[ale] slightly OT: Bastion Host
jeff hubbs
hbbs at mediaone.net
Mon Jan 21 10:41:09 EST 2002
Keith Hopkins wrote:
> Hi all,
>
> I'm in a class for the HP Secure OS (Linux), and I was wondering what experiences, good or bad, anyone has had with other secure OSes (Virtual Vault, NSA secure linux, trusted Solaris, etc).
>
> Lost in Tokyo,
> Keith
Keith -
I worked extensively with DEC's Security Enhanced VMS starting around
1989-1990. The primary feature added to the OS by SEVMS was a highly
configurable access control mechanism that added to the
"system/group/world" and Access Control List (ACL) mechanisms already
present.
You configured SEVMS with an ordered set of arbitrary "levels" and a
non-ordered set of arbitrary "categories." You'd assign numbers to
levels and categories and assign human-helpful labels to the numbers.
You might have levels of 0, 10, 20, and 30 and label them UNCLASSIFIED,
CONFIDENTIAL, SECRET, and TOP SECRET, and a set of categories 0, 1, 2,
and 3 labeled NONE, RED, GREEN, and BLUE.
Now, when I said that categories were non-ordered, that wasn't quite
true; all non-zero categories were treated as being "higher" than
category 0.
Every "object" on the system - a file, a directory, a device, a piece of
media, etc. - had a "classification range" that was part of its
descriptor. Every process on the system had a classification, i.e., a
level and a category. From the point of view of a process, SEVMS would
not let you "read up," "write down," or "read/write across" in the
classification hierarchy. If your process were running as SECRET/BLUE,
you couldn't write to UNCLASSIFIED/NONE or SECRET/RED.
The way you'd set this up is that your system drive - the one that held
the OS and your COTS software - and everything on it would be
UNCLASSIFIED/NONE, and you'd put your "important" data and/or software
on a drive set to some other non-zero classification. This way, you
could pretty much be assured that your "important" stuff would stay
right where you wanted it to and no one could do anything to break it.
When set up properly and activated, SEVMS was a sight to behold.
However, most of the time, any software you'd want to run from a process
with non-zero classification would break. ALLIN1, DEC's behemoth
office automation/word processing/e-mail app was the worst, and I
finally solved the problem by running multiple instances of it,
switching the user to the correct instance by sensing his process'
classification and setting its logical names to the ones for the
appropriate instance. Backups were fun too, because you couldn't just
put everything on one tape; that broke the security rules. Thank
goodness that DAT drives with movable tape magazines had come out; if I
had had to do this with 9-track tapes, I would have gone insane.
One point of contention that I faced with management over all this was
that after going to all this expense (considerable, too!) and trouble
(the phrase "Miller time" frequently came up), the whole arrangement was
compromised the instant you connected a PC with a terminal emulator to
the SEVMS/VAX. That permitted you to "walk around" SEVMS' walls. You
could log in under one classification from your PC, xmodem or even
screen-capture some data down, log off, log in again under a different
classification, and upload it back.
If you're thinking, "well, tell people not to do that," you're missing
the point - specifically, the point of "mandatory access controls,"
which is to not have to rely on every last one of a large group
of people acting according to how they're instructed in order to keep
your security intact. In practice, it's very, very difficult to not
rely on SOME kind of "discretionary access control," even if it's just
giving people a first-time password, forcing them to change it, and
telling them to keep it a secret.
It's always been kind of funny to me how, in my subsequent
private-industry work, I've been given such a hard time about doing
things like refusing to send clear-text passwords over the Internet or
insisting that servers' clocks have the correct time whereas, back in
those days, I was doing things like making sure that when a user logged
off, all 15 of the non-background colors on the terminal were
overwritten in order to make sure that there was no "black-on-black"
text still on the screen. Heh, I was a little uneasy about the fact
that you could store data in a DEC VT terminal in the form of character
sets.
- Jeff
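The level/category lattice Jeff describes, worked through as an added example (my own code, not from the post or from SEVMS). It assumes the post's sample labels and treats an object's "classification range" as a low/high pair, with a single-level file having low == high; the read and write rules encode "no read up, no write down, no read/write across" as Jeff states them.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed label tables following the post's example configuration.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 10, "SECRET": 20, "TOP SECRET": 30}
CATEGORIES = {"NONE": 0, "RED": 1, "GREEN": 2, "BLUE": 3}


@dataclass(frozen=True)
class Label:
    level: int     # ordered: a higher number is more sensitive
    category: int  # 0 is NONE; distinct non-zero categories are incomparable

    @classmethod
    def of(cls, text: str) -> "Label":
        """Build a label from 'LEVEL/CATEGORY', e.g. 'SECRET/BLUE'."""
        level, category = text.split("/")
        return cls(LEVELS[level], CATEGORIES[category])

    def dominates(self, other: "Label") -> bool:
        """True when self is at or above other in the lattice. Levels compare
        numerically; NONE sits below every other category, and two different
        non-zero categories are neither above nor below each other ("across")."""
        if self.level < other.level:
            return False
        return other.category == 0 or self.category == other.category


def may_read(process: str, obj_low: str, obj_high: str) -> bool:
    """No 'read up' and no 'read across': the process label must dominate the
    top of the object's range, so everything readable is at or below it."""
    return Label.of(process).dominates(Label.of(obj_high))


def may_write(process: str, obj_low: str, obj_high: str) -> bool:
    """No 'write down' and no 'write across': the bottom of the object's range
    must dominate the process label, so nothing flows to a lower or sideways label."""
    return Label.of(obj_low).dominates(Label.of(process))


def check(process: str, obj_low: str, obj_high: Optional[str] = None) -> dict:
    """Read/write decision for one process label against one object (range)."""
    obj_high = obj_high or obj_low
    return {"read": may_read(process, obj_low, obj_high),
            "write": may_write(process, obj_low, obj_high)}


if __name__ == "__main__":
    # The post's example: a SECRET/BLUE process against several objects.
    for obj in ("UNCLASSIFIED/NONE", "SECRET/RED", "SECRET/BLUE", "TOP SECRET/BLUE"):
        print(f"SECRET/BLUE -> {obj}: {check('SECRET/BLUE', obj)}")
```

The UNCLASSIFIED/NONE case shows why software breaks at a non-zero classification: the system drive is readable (so the program loads) but not writable, so any scratch file or lock file the program tries to create there is refused.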
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.