Constance Heitmeyer, John McLean
Naval Research Laboratory
In the late 1970s and early 1980s, the military conducted an experiment, the Military Message Experiment (MME), to investigate replacing existing military message systems with a new system based on the ARPANET and e-mail that provided a simulated multilevel secure (MLS) interface. At the same time, research was underway to develop multilevel secure operating systems. Experiences with both the MME and with prototype MLS systems led to research conducted at the Naval Research Laboratory to specify and prototype a family of military message systems (MMS) based on software engineering principles and on specifying the desired security behavior at the application level, rather than at the operating system level. The resulting security model was published as an NRL technical report and subsequently in ACM Transactions on Computer Systems in August 1984. That paper is reprinted here, together with some retrospective observations on the work and its import. The original paper was the first in an archival journal to present a security model based on application requirements, as opposed to operating system structure. The informal model is accessible to users, while the formal model provides the precision needed for designing a system and for determining whether an implementation enforces the model. The paper also introduced access controls based on user roles. The approach to developing informal security models remains quite relevant; efforts to develop assurance arguments for today's systems can in many cases be related to the approach taken in this work.
Keywords: Security, Security Model, Verification, Assurance Argument, Access Controls, Role-based Access Controls, Storage Channels, Message Systems, Confinement