Proceedings of JENC8
`
`Editors: H. Lubich
`P. Rendek
`
`8th Joint European Networking Conference (JENCS)
`
`Diversity and Integration: The New European Networking Landscape
`
`To order copies, contact:
`
`TERENA Secretariat
`
`Sing“ 466-468
`NL-1017 AW AMSTERDAM
`The Netherlands
`
`E-mail: jenc8-sec@terena.nl
`
`V
`UB/TIB Hanno er
`116182 466
`
`89
`
`
`
`
`
`
`
` “MIMI“
`
`

`

`
`
`JENC8Proceedings May 1997
`
`
`
`PROCEEDINGS JENCS
`
`TABLE OF CONTENTS
`
`SESSION I
`
`Session I-2:
`Chair:
`
`
`
`TECHr-isg ‘
`
`Co-operation through the Web
`INFORM A Y i (I
`
`
`
`Manfred Bogen, GMD Sankt Augustin, Germa
`
`UNIVERSITS‘KTSBlBUOTHEK ':
`HA N NOV ER
`
`
`
`121
`
`Building a Web Caching System - Architectural Considerations
`Ingrid Melve <Ingrid.Melve@uninett.n0>, UNINETT Norway, Lars Slettjord
`<Lars.Slettjord@cc.uit.no>, Troms¢ University, Norway, Henny Bekker
`<H.Bekker@cc.ruu.nl>, Utrecht University, The Netherlands, Ton Verschuren
`<Ton. Verschuren@surfnet.nl>, SURFnet, The Netherlands
`
`122
`
`Collaborative Browsing in the World Wide Web
`Gabriel Sidler <sidler@ tik.ee.ethz,ch>, ETH Zurich, Switzerland, Andrew Scott
`
`<acs@comp.lancs.ac.uk>, University ofLancaster, United Kingdom, Heiner Wolf
`<wolf@informatik.uni-ulm.de>, University of Ulm, Germany
`
`123 Visualising and Populating the Web: Collaborative Virtual Environments for Browsing,
`Searching and Inhabiting Webspace
`Steve Benford <sdb@cs.nott.ac.uk> , Dave Snowdon <dns@cs.nott.ac.uk>, Chris Brown
`<ceb@cs.nott.ac.uk>, Gail Reynard <gtr@cs.nott.ac.uk>, Rob Ingram <rji@cs.nott.ac.uk>,
`The University ofNottingham, United Kingdom
`
`Session I-3:
`Chair:
`
`Delivering Broadband to the Customer
`Ole Jacobsen, Interop, USA
`
`132
`
`Issues in Residential Broadband Internet Service Provision
`
`Saleem Bhatti <S.Bhatti@cs.ucl.ac.uk>, Graham Knight <G.Knight@cs.ucl.ac.uk>,
`University College London, United Kingdom
`
`133
`
`BT CityMedia Network - Video Multicast and ATM
`Dave Ginsburg <dginsbur@ cisco.com>,Cisco Systems Europe, Chris Gibbings
`< Chris. Gibbings @ bt-sys. bt. co. uk>, BT Laboratories, Dave Newson
`<newsondj@boat.bt.com>, BT Laboratories, Jeremy Barnes
`<Jeremy.Barnes@concert.com> Concert Communications, United Kingdom
`
`SESSION II
`
`Session II-1:
`
`Commerce on the Internet
`
`Chair:
`
`Thierry Gourdon, CYBERserve, France
`
`211
`
`The Internet and EDI - EDI as the backbone of Electronic Commerce?
`
`Dick Raman, <info@edi-tie.nl>, EDI-TIE B. V., The Netherlands
`
`212 Using the Internet for Business - Web Oriented Routes to Market and Existing IT
`Infrastructures
`
`James W. West <EJWWEST@vnet.ibm.com>, IBM United Kingdom Labs, United Kingdom
`
`121
`
`122
`
`123
`
`132
`
`133
`
`211
`
`212
`
`
`
`

`

`
`
` Proceedings JENC8 May 1997
`
`
`
`Session II-2:
`Chair:
`
`User Support and Training - Issues and Initiatives
`Gerti Foest, DFN-Verein, Germany
`
`221 On-line Training Materials Using State Information Derived from Cookies, H'I'I'Pl .0
`and its Descendents
`
`Tony McDonald, <Tony.McDonald@newcastle.ac.uk>, University of Newcastle,
`United Kingdom
`
`222
`
`Environment To Inspire Network Users (ETINU) - The development of a complete
`online support system
`Christine Cahoon <christine@unite.co.uk>, George Munroe <george@unite.co.uk>,
`UNITE Solutions Limited, George Dunn <G.Dunn@qub.ac.uk>, Majella McCarron
`<M.MeCarron@qub.ac.uk>, The Queen’s University of Belfast, Northern Ireland
`
`223 Gossamer Strands to Institutional Infrastructure - Experiences Establishing a
`University Web Site
`Majella McCarron <M.McCarron@qub.ac.uk>, George Dunn <G.Dunn@qub.ac.uk>,
`The Queen’s University of Belfast, Christine Cahoon <christine@unite.co.uk>,
`George Munroe <george@unite.co.uk>, UNITE Solutions Limited, Northern Ireland.
`
`SESSION III
`
`Session III-1:
`Chair:
`
`Secure Network Applications
`Rfidiger Grimm, GMD Darmstadt, Germany
`
`312 Handling Confidential Internet Conferences by Email
`Knut Bahr <bahr@gmd.de>, Elfn'ede Hinsch <hinsch @gmd.de>, Anne Jaegemann
`<jaegemann@gmd.de>, Lan Wang <wang@gmd.de>, GMD Dannstadt. Germany
`
`313
`
`Status of Industry Work on Signed Mobile Code
`Matthew Christian Faupel <mcf@ansa. co. uk>, APM Ltd, United Kingdom
`
`Session III-2:
`Chair:
`
`Searching in the Web
`Stefan Kelm, DFN-PCA, Germany
`
`321 Adding Softlinks to the Web
`Oli Kai Paulus, Markus Andrezak, Guido Dunker. Ulrich Sehweiger
`{okp,andrezak,dunker,uswg}@cs.tu-berlin.de, KIT Project Group -
`Technical University of Berlin, Germany
`
`322 A Distributed Weighted Centroid-based Indexing System
`Miguel Rio <rio@uminh0.pt>, Joaquim Macedo <macedo@uminh0.pt>,
`Vasco Freitas <vf@uminho.pt>, Universidade do Minho, Portugal
`
`323
`
`The Evolution of a National Networked Bibliographic Data Service
`Terry Morrow <TM.Morrow@bids.ac.uk>, University ofBath, United Kingdom
`
`Session III-3:
`
`TEN-34: Implementing a High-Speed European Research
`Backbone
`Thomas Brunner, S WIICH, Switzerland
`
`Chair:
`
`331
`
`The Implementation of TEN-34
`Michael H. Behringer; DANTE, <M.H.Behringer@dante.org.uk>, DANTE,
`United Kingdom
`
`221
`
`222
`
`223
`
`312
`
`313
`
`321
`
`322
`
`323
`
`331
`
`

`

`
`
`J“CSProceedings May l997
`
`
`
`332
`
`Experiments for Advanced Backbone Services
`Michael Behringer <michael.behn'nger@dante.org.uk>, Frank Breiter
`<breiter@ibdninftu-dresden.de>, Mauro Campanella <campanella@mi.infn.it>,
`Roberta Canada <canada®rccn.net>, Zlatica Cekro <cekro@helios.iihe.ac.be>,
`Phil Chimento <chimento@cs.utwente.nl>, Magnus Danielson <magda@it.kth.se>,
`Vegard Engen <vegard.engen@uninett.no>, Hziana Ferrari <ferran'@infn.it>, Christoph Graf
`<christoph.graf@dante.org.uk>, Steinar Haug <sthaug@nethelp.no>, Ramin Najmabadi Kia
`<najmabadi@helios.iihe.ac.be>, Sabine Kuehn <sabine_kuehn@ibdrinftu-dresden.de>,
`Olav Kvittem <olav.kvittem@uninett.no>, Simon Leinen <simon@switch.ch>, Olivier Martin
`<omartin@dxcoms.cern.ch>, Kevin Meynell <kmeynell@terena.nl>, Paulo Neves
`<pneves@rccn.net>, Victor Reijs <victon reijs @surfnet.nl>, Celestino Tomas
`<ctomas@chico. rediris. es >, José Vilela <vilela@rccn.net>
`
`332
`
`SESSION IV
`
`Session IV-1:
`
`Liberalization and Privatization - Delivering leading edge services
`in the brave new commercial Internet world
`
`Chair:
`
`411
`
`Peter VVlntlev-Jensen, European Commission
`
`STAM - The Privatized NSFNET as a two-year old, and what US higher education
`is doing about it
`Michael Staman, <staman@cic.net>, CICnet Inc., USA
`
`Session IV-2:
`Chair:
`
`Education and the Net - A New Environment
`
`Dave Hartland, University of Newcastle Upon Tyne, United Kingdom
`
`421
`
`422
`
`423
`
`Use of Instructional Material in Universal Teleteaching Environments
`Robert Grebner <grebner@wi2.wiso.uni-erlangen.de>, University of
`Erlangen—Nuremberg, Germany
`
`Evaluation of a Network Based Learning Environment for Dermatology
`Andreas Bittorf <bittorf@derma.med.uni-erlangen.de>, Thomas L Diepgen
`<diepgen@denna.med.uni-erlangen.de>, University of Erlangen, Germany
`
`The Internet - Networking and the Humanities
`Barton D. Thurber <thurber@acusd.edu>, Jack Pope <pope@acusd edu>,
`University of San Diego, USA
`
`Session IV-3:
`Chair:
`
`Digital Signature Applications
`Wolfgang Schneider, GMD Darmstadt, Germany
`
`431
`
`432
`
`433
`
`A BAKO Extension Proposal
`Petra Glockner <gloeckner@gmd.de>, Stephan Kalletzki <kolletzki@gmd.de>,
`Michael Wichert <wichert@gmd.de>, GMD Darmstadt, Germany
`
`Providing Security to the Building Licenses Delivering Process in the City of Ton'no
`Antonio Lioy <lioy @polito.it>, Fabio Maino <maino @polito.it>, Politecnico di Torino,
`Italy
`
`The Digital Signature Initiative
`Peter Lipp <plipp@iaik tu-graz.ac.at>, University of Technology Graz, Austria
`
`411
`
`421
`
`422
`
`423
`
`431
`
`432
`
`433
`
`

`

`
`
`JENC8Proceedings May 1997
`
`
`
`SESSION V
`
`Session V-2:
`
`Chair:
`
`Network Developments in the Former Soviet Union and
`Eastern Europe
`Dave Probert, Digital Equipment Corporation, United Kingdom
`
`521
`
`NATO’s Contribution to Computer Networking in Central and Eastern Europe and
`in the Former Soviet Union
`
`Jean-Paul Nadreau <nadreau@qbc.clic.net>, NATO, Canada
`
`522
`
`523
`
`Current Tendencies in Russian Academic and Research Network Development
`at the National and Regional Levels
`A.S. Mendkovich <asm@free.net>, Russian Academy of Sciences. A]. Rusakov
`<alex@free.net>, 1.73 McCormick <jmccor@yars.free.net>, MN. Zakharova,
`P.G. Demidov Yarosalvl State University, Russian Federation
`
`Siberia: Putting the Virgin Lands to the Internet Plough
`S.D. Belov <belov@inp.nsk.su>, S.Vf Bredikhin <bred@c0mcen.nsk.su>, S.P. Kovalyov
`<kovalyov@inp.nsk.su>, S.A. Kulagin <rtgroup®iae.nsk.su>, S.L. Musher <musher@nsc.ru>,
`V.S. Nikultzev <nik@scnet.nsk.su>, N. G. Scherbakova <scherbakova@iae.nsk.su>,
`I.V. Shabalnikov <igor@ iis.nsk.su>, Yu.I. Shokin <shokin@scnet.nsk.su>,
`Siberian Branch of the Russian Academy of Sciences, Russian Federation
`
`524 Networks Development in the Ural Region: the Ekaterinburg integrated project
`Konstantin E. Lovtsky <Konstantin.Lovtsky@usu.ru>, Sergei V. Sleptsov
`<Sergei.Sleptsov@usu.ru>, Vladimir E. Tretyakov <Vladimir. Tretyakov@usu.ru>,
`Ural State University, Russia
`
`525 Minsk Internet Project: Results and Perspectives
`Nikolay Listopad <listopad@nil.minedu.minsk.by>, Computer and Analytical
`Center of Ministry of Education, Sergei Kritsky <kritsky@cacedu.minsk by>,
`Belarussian State University ofInformatics and Radioelectronics, Igor Tavgen
`<itavgen@bsf. minsk.by>, Belorussian Soros Foundation, Sergey Ivanov
`<listopad@cacedu.minsk.by>, SOLIDEX PI Ltd, Minsk, Belarus, Slava Shkarupin
`<slava@sunone.isfkiev.ua>, Open Society Institute, Kiev Regional Office, Kiev,
`Ukraine, Ilya Mafier <ilya@soros.org>, Open Society Institute, New York, USA
`
`526
`
`527
`
`Synergy in Cyberspace and a New Networking Landscape: Telenetics Approach
`Vladimir Zaborovski <vlad@neva.ru>, Yuri Podgurski <p0dg@neva.ru>,
`RTC Institute, Yuri Shemanin <yuri@stu.neva.ru>, Vasili Semyonovski
`<swb@stu.neva.ru>, Andrey Vasiliev <wa@stu.neva.ru>, Technical Univesity
`of Saint-Petersburg, Russia
`
`RUSLANet - Intemet—Aware Library System in Russia (St Petersburg)
`Alexander Plemnek, <plm@unilib.unilib.nevaru>, Natalia Sokolova,
`<natalia@unilib.unilib.neva.ru>, Vladimir Baranov, ,<barvl@unilib.unilib.neva.ru>,
`St Petersburg State Technical University, Russia
`
`SESSION VII
`
`Session VII-1:
`Chair:
`
`Secure Commercial Applications
`Harald T. Alvestrand, UNINE'I'I‘ A/S, Norway
`
`711
`
`Applying Military Grade Security to the Internet
`C I Dalton <cid@hplb.hpl.hp.com>, J F Grifi‘in <jfg@hplb.hpl.hp.com>,
`Hewlett-Packard Laboratories, United Kingdom
`
`521
`
`522
`
`523
`
`524
`
`525
`
`526
`
`527
`
`711
`
`

`

`
`
` Proceedings JFJ‘ICS May 1997
`
`
`
`712 Architecture and Design of a Secure Electronic Marketplace
`Matthias Schunter <schunter@acm.org>, University of Hildesheim, Germany,
`Michael Waidner <wmi@zurich.ibm.com>, IBM Zurich Research Lab., Switzerland
`
`713
`
`Properties of Secure Transaction Protocols
`Douglas H. Steves <dhs@cs.utexas.edu>, Chris Edmondson-Yurkanan
`<dragon@cs.utexas.edu>, Mohamed Gouda <gouda@cs.utexas.edu>,
`The University of Texas at Austin, USA
`
`Session VII-2: About Plain Old Email
`
`Chair:
`
`Urs Eppenberger, S WI I CH, Switzerland
`
`721
`
`722
`
`The Email Infrastructure in Europe Today
`Claudio Allocchio <Claudio.Allocchi0@elettra.trieste.it>, Sincrotrone Trieste, Italy
`
`IMAP Servers: What Differentiates Standards-Based Messaging Systems?
`Lee Levitt <Lee.Levitt@software.com>, Donald Livengood
`<Donald.Livengood@software.com), Andrew MacFarlane
`<Andrew.MacFarlane@software.com>, Softwarecom, USA
`
`723 W3Gate - The Service
`
`Manfred Bogen <Manfred.Bogen@gmd.de>, Guido Hansen
`<Guido.Hansen@gmdde>, Michael Lenz <Michael.Lenz@gmd.de>,
`GMD Sankt Augustin, Germany
`
`SESSION VIII
`
`Session VIII-1: The Role of Cryptography in a Networked World
`Chair:
`Bernhard Plattner, ETH Zurich, Switzerland
`
`811
`
`Crypto Regulation in Europe - some key trends and issues
`Bert-Jaap Koops <e.j.koops@kub.nl>, Tilburg University, The Netherlands
`
`Session VIII-2: Education and the Net - Cooperative and Distance Learning
`Chair:
`Antoine Barthel, RESTENA, Luxembourg
`
`821
`
`822
`
`823
`
`An Interactive Distance Education Service Utilising the World Mde Web -
`a preliminary study
`Nicolas Hine <nhine@mic.dundee.ac.uk> , W. Beattie, J.L. Amott, A. McKinlay,
`University of Dundee, United Kingdom, M. Kravcik <kravcik@dent. ii.fmph. uniba.sk>,
`A. Bebjak, L. Moravcikova, Comenius University, Slovakia, A. Arato
`<ARATO@IIF.KFKI.HU>, J. Tolgyesi, R Giese, B. Blasovszky, KFKI, Hungary,
`EP. Seiler <seiler@ps3.iaee.tuwien.ac.at>, Vienna University of Technology, Austria
`
`Cooperative and Contributive Learning - the real choice to push professional
`education in Networking Information Technologies in Ukraine and CIS
`Yuri Demchenko <demch@cad.ntu-kpi.kiev. ua>, Kiev Polytechnic Institute, Ukraine
`
`Support, Training and Continued Education for Electronic Joumals in
`Physics Research Networks 823
`Anne Dixon <anne.dixon @ioppublishing.ca.uk>, Institute ofPhysics
`Publishing - Bristol, UK
`
`712
`
`713
`
`721
`
`722
`
`723
`
`811
`
`821
`
`822
`
`823
`
`vrfi
`
`wev—u-wwv‘v‘
`
`
`
`>——~o~myA«Aw—o‘wvmA
`
`

`

`
`
` Proceedings JENC8 May 1997
`
`
`
`SESSION IX
`
`Session IX-2:
`Chair:
`
`On Video Conferencing
`George Howat, University of Edinburgh, Scotland
`
`921
`
`Scalable Video Transmission for the Internet
`
`Uwe Horn <uhorn@nt.e-technik. uni-erlangen.de>, Bernd Girod
`<girod@nt.e—technik.uni-erlangen.de>, University of Erlangen-Nuremberg,
`Germany
`
`922 Desktop Video: Building Large-Scale Services with Incompatible Products
`Manfred Bogen <manfred.bogen@gmd.de>, Christian Bonkowski
`<christian.bonkowski@gmd.de>, Richard Rodriguez-Val <richard.rodriguez@gmd.de>,
`Clemens Wermelskirchen <clemens.wemtelskirchen@gmd.de>, GMD SanktAugustin,
`Germany
`
`923
`
`Recent Activities in the MERCI Conferencing Project
`Peter TKirstein <P.Kirstein@cs.ucl.ac.uk>, Roy Bennett
`<R.Bennett@cs.ucl.ac.uk>, University College London, United Kingdom
`
`Session IX-3:
`Chair:
`
`Network Management
`Thomas Walter, ETH Zurich, Switzerland
`
`931 Network Management by Delegation - From Research Prototypes Towards Standards
`Juergen Schonwalder <schoenw@ cs. utwente.nl>, University of Twente,
`The Netherlands
`
`932 Management by Delegation in ISDN-based Remote Access Environments
`Udo Payer <upayer@iaik.tu-graz.ac.at>, Herbert Leitold
`<hleitold@ iaik.tu-graz.ac.at>, Reinhard Posch <rposch@iaik.tu-graz,ac.at>,
`University of Technology Graz, Austria
`
`933
`
`Java-based Mobile Intelligent Agents as Network Management Solutions
`Tianning Zhang <zhang @fokus.gmd.de>, Stefan Covaci <covaci@fokus.gmd.de>,
`GMD F0KUS, Germany
`
`921
`
`922
`
`923
`
`931
`
`932
`
`933
`
`

`

`Applying Military Grade Security to the Internet
`(cid:223)(cid:176)(cid:176)·§•†„ (cid:211)•·•‹¿fi§ (cid:217)fi¿…» ˝»‰«fi•‹§ ‹– ‹‚» (cid:215)†‹»fi†»‹
`
`Proceedings JENCS
`—fi–‰»»…•†„› (cid:214)(cid:219)(cid:210)(cid:221)Ł
`
`Dalton, Griffin
`(cid:220)¿·‹–†(cid:244) (cid:217)fi•””•†
`
`(cid:223)(cid:176)(cid:176)·§•†„ (cid:211)•·•‹¿fi§ (cid:217)fi¿…» ˝»‰«fi•‹§ ‹– ‹‚» (cid:215)†‹»fi†»‹
`Applying Military Grade Security to the Internet
`
`(cid:221)(cid:242) (cid:215)(cid:242) (cid:220)¿·‹–† (cid:228)‰•…(cid:224)‚(cid:176)·(cid:190)(cid:242)‚(cid:176)·(cid:242)‚(cid:176)(cid:242)‰–‡(cid:226)
`C. I. Dalton <cid@hplb.hpl.hp.com>
`
`(cid:214)(cid:242) (cid:218)(cid:242) (cid:217)fi•””•† (cid:228)¶”„(cid:224)‚(cid:176)·(cid:190)(cid:242)‚(cid:176)·(cid:242)‚(cid:176)(cid:242)‰–‡(cid:226)
`J. F. Giiffm <jfg@hplb.hpl.hp.com>
`
`Abstract
`(cid:223)(cid:190)›‹fi¿‰‹
`
`The explosive growth witnessed in the Internet
`(cid:204)‚» »¤(cid:176)·–›•“»„fi–'‹‚'•‹†»››»…•†‹‚»(cid:215)†‹»fi†»‹
`over the lastfew years has encouraged companies to
`–“»fi‹‚»·¿›‹ ”»'§»¿fi›‚¿›»†‰–«fi¿„»…‰–‡(cid:176)¿†•»›‹–
`connect to it and to ofler services to their customers
`‰–††»‰‹ ‹–•‹¿†…‹– –””»fi ›»fi“•‰»›‹–‹‚»•fi‰«›‹–‡»fi›
`over it. Concerns about security are holding them
`–“»fi•‹(cid:242)(cid:221)–†‰»fi†›¿(cid:190)–«‹›»‰«fi•‹§¿fi»‚–·…•†„‹‚»‡
`backfrom all but the most restrictive connectivity.
`(cid:190)¿‰(cid:181) ”fi–‡ ¿·· (cid:190)«‹ ‹‚» ‡–›‹ fi»›‹fi•‰‹•“» ‰–††»‰‹•“•‹§(cid:242)
`
`This paper explores
`the use of a military
`(cid:204)‚•›(cid:176)¿(cid:176)»fi»¤(cid:176)·–fi»›‹‚»«›»–”¿‡•·•‹¿fi§
`development,
`the
`Compartmented
`Mode
`…»“»·–(cid:176)‡»†‹(cid:244)
`‹‚»
`(cid:221)–‡(cid:176)¿fi‹‡»†‹»…
`(cid:211)–…»
`Workstation,
`in a commercial setting, as a plaflorm
`(cid:201)–fi(cid:181)›‹¿‹•–†(cid:244)•† ¿ ‰–‡‡»fi‰•¿·›»‹‹•†„(cid:244)¿›¿ (cid:176)·¿‹”–fi‡
`that is secure enough to implement services that are
`‹‚¿‹ •› ›»‰«fi» »†–«„‚‹–•‡(cid:176)·»‡»†‹›»fi“•‰»›‹‚¿‹¿fi»
`accessed over the Internet. Two applications have
`¿‰‰»››»… –“»fi‹‚»(cid:215)†‹»fi†»‹(cid:242)(cid:204)'– ¿(cid:176)(cid:176)·•‰¿‹•–†›‚¿“»
`been investigated in detail, a firewalled Domain
`(cid:190)»»†•†“»›‹•„¿‹»…•† …»‹¿•·(cid:244) ¿”•fi»'¿··»…(cid:220)–‡¿•†
`Name System and a World Wide Web service with
`(cid:210)¿‡»˝§›‹»‡¿†… ¿ (cid:201)–fi·…(cid:201)•…»(cid:201)»(cid:190)›»fi“•‰»'•‹‚
`enhanced authentication.
`Finally,
`there
`is
`»†‚¿†‰»… ¿«‹‚»†‹•‰¿‹•–†(cid:242)
`(cid:218)•†¿··§(cid:244)‹‚»fi»
`•›
`discussion of how other Internet-based services
`…•›‰«››•–† –”‚–'–‹‚»fi(cid:215)†‹»fi†»‹(cid:243)(cid:190)¿›»…›»fi“•‰»›
`might benefit
`from the
`application of CMW
`‡•„‚‹(cid:190)»†»”•‹ ”fi–‡
`‹‚» ¿(cid:176)(cid:176)·•‰¿‹•–† –”
`(cid:221)(cid:211)(cid:201)
`technology.
`‹»‰‚†–·–„§(cid:242)
`
`This work was carried out as part of the EZS
`(cid:204)‚•›'–fi(cid:181)'¿›‰¿fifi•»… –«‹¿›(cid:176)¿fi‹–” ‹‚»(cid:219)(cid:238)˝
`project
`in
`the European
`IVth
`Framework
`(cid:176)fi–¶»‰‹ •†
`‹‚» (cid:219)«fi–(cid:176)»¿†
`(cid:215)˚‹‚
`(cid:218)fi¿‡»'–fi(cid:181)
`Programme, ITRTD Project No. 20.563.
`—fi–„fi¿‡‡»(cid:244) (cid:215)(cid:204) ˛(cid:204)(cid:220) —fi–¶»‰‹ (cid:210)–(cid:242) (cid:238)(cid:240)(cid:242)ºŒ(cid:237)(cid:242)
`
`I. Introduction
`(cid:215)(cid:242) (cid:215)†‹fi–…«‰‹•–†
`
`The business community has not been slow in
`(cid:204)‚»(cid:190)«›•†»››‰–‡‡«†•‹§ ‚¿›†–‹(cid:190)»»†›·–'•†
`recognising
`the
`potentially
`vast
`commercial
`fi»‰–„†•›•†„
`‹‚»
`(cid:176)–‹»†‹•¿··§ “¿›‹
`‰–‡‡»fi‰•¿·
`opportunities created by the remarkable growth in
`–(cid:176)(cid:176)–fi‹«†•‹•»›‰fi»¿‹»… (cid:190)§ ‹‚»fi»‡¿fi(cid:181)¿(cid:190)·»„fi–'‹‚•†
`the Internet. Further, many businesses View Internet
`‹‚»(cid:215)†‹»fi†»‹(cid:242)(cid:218)«fi‹‚»fi(cid:244)‡¿†§ (cid:190)«›•†»››»›“•»'(cid:215)†‹»fi†»‹
`based e-commerce as critical
`to their long term
`(cid:190)¿›»…»(cid:243)‰–‡‡»fi‰» ¿›‰fi•‹•‰¿· ‹–‹‚»•fi·–†„‹»fi‡
`survival. The fimdamentally insecure nature of the
`›«fi“•“¿·(cid:242)(cid:204)‚»”«†…¿‡»†‹¿··§•†›»‰«fi»†¿‹«fi»–”‹‚»
`Internet is, however, proving to be a limiting factor
`(cid:215)†‹»fi†»‹ •›(cid:244)‚–'»“»fi(cid:244)(cid:176)fi–“•†„‹– (cid:190)» ¿ ·•‡•‹•†„”¿‰‹–fi
`in allowing the maximum exploitation of these new
`•†¿··–'•†„‹‚»‡¿¤•‡«‡»¤(cid:176)·–•‹¿‹•–† –”‹‚»›»†»'
`found electronic markets.
`”–«†… »·»‰‹fi–†•‰ ‡¿fi(cid:181)»‹›(cid:242)
`
`Over the last three decades, military agencies
`(cid:209)“»fi‹‚»·¿›‹ ‹‚fi»»…»‰¿…»›(cid:244)‡•·•‹¿fi§¿„»†‰•»›
`have spent considerable amounts of fimding on
`‚¿“»›(cid:176)»†‹‰–†›•…»fi¿(cid:190)·» ¿‡–«†‹›–” ”«†…•†„ –†
`research and development of computer security,
`fi»›»¿fi‰‚¿†… …»“»·–(cid:176)‡»†‹–”‰–‡(cid:176)«‹»fi›»‰«fi•‹§(cid:244)
`ever anxious to find ways of guaranteeing secure
`»“»fi¿†¤•–«›‹–”•†…'¿§›–”„«¿fi¿†‹»»•†„›»‰«fi»
`electronic communication across their own private
`»·»‰‹fi–†•‰ ‰–‡‡«†•‰¿‹•–†¿‰fi–››‹‚»•fi–'† (cid:176)fi•“¿‹»
`networks. With the current desperate commercial
`†»‹'–fi(cid:181)›(cid:242)(cid:201)•‹‚‹‚» ‰«fifi»†‹…»›(cid:176)»fi¿‹» ‰–‡‡»fi‰•¿·
`need for network security, it would seem obvious to
`†»»…”–fi†»‹'–fi(cid:181)›»‰«fi•‹§(cid:244)•‹'–«·…›»»‡–(cid:190)“•–«›‹–
`look at ways of applying the military generated
`·––(cid:181)¿‹'¿§›–”¿(cid:176)(cid:176)·§•†„‹‚»‡•·•‹¿fi§ „»†»fi¿‹»…
`technology in the Internet arena.
`‹»‰‚†–·–„§ •† ‹‚» (cid:215)†‹»fi†»‹ ¿fi»†¿(cid:242)
`
`In this paper we present
`the results of our
`(cid:215)†‹‚•›(cid:176)¿(cid:176)»fi'»(cid:176)fi»›»†‹ ‹‚»fi»›«·‹›–”–«fi
`investigation into the use of one particular military
`•†“»›‹•„¿‹•–†•†‹–‹‚»«›»–”–†»(cid:176)¿fi‹•‰«·¿fi‡•·•‹¿fi§
`
`development, Compartmented Mode Workstation
`…»“»·–(cid:176)‡»†‹(cid:244)(cid:221)–‡(cid:176)¿fi‹‡»†‹»…(cid:211)–…»(cid:201)–fi(cid:181)›‹¿‹•–†
`(CMW)[l],
`in a role as an application gateway
`ł(cid:221)(cid:211)(cid:201)(cid:247)¯(cid:239)ˆ(cid:244)•†¿fi–·» ¿›¿†¿(cid:176)(cid:176)·•‰¿‹•–† „¿‹»'¿§
`situated between internal systems and the Internet.
`›•‹«¿‹»… (cid:190)»‹'»»†•†‹»fi†¿·›§›‹»‡›¿†…‹‚»(cid:215)†‹»fi†»‹(cid:242)
`We
`describe
`scenarios where
`use of CMW
`(cid:201)»
`…»›‰fi•(cid:190)»
`›‰»†¿fi•–›'‚»fi»
`«›»
`–” (cid:221)(cid:211)(cid:201)
`technology in this role can be advantagous, creating
`‹»‰‚†–·–„§•†‹‚•›fi–·» ‰¿† (cid:190)» ¿…“¿†‹¿„–«›(cid:244)‰fi»¿‹•†„
`a firewalled Domain Name System service and
`¿”•fi»'¿··»…(cid:220)–‡¿•†(cid:210)¿‡»˝§›‹»‡›»fi“•‰» ¿†…
`providing enhanced authentication of World Wide
`(cid:176)fi–“•…•†„»†‚¿†‰»…¿«‹‚»†‹•‰¿‹•–† –”(cid:201)–fi·…(cid:201)•…»
`Web services. We end with a discussion of how
`(cid:201)»(cid:190)›»fi“•‰»›(cid:242)(cid:201)» »†…'•‹‚¿…•›‰«››•–† –”‚–'
`other Internet based services might benefit from the
`–‹‚»fi (cid:215)†‹»fi†»‹(cid:190)¿›»…›»fi“•‰»›‡•„‚‹(cid:190)»†»”•‹”fi–‡‹‚»
`application of this technology.
`¿(cid:176)(cid:176)·•‰¿‹•–† –” ‹‚•› ‹»‰‚†–·–„§(cid:242)
`
`(cid:215)(cid:215)(cid:242) (cid:204)‚» (cid:221)–‡(cid:176)¿fi‹‡»†‹»… (cid:211)–…»
`II. The Compartmented Mode
`Workstation
`(cid:201)–fi(cid:181)›‹¿‹•–†
`
`The Compartmented Mode Workstation was
`(cid:204)‚»(cid:221)–‡(cid:176)¿fi‹‡»†‹»…(cid:211)–…»(cid:201)–fi(cid:181)›‹¿‹•–†'¿›
`originally developed for military and government
`–fi•„•†¿··§ …»“»·–(cid:176)»…”–fi‡•·•‹¿fi§¿†… „–“»fi†‡»†‹
`use
`according to the CMWEC criteria[2]
`for
`«›» ¿‰‰–fi…•†„
`‹– ‹‚» (cid:221)(cid:211)(cid:201)(cid:219)(cid:221) ‰fi•‹»fi•¿¯(cid:238)ˆ ”–fi
`evaluating trusted systems. The CMW class is an
`»“¿·«¿‹•†„‹fi«›‹»…›§›‹»‡›(cid:242)(cid:204)‚»
`(cid:221)(cid:211)(cid:201) ‰·¿››•›¿†
`entirely separate but related set of criteria to the
`»†‹•fi»·§›»(cid:176)¿fi¿‹»(cid:190)«‹fi»·¿‹»…›»‹–”‰fi•‹»fi•¿‹–‹‚»
`more familiar Orange Book criteria[3].
`In Orange
`‡–fi»”¿‡•·•¿fi(cid:209)fi¿†„»(cid:222)––(cid:181)‰fi•‹»fi•¿¯(cid:237)ˆ(cid:242)(cid:215)†(cid:209)fi¿†„»
`Book terms, CMW has all of the B1 level security
`(cid:222)––(cid:181)‹»fi‡›(cid:244) (cid:221)(cid:211)(cid:201) ‚¿›¿··–”‹‚»(cid:222)(cid:239)·»“»·›»‰«fi•‹§
`features, and includes a number of B2 and B3
`”»¿‹«fi»›(cid:244)¿†…•†‰·«…»›¿†«‡(cid:190)»fi–”(cid:222)(cid:238)¿†…(cid:222)(cid:237)
`features. A number of the CMW features are relevant
`”»¿‹«fi»›(cid:242)(cid:223)†«‡(cid:190)»fi–”‹‚»
`(cid:221)(cid:211)(cid:201) ”»¿‹«fi»›¿fi»fi»·»“¿†‹
`to
`Internet
`firewalls/application
`gateways,
`in
`‹–
`(cid:215)†‹»fi†»‹”•fi»'¿··›æ¿(cid:176)(cid:176)·•‰¿‹•–† „¿‹»'¿§›(cid:244)•†
`particular, mandatory
`access
`control
`(MAC);
`(cid:176)¿fi‹•‰«·¿fi(cid:244)‡¿†…¿‹–fi§
`¿‰‰»››
`‰–†‹fi–·
`ł(cid:211)(cid:223)(cid:221)(cid:247)(cid:229)
`discretionary access
`control
`(DAC);
`privileges;
`…•›‰fi»‹•–†¿fi§ ¿‰‰»››‰–†‹fi–·
`ł (cid:220)(cid:223)(cid:221)(cid:247)(cid:229)(cid:176)fi•“•·»„»›(cid:229)
`command authorizations; audit.
`‰–‡‡¿†… ¿«‹‚–fi•ƒ¿‹•–†›(cid:229) ¿«…•‹(cid:242)
`
`The combination of these security features
`(cid:204)‚» ‰–‡(cid:190)•†¿‹•–† –”‹‚»›»›»‰«fi•‹§”»¿‹«fi»›
`makes CMW especially suitable as an application
`‡¿(cid:181)»› (cid:221)(cid:211)(cid:201) »›(cid:176)»‰•¿··§›«•‹¿(cid:190)·» ¿›¿†¿(cid:176)(cid:176)·•‰¿‹•–†
`gateway. Some features make it easier to administer
`„¿‹»'¿§(cid:242)˝–‡»”»¿‹«fi»›‡¿(cid:181)»•‹»¿›•»fi‹–¿…‡•†•›‹»fi
`and maintain the gateway machine in a secure state
`¿†…‡¿•†‹¿•†‹‚»„¿‹»'¿§‡¿‰‚•†»•†¿›»‰«fi»›‹¿‹»
`and to detect attempts at attack:
`the detailed
`¿†…‹– …»‹»‰‹¿‹‹»‡(cid:176)‹›¿‹¿‹‹¿‰(cid:181)(cid:230) ‹‚»…»‹¿•·»…
`auditing,
`the
`command authorizations
`allowing
`¿«…•‹•†„(cid:244)‹‚» ‰–‡‡¿†…¿«‹‚–fi•ƒ¿‹•–†›¿··–'•†„
`separation of duty and retirement of the root
`›»(cid:176)¿fi¿‹•–† –”…«‹§¿†…fi»‹•fi»‡»†‹–”‹‚»fi––‹
`account, and the trusted execution path combating
`¿‰‰–«†‹(cid:244)¿†…‹‚»‹fi«›‹»…»¤»‰«‹•–† (cid:176)¿‹‚‰–‡(cid:190)¿‹•†„
`Trojan horses. Other features make it possible to
`(cid:204)fi–¶¿† ‚–fi›»›(cid:242)(cid:209)‹‚»fi ”»¿‹«fi»›‡¿(cid:181)»•‹(cid:176)–››•(cid:190)·»‹–
`build and run applications securely:
`MAC and
`(cid:190)«•·…¿†…fi«†¿(cid:176)(cid:176)·•‰¿‹•–†› ›»‰«fi»·§(cid:230)
`(cid:211)(cid:223)(cid:221) ¿†…
`privileges in particular. This section explains these
`(cid:176)fi•“•·»„»›•† (cid:176)¿fi‹•‰«·¿fi(cid:242)(cid:204)‚•› ›»‰‹•–†»¤(cid:176)·¿•†›‹‚»›»
`security features;
`the remainder of this paper
`›»‰«fi•‹§”»¿‹«fi»›(cid:229) ‹‚»fi»‡¿•†…»fi–”‹‚•›(cid:176)¿(cid:176)»fi
`concentrates on the use of these features to develop
`‰–†‰»†‹fi¿‹»›–†‹‚»«›»–”‹‚»›»”»¿‹«fi»›‹– …»“»·–(cid:176)
`applications to run securely on CMW while providing
`¿(cid:176)(cid:176)·•‰¿‹•–†›‹–fi«†›»‰«fi»·§ –† (cid:221)(cid:211)(cid:201) '‚•·»(cid:176)fi–“•…•†„
`access from the Internet to sensitive resources and
`¿‰‰»››”fi–‡‹‚»(cid:215)†‹»fi†»‹ ‹–›»†›•‹•“»fi»›–«fi‰»›¿†…
`information.
`•†”–fi‡¿‹•–†(cid:242)
`
`711-1 (Session VII-1, lSt paper)
`Ø(cid:239)(cid:239)(cid:243)(cid:239) ł˝»››•–† ˚(cid:215)(cid:215)(cid:243)(cid:239)(cid:244) (cid:239) ›‹ (cid:176)¿(cid:176)»fi(cid:247)
`
`

`

`Applying Military Grade Security to the Internet
`(cid:223)(cid:176)(cid:176)·§•†„ (cid:211)•·•‹¿fi§ (cid:217)fi¿…» ˝»‰«fi•‹§ ‹– ‹‚» (cid:215)†‹»fi†»‹
`
`Proceedings JENCS
`—fi–‰»»…•†„› (cid:214)(cid:219)(cid:210)(cid:221)Ł
`
`Dalton, Griffin
`(cid:220)¿·‹–†(cid:244) (cid:217)fi•””•†
`
`a process tries to make a system call which could in
`¿(cid:176)fi–‰»››‹fi•»›‹–‡¿(cid:181)» ¿ ›§›‹»‡‰¿··'‚•‰‚‰–«·…•†
`some way compromise security. There is a total of
`›–‡»'¿§‰–‡(cid:176)fi–‡•›»›»‰«fi•‹§(cid:242)(cid:204)‚»fi»•›¿‹–‹¿·–”
`approximately 50 different privileges, ranging from
`¿(cid:176)(cid:176)fi–¤•‡¿‹»·§ º(cid:240) …•””»fi»†‹(cid:176)fi•“•·»„»›(cid:244)fi¿†„•†„”fi–‡
`fairly harmless to very dangerous.
`”¿•fi·§ ‚¿fi‡·»›› ‹– “»fi§ …¿†„»fi–«›(cid:242)
`
`Some of the most dangerous privileges are those
`˝–‡»–”‹‚»‡–›‹…¿†„»fi–«›(cid:176)fi•“•·»„»›¿fi»‹‚–›»
`which allow a process to override the MAC, and
`'‚•‰‚¿··–'¿(cid:176)fi–‰»››‹– –“»fifi•…»‹‚»
`(cid:211)(cid:223)(cid:221)(cid:244)¿†…
`these must be carefully granted to allow selected
`‹‚»›»‡«›‹(cid:190)» ‰¿fi»”«··§ „fi¿†‹»…‹–¿··–'›»·»‰‹»…
`traffic to cross the firewall. For safety, we grant
`‹fi¿””•‰‹–‰fi–››‹‚»”•fi»'¿··(cid:242)(cid:218)–fi›¿”»‹§(cid:244)'»„fi¿†‹
`privileges only to small relay programs which are
`(cid:176)fi•“•·»„»›–†·§‹–›‡¿··fi»·¿§ (cid:176)fi–„fi¿‡›'‚•‰‚¿fi»
`specially designed and carefully reviewed. These
`›(cid:176)»‰•¿··§ …»›•„†»…¿†…‰¿fi»”«··§fi»“•»'»…(cid:242)(cid:204)‚»›»
`'trusted' programs
`allow information to cross
`ø‹fi«›‹»…ø(cid:176)fi–„fi¿‡›¿··–'
`•†”–fi‡¿‹•–† ‹– ‰fi–››
`compartment boundaries, so that large pro-existing
`‰–‡(cid:176)¿fi‹‡»†‹(cid:190)–«†…¿fi•»›(cid:244)›–‹‚¿‹ ·¿fi„»(cid:176)fi»(cid:243)»¤•›‹•†„
`applications can be safely accessed from sensitivity
`¿(cid:176)(cid:176)·•‰¿‹•–†›‰¿† (cid:190)»›¿”»·§¿‰‰»››»…”fi–‡›»†›•‹•“•‹§
`levels other than their own. The trusted programs
`·»“»·›–‹‚»fi‹‚¿†‹‚»•fi–'†(cid:242)(cid:204)‚»‹fi«›‹»… (cid:176)fi–„fi¿‡›
`must follow the 'least privilege' principle:
`they raise
`‡«›‹”–··–'‹‚»ø·»¿›‹(cid:176)fi•“•·»„»ø(cid:176)fi•†‰•(cid:176)·»(cid:230) ‹‚»§fi¿•›»
`a privilege only while it is needed for a particular
`¿(cid:176)fi•“•·»„»–†·§'‚•·»•‹ •›†»»…»…”–fi¿(cid:176)¿fi‹•‰«·¿fi
`operation and lower it again immediately afterwards.
`–(cid:176)»fi¿‹•–† ¿†… ·–'»fi •‹ ¿„¿•† •‡‡»…•¿‹»·§ ¿”‹»fi'¿fi…›(cid:242)
`
`to
`
`II.D Command Authorizations
`(cid:215)(cid:215)(cid:242)(cid:220) (cid:221)–‡‡¿†… (cid:223)«‹‚–fi•ƒ¿‹•–†›
`Command authorizations
`are
`the
`sisters
`(cid:221)–‡‡¿†…¿«‹‚–fi•ƒ¿‹•–†›¿fi»‹‚»›•›‹»fi›‹–
`privileges.
`They are given to users, whereas
`(cid:176)fi•“•·»„»›(cid:242)
`(cid:204)‚»§¿fi»„•“»†‹– «›»fi›(cid:244)'‚»fi»¿›
`privileges are granted to programs. Authorizations
`(cid:176)fi•“•·»„»›¿fi»„fi¿†‹»…‹– (cid:176)fi–„fi¿‡›(cid:242)(cid:223)«‹‚–fi•ƒ¿‹•–†›
`allow control over which users are allowed to
`¿··–'‰–†‹fi–·–“»fi'‚•‰‚ «›»fi›¿fi» ¿··–'»…‹–
`invoke which trusted programs.
`By allocating
`•†“–(cid:181)»'‚•‰‚‹fi«›‹»… (cid:176)fi–„fi¿‡›(cid:242)
`(cid:222)§¿··–‰¿‹•†„
`different sets of authorizations to different users, we
`…•””»fi»†‹›»‹›–”¿«‹‚–fi•ƒ¿‹•–†›‹– …•””»fi»†‹«›»fi›(cid:244)'»
`can achieve separation of duties. No single user has
`‰¿†¿‰‚•»“»›»(cid:176)¿fi¿‹•–† –”…«‹•»›(cid:242)(cid:210)–›•†„·»«›»fi‚¿›
`absolute control of the system; rather there are a
`¿(cid:190)›–·«‹» ‰–†‹fi–·–”‹‚»›§›‹»‡(cid:229)fi¿‹‚»fi‹‚»fi» ¿fi» ¿
`number of administrative roles with complementary
`†«‡(cid:190)»fi–”¿…‡•†•›‹fi¿‹•“»fi–·»›'•‹‚‰–‡(cid:176)·»‡»†‹¿fi§
`powers.
`(cid:176)–'»fi›(cid:242)
`
`II.E Audit
`(cid:215)(cid:215)(cid:242)(cid:219) (cid:223)«…•‹
`
`The trusted kernel audits
`system calls, and
`(cid:204)‚»‹fi«›‹»… (cid:181)»fi†»·¿«…•‹› ›§›‹»‡‰¿··›(cid:244)¿†…
`trusted applications can audit
`their own actions
`‹fi«›‹»…¿(cid:176)(cid:176)·•‰¿‹•–†›‰¿†¿«…•‹ ‹‚»•fi–'†¿‰‹•–†›
`using a standard auditing subsystem interface. This
`«›•†„¿›‹¿†…¿fi…¿«…•‹•†„›«(cid:190)›§›‹»‡•†‹»fi”¿‰»(cid:242)(cid:204)‚•›
`auditing cannot be overridden without
`special
`¿«…•‹•†„‰¿††–‹(cid:190)»–“»fifi•……»†'•‹‚–«‹›(cid:176)»‰•¿·
`privilege.
`It will normally be configured to log any
`(cid:176)fi•“•·»„»(cid:242)(cid:215)‹'•··†–fi‡¿··§ (cid:190)» ‰–†”•„«fi»…‹–·–„¿†§
`access denial or
`insufficient privilege
`for
`an
`¿‰‰»››…»†•¿·–fi•†›«””•‰•»†‹(cid:176)fi•“•·»„»”–fi¿†
`attempted operation. Trusted programs can log their
`¿‹‹»‡(cid:176)‹»… –(cid:176)»fi¿‹•–†(cid:242)(cid:204)fi«›‹»… (cid:176)fi–„fi¿‡›‰¿†·–„‹‚»•fi
`actions directly in an easily understood form, so an
`¿‰‹•–†›…•fi»‰‹·§•†¿†»¿›•·§ «†…»fi›‹––…”–fi‡(cid:244)›–¿†
`administrator can track any suspicious behaviour
`¿…‡•†•›‹fi¿‹–fi‰¿†‹fi¿‰(cid:181)¿†§›«›(cid:176)•‰•–«›(cid:190)»‚¿“•–«fi
`involving
`overriding MAC without having to
`•†“–·“•†„ –“»fifi•…•†„
`(cid:211)(cid:223)(cid:221) '•‹‚–«‹‚¿“•†„
`‹–
`decipher long sequences of system calls.
`…»‰•(cid:176)‚»fi ·–†„ ›»fl«»†‰»› –” ›§›‹»‡ ‰¿··›(cid:242)
`
`(cid:215)(cid:215)(cid:242)(cid:218) (cid:223)† (cid:219)¤¿‡(cid:176)·» (cid:221)–†”•„«fi¿‹•–†
`II.F An Example Configuration
`CMWHOST
`SYSTEM INSIDE OUTSIDE
`
`I
`l
`SYSTEM
`SYSTEM
`OUTSIDE
`INSIDE
`
`(cid:221)(cid:211)(cid:201) (cid:216)(cid:209)˝(cid:204)
`
`˝˙˝(cid:204)(cid:219)(cid:211) (cid:215)(cid:210)˝(cid:215)(cid:220)(cid:219) (cid:209)¸(cid:204)˝(cid:215)(cid:220)(cid:219)
`
`(cid:215)†‹»fi†»‹
`
`˝˙˝(cid:204)(cid:219)(cid:211)
`(cid:209)¸(cid:204)˝(cid:215)(cid:220)(cid:219)
`
`˝˙˝(cid:204)(cid:219)(cid:211)
`(cid:215)(cid:210)˝(cid:215)(cid:220)(cid:219)
`
`(cid:215)(cid:215)(cid:242)(cid:223) (cid:211)¿†…¿‹–fi§ (cid:223)‰‰»›› (cid:221)–†‹fi–·
`II.A Mandatory Access Control
`
`are
`enforced
`controls
`access
`Mandatory
`¿fi» »†”–fi‰»…
`‰–†‹fi–·›
`¿‰‰»››
`(cid:211)¿†…¿‹–fi§
`consistently by the operating system - users cannot
`‰–†›•›‹»†‹·§ (cid:190)§ ‹‚»–(cid:176)»fi¿‹•†„›§›‹»‡(cid:243)«›»fi›‰¿††–‹
`choose which information will be regulated. On
`‰‚––›»'‚•‰‚•†”–fi‡¿‹•–†'•··(cid:190)»fi»„«·¿‹»…(cid:242)(cid:209)†
`CMW all
`information has associated with it a
`(cid:221)(cid:211)(cid:201) ¿·· •†”–fi‡¿‹•–† ‚¿›¿››–‰•¿‹»…'•‹‚•‹ ¿
`sensitivity label. The sensitivity label comprises a
`›»†›•‹•“•‹§·¿(cid:190)»·(cid:242)(cid:204)‚»›»†›•‹•“•‹§·¿(cid:190)»·‰–‡(cid:176)fi•›»› ¿
`'classification' and a number of 'compartments'. The
`ø‰·¿››•”•‰¿‹•–†ø¿†…¿†«‡(cid:190)»fi–”ø‰–‡(cid:176)¿fi‹‡»†‹›ø(cid:242)(cid:204)‚»
`operating system labels files, processes and network
`–(cid:176)»fi¿‹•†„›§›‹»‡·¿(cid:190)»·›”•·»›(cid:244)(cid:176)fi–‰»››»›¿†… †»‹'–fi(cid:181)
`connections. In general, to have read access to some
`‰–††»‰‹•–†›(cid:242)(cid:215)† „»†»fi¿·(cid:244)‹– ‚¿“»fi»¿…¿‰‰»››‹–›–‡»
`data, a process must have a sensitivity label which
`…¿‹¿(cid:244)¿(cid:176)fi–‰»››‡«›‹‚¿“» ¿›»†›•‹•“•‹§·¿(cid:190)»·'‚•‰‚
`'dominates' the label of the data. A sensitivity label
`ø…–‡•†¿‹»›ø‹‚»·¿(cid:190)»·–”‹‚»…¿‹¿(cid:242)(cid:223)›»†›•‹•“•‹§·¿(cid:190)»·
`is said to dominate another when its classification is
`•› ›¿•…‹– …–‡•†¿‹» ¿†–‹‚»fi'‚»†•‹›‰·¿››•”•‰¿‹•–†•›
`higher or equal
`to the other's classification, and
`‚•„‚»fi–fi»fl«¿· ‹–‹‚»–‹‚»fiø›‰·¿››•”•‰¿‹•–†(cid:244)¿†…
`when it includes all compartments included in the
`'‚»†•‹ •†‰·«…»›¿··‰–‡(cid:176)¿fi‹‡»†‹›•†‰·«…»…•†‹‚»
`other label. For write access, a process's label must
`–‹‚»fi·¿(cid:190)»·(cid:242)(cid:218)–fi'fi•‹» ¿‰‰»››(cid:244)¿(cid:176)fi–‰»››ø›·¿(cid:190)»·‡«›‹
`exactly equal the data‘s label.
`»¤¿‰‹·§ »fl«¿· ‹‚» …¿‹¿ø› ·¿(cid:190)»·(cid:242)
`
`In practice, classification is generally used to
`(cid:215)† (cid:176)fi¿‰‹•‰»(cid:244)‰·¿››•”•‰¿‹•–†•›„»†»fi¿··§ «›»…‹–
`indicate
`how secret
`or
`sensitive
`data
`is.
`•†…•‰¿‹»
`‚–' ›»‰fi»‹
`–fi
`›»†›•‹•“»
`…¿‹¿
`•›(cid:242)
`Compartments, however, are often used to partition
`(cid:221)–‡(cid:176)¿fi‹‡»†‹›(cid:244)‚–'»“»fi(cid:244)¿fi»–”‹»† «›»…‹– (cid:176)¿fi‹•‹•–†
`data so that access to separate sets of data is given to
`…¿‹¿›–‹‚¿‹¿‰‰»››‹–›»(cid:176)¿fi¿‹»›»‹›–”…¿‹¿•›„•“»†‹–
`different groups of users, e.g., members of different
`…•””»fi»†‹„fi–«(cid:176)›–”«›»fi›(cid:244)»(cid:242)„(cid:242)(cid:244)‡»‡(cid:190)»fi›–”…•””»fi»†‹
`departments in a company.
`The configuration
`…»(cid:176)¿fi‹‡»†‹›•†¿ ‰–‡(cid:176)¿†§(cid:242)
`(cid:204)‚» ‰–†”•„«fi¿‹•–†
`shown in figure 1 below uses compartments to
`›‚–'†•†”•„«fi»(cid:239) (cid:190)»·–'«›»›‰–‡(cid:176)¿fi‹‡»†‹›‹–
`distinguish between data and resources accessible
`…•›‹•†„«•›‚ (cid:190)»‹'»»† …¿‹¿ ¿†…