Firewall Wizards mailing list archives

RE: [ISN] New Defence Computer Keeps Hackers Out and Secret (fwd)


From: Jeremy Epstein <jepstein () tis com>
Date: Wed, 28 Oct 1998 21:03:23 -0500

Paul,

At 08:04 AM 10/28/98 -0600, Paul McNabb wrote:
> You are right.  Last week I went back and looked more closely at what
> they had done, and it isn't really CMW trusted X Window stuff, though
> it is solving some of the same types of problems.  In fact, this looks
> a lot like some of the work done at NRL over the last few years.  The
> NRL folks were solving the problem of having information flow only from
> low systems to high systems.  They did this by replicating databases
> on different systems and providing a one-way communication mechanism to
> send transactions up the chain to higher systems.

Yes, it is solving some of the same problems as CMWs tried to, but in a
totally different way (and one which can give a lot of assurance, which is
something CMWs were always weak on).

It's sort of related to the stuff NRL is doing, in that one of the things
it provides is safe upward flow without leakage.  It's much simpler than
what NRL did, though, because they don't try to use queues to avoid loss...
they rely on things being fast enough not to lose packets.

> I was sitting next to a bunch of military guys while the NRL project was
> being presented, and the most interesting comment I heard was something
> like "Big deal.  We aren't concerned about secure upgrading, we can do
> that now.  We want secure downgrading."  I'm not sure if this is the
> general feeling about the rash of "diodes" now coming on the market, but
> I think there is still a great need for secure, bi-directional flow.

I understand why the military folks say that.  And sometimes I say it too :-)

> Galaxy Computer Services, Inc. (www.gcsi.com) makes something they call
> an "Information Diode" which is based on Linux running on PCs.  They use
> two systems running modified tftp protocols on top of "hardened" (not
> trusted) versions of the operating system.  Their claims are similar:
> information can flow in only one direction.  The site says that source
> is delivered with the product.

Yes, I've heard about it.  Haven't had a chance to look at it, but I'm
extremely suspicious of people who claim to have one way flows built on top
of relatively untrustworthy platforms.  For example, NRL built several
versions of their Pump one-way transfer.  The versions built on Windows NT
are a great demo, but neither they nor I would ever rely on them for an
actual one-way device.  Not sure about the Galaxy device being in that same
category.

> BTW, wasn't your solution at TRW the one that used multiple instantiations
> of the X server, each handling a separate security level?

Yes, that's correct.  And in a certain sense, that's what the Australians
did, except they use multiple instantiations of the X server in *hardware*,
while I did it in *software*.  Because I did it in software, I needed a
trusted operating system to make it work, but I could support as many
levels as you wanted.  Because they do it in hardware, they require
multiple boxes (one per unique level/category combination), but they don't
need a trusted operating system.  Viva la difference  :-)
---------------------------------+-------------------------------------
| Jeremy Epstein                 |  E-mail: jepstein () tis com          |
| TIS Labs at Network Associates |  Voice:  +1 (703) 356-4938         |
| Northern Virginia Office       |  Fax:    +1 (703) 821-8426         |
---------------------------------+-------------------------------------
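
Added example, not part of the original message and not code from any of the products discussed: a constructed simulation of the queueless one-way link described in the reply above, where nothing can be acknowledged and the design depends on the receiving side keeping up. The tick model, buffer size and per-frame sequence numbers are assumptions made for illustration.

```python
from collections import deque

def run_link(n_frames, send_every, recv_every, buf_slots):
    """Return (delivered, dropped) sequence numbers for a link with no ACKs."""
    buf, delivered, dropped = deque(), [], []
    seq = tick = 0
    while seq < n_frames or buf:
        # Low side: emits on its own clock and never learns what happened.
        if seq < n_frames and tick % send_every == 0:
            if len(buf) < buf_slots:
                buf.append(seq)
            else:
                dropped.append(seq)  # overrun; no back-channel to report it
            seq += 1
        # High side: drains one frame every recv_every ticks.
        if buf and tick % recv_every == 0:
            delivered.append(buf.popleft())
        tick += 1
    return delivered, dropped

def detect_gaps(delivered):
    """High-side check: sequence numbers missing between received frames."""
    missing = []
    for prev, cur in zip(delivered, delivered[1:]):
        missing.extend(range(prev + 1, cur))
    return missing

if __name__ == "__main__":
    # Constructed scenarios: receiver faster than sender, then slower.
    for label, send_every, recv_every in (("fast receiver", 2, 1),
                                          ("slow receiver", 1, 2)):
        got, lost = run_link(10, send_every, recv_every, buf_slots=2)
        print(label, "delivered", got, "dropped", lost,
              "gaps seen", detect_gaps(got))
```

In this model the high side can notice a loss from the sequence gap but has no path to ask for a resend, so the missing frames stay missing.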


