Design of a message processing system for a multilevel secure environment

A primary requirement for a message system in an operational military environment is that it be secure enough to process messages at multiple levels of classification. But for the system to be accepted, the operator interface must be "usable." Usability relates to three things: features provided, ease of entering commands, and overall performance. Certainly an interface that does not perform well in these respects, or is difficult to learn or use, will not be used. The Department of Defense Advanced Research Projects Agency (DARPA) and the Navy are sponsors of an experiment to evaluate the operational use of a computer-aided message handling system at P ACOM Headquarters in Hawaii. The experiment will evaluate the operational and organizational impact of the automated service on a community that now uses a largely manual system. The purpose of this paper is to document the security design of SIGMA, ** the system that will be used in the experiment. In the following section, a description of the SIGMA message processing system is given. The third section provides background and discusses the kernel approach to multilevel security. In the fourth section we describe several security problems encountered in the design. The fifth section presents the design of the SIGMA message service. The additional features that the kernel must provide to support SIGMA efficiently are documented in the sixth section. Finally, a summary is provided to highlight the paper's main points.