Scomp: A Solution to the Multilevel Security Problem

Lester J. Fraim, Honeywell Information Systems

While many multilevel security systems exist on paper and in the laboratory, the Honeywell Secure Communications Processor is the first of its kind to be offered commercially.

The Honeywell Secure Communications Processor supports a variety of specialized applications that require the processing of information with multilevel security attributes. A commercial hardware product, the Scomp system is a unique implementation of a hardware/software general-purpose operating system based on the security kernel concept. Scomp hardware supports a Multics-like hardware-enforced ring mechanism, virtual memory, virtual I/O processing, page fault recovery support, and performance mechanisms to aid in the implementation of an efficient operating system. The Scomp trusted operating program, or STOP, is a security-kernel-based general-purpose operating system that provides a multilevel hierarchical file system, interprocess communication, security administrator functions, and operator commands.

The idea for the Scomp system originated in a joint Honeywell/Air Force program called Project Guardian, which was an attempt to further enhance the security of Honeywell's Multics system. A secure front-end processor was needed that would use the security kernel approach to control communications access to Multics. Multics was designed to provide program and data sharing while simultaneously protecting against both program and data misuse. The system emphasizes information availability, applications implementation, database facilities, decentralized administrative control, simplified system operation, productivity, and growth. The Multics system uses a combination of hardware and software mechanisms to provide a dynamic multiuser environment. The Multics security mechanisms, considered far more advanced than those available in most large commercial systems, use access control lists, a hardware-enforced ring structure supporting eight rings, and the Access Isolation Mechanism, which allows the definition of privilege independent of other controls. Access control provided by these mechanisms is interpreted by software but enforced by hardware on each reference to information. The hardware implementation includes a demand-paged virtual memory capability that is invisible to user programs.

Although Project Guardian was never completed, the use of Multics features to provide multilevel security was pursued in a revised Scomp effort, a joint project of Honeywell Information Systems and the Department of Defense, specifically the Naval Electronics Systems Command, or NAVELEX. In this implementation the Scomp is a trusted minicomputer operating system developed using software verification techniques.

Originally the plan was to use the traditional approach to building a trusted operating system: namely, to build a security kernel and an emulator of an existing operating system to run on top of the kernel. This approach was taken by UCLA [2] and Mitre in their early development programs and by Ford for KSOS-11 [3]. One conclusion drawn from these efforts was that an operating system emulator was many times slower than the emulated system [4]. This performance reduction can be attributed to a variety of factors, including the incompatibility of the security kernel with the emulated system, the hardware capabilities of the system, and the code generated by the implementation language.

In August 1982 Honeywell requested that the newly formed Department of Defense Computer Security Evaluation Center formally evaluate the Scomp. This evaluation, which is still continuing, is using the Draft Trusted Computer System Evaluation Criteria dated January 27, 1983, to determine whether the Scomp is a Class A1 system. The evaluation is expected to be complete in late summer 1983.

0018-9162/83/0700-0026$01.00 © 1983 IEEE    COMPUTER

The planned interface for the Scomp system was a Bell Labs Unix emulator, the same type of emulator used by KSOS-11 [1]. The goal was to provide a compatible interface on both systems, thereby using the vast amount of software that exists on current Unix implementations. However, KSOS-11 and other attempts to build Unix emulators on secure systems have shown that certain Unix features (e.g., process-family sharing of open-file seek pointers) are incompatible with the requirements of secure systems. Furthermore, the Unix notion of doing I/O by copying data into a process address space is incompatible with the Scomp demand paging system. Rather than trying to achieve full Unix compatibility, Honeywell has taken a new approach to building an interface for the Scomp. The SKIP, or Scomp kernel interface package, does not try to emulate a specific system. Instead, it takes advantage of the underlying hardware and security kernel architecture to provide an efficient applications interface.

The Scomp system, a solution to many multilevel security problems, contains the mechanisms necessary to allow controlled processing of different levels of classified information. Implementing MLS applications on the Scomp system can provide greater flexibility and efficiency than the current use of procedural and administrative controls to protect information resources. Many systems today overclassify both people and information because the computer cannot maintain the separation of information with different classifications. Most systems operate in a system-high mode, in which the level of the system and all its users is cleared to the highest level of any information in the system; procedural and physical controls are then applied to protect the information in the system. The Scomp system provides for the processing of information at its classification level, and it enforces the separation of users with different security characteristics. In addition, the Scomp system can provide specialized interfaces between systems of different classifications to allow more efficient management of information. Such MLS applications, referred to as guard systems [5], provide the timely flow of information between resources with different security levels. These resources can be two networks, two systems, or a system with users at a level lower than that of the system.

The Scomp's basic security mechanism

The Scomp system is a unique implementation of the security kernel approach because of the way in which the hardware functions support the software capabilities. The Scomp system satisfies the requirements of the reference monitor by providing complete mediation
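The following is an added illustration, not code from the Scomp paper, from STOP, or from SKIP: a toy reference monitor that mediates every read and write against a lattice of security labels (a hierarchical level plus a set of compartments), so that information is processed at its own classification level and users with different clearances are kept separate. It applies the standard no-read-up / no-write-down policy; the article does not detail Scomp's own access rules, so treat the policy, the level names, and the sample subjects and objects as assumptions of the example. The system_high() and would_be_overcleared() functions show why a system-high deployment forces the overclassification of people that the text describes.

```python
# Added example (not from the Scomp paper or its software): a toy MLS
# reference monitor. Levels, compartments, subjects and objects below are
# constructed for illustration; the lattice policy is the standard
# no-read-up / no-write-down rule, not a description of STOP's own rules.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Hierarchical classification levels, lowest to highest (assumed names).
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: at least as high a level and a superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

    def join(self, other: "Label") -> "Label":
        # Least upper bound of two labels; used to compute the system-high level.
        level = self.level if LEVELS[self.level] >= LEVELS[other.level] else other.level
        return Label(level, self.compartments | other.compartments)


def system_high(labels: Iterable[Label]) -> Label:
    """Level every user would need in system-high mode: the join of all objects."""
    result = Label("UNCLASSIFIED")
    for lab in labels:
        result = result.join(lab)
    return result


class ReferenceMonitor:
    """Complete mediation: every access goes through check(), and each decision is logged."""

    def __init__(self, subjects: Dict[str, Label], objects: Dict[str, Label]) -> None:
        self.subjects = subjects
        self.objects = objects
        self.audit: List[Tuple[str, str, str, bool]] = []

    def check(self, subject: str, obj: str, mode: str) -> bool:
        s, o = self.subjects[subject], self.objects[obj]
        if mode == "read":
            allowed = s.dominates(o)   # simple security: no read up
        elif mode == "write":
            allowed = o.dominates(s)   # confinement (*-property): no write down
        else:
            raise ValueError(f"unknown access mode {mode!r}")
        self.audit.append((subject, obj, mode, allowed))
        return allowed

    def readable_by(self, subject: str) -> List[str]:
        """Objects a subject may read at its own clearance; no system-high upgrade needed."""
        return sorted(name for name in self.objects if self.check(subject, name, "read"))


def would_be_overcleared(mon: ReferenceMonitor) -> List[str]:
    """Users a system-high deployment would have to clear above their real need."""
    high = system_high(mon.objects.values())
    return sorted(s for s, lab in mon.subjects.items() if not lab.dominates(high))


def build_demo_monitor() -> ReferenceMonitor:
    # Constructed sample data: two users with different clearances, three objects.
    subjects = {
        "analyst": Label("SECRET"),
        "commander": Label("TOP SECRET", frozenset({"OPS"})),
    }
    objects = {
        "weather-report": Label("UNCLASSIFIED"),
        "intel-summary": Label("SECRET"),
        "ops-plan": Label("TOP SECRET", frozenset({"OPS"})),
    }
    return ReferenceMonitor(subjects, objects)


if __name__ == "__main__":
    mon = build_demo_monitor()
    print("system high:", system_high(mon.objects.values()))
    print("would be overcleared under system high:", would_be_overcleared(mon))
    for who in mon.subjects:
        print(who, "can read", mon.readable_by(who))
    print("analyst write ops-plan:", mon.check("analyst", "ops-plan", "write"))
    print("commander write weather-report:", mon.check("commander", "weather-report", "write"))
    for entry in mon.audit:
        print("audit:", entry)
```

The asymmetry is the point: the SECRET analyst can append to the TOP SECRET/OPS plan (writing up leaks nothing) but cannot read it, while the commander can read everything yet cannot write into the unclassified report. Under system high, by contrast, the analyst would have to be cleared to TOP SECRET/OPS just to share the machine.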