military message systems project. ACM SIGSOFT Software Engineering Notes, 1982
- Formal Models for Computer Security. ACM Computing Surveys, 1981
- Military Message Systems: Current Status and Future Directions. IEEE Transactions on Communications, 1980
- A model for verification of data security in operating systems. Communications of the ACM, 1978
- Information transmission in computational systems. Published by Association for Computing Machinery (ACM), 1977
- Proving multilevel security of a system design. Published by Association for Computing Machinery (ACM), 1977
- A lattice model of secure information flow. Communications of the ACM, 1976