RECON/GUARD CONFIDENCE TESTS
Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST):
CIA-RDP95-00972R000100100012-7
Release Decision:
RIPPUB
Original Classification:
C
Document Page Count:
93
Document Creation Date:
December 27, 2016
Document Release Date:
August 21, 2012
Sequence Number:
12
Case Number:
Publication Date:
January 3, 1983
Content Type:
REPORT
File:
Attachment | Size |
---|---|
CIA-RDP95-00972R000100100012-7.pdf | 3.67 MB |
Body:
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
RECON/Guard Confidence Tests
(dtd 3 January 1983)
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
C
Introduction
The purpose of this document is to identify the objectives,
methods, and acceptable results of the RECON Guard program
acceptance test phase.
The tests outlined here will be conducted by government
personnel. Many of the tests will utilize a test Trap-Door
program. This Trap-Door program will be generated by OCR/IAB*and
is specified in this document.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
C.
Objective:
RECON Guard System Acceptance Tests
(Overview)
The objective of the Government acceptance tests is the
determination of the Guard System's ability to perform its
security functions in the presence of normal and abnormal per-
turbation of the expected/standard operating environment.
Security Vulnerability Determination:
. Operational tests
incorrect key insertion/removal
induced errors on on-line and update Guard I/O
modules (i.e., can record incorrectly written on
output tape of update Guard be inadvertently
released?)
establish ideal setting for variable Guard System
parameter
Guard System outage tests
random stop/start during record transmission
h
ot
er induced Guard System errors
Covert signalling channel tests attempt
data by:
modulation of handshake sequence
modulation of error massages
modulation of leqitimate traffic
(intact RECON records)
alteration of record content
. Composite tests
Al] tests will be conducted by or in the presence of designated
Government personnel.
Each test or set of tests will be documented prior to the
Guard System test subphase. This documentation will include the
following:
objective
method
acceptable results
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
System Outage Testing/Operational Testing
objective:
The objective of these tests will be to determine the
reliability and stability of the Guard System under normal and
abnormal/hostile conditions.
Method:
The operational tests will be ongoing during the entire
acceptance testing phasa. These operational tests will include
such actions as would be encountered during operation of the
Guard System. These actions will include the following:
1. Random unplugging of On-Line and Up-Date Guard.
2. Random switching/rem.val of AGB's
a. during operation periods
b. between operation periods
3. Disruption of Security Officer Interface system
a. by random/intermittent power-down
b. incorrect keyboard entries
c. etc.
4. Inducement of tape errors for Up-Date Guard.
5. Other disruptive events.
Successful Results:
The Guard System should continue its security function under
all circumstances. Regardless of the disruptive tests applied,
the Guard System should not permit any unauthorized release of
information.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
C- C
Hardware Component Verification Test
Objective:
The objective of this test is to ensure, as thoroughly as
possible, that no clandestine hardware (i.e., tap devices) is
included in the Guard System hardware set. This hardware set
includes the On-Line Guard SBC's, the Up-Date Guard SBC's, all
AGB's, and Security Officer Interface hardware.
Method:
The method applied for this test will be visual inspection.
More elaborate methods (i.e., IR) will be possible only if an
appropriate system is available. Inspection of microprocessor
chips will entail magnification and comparison (visually) with
proper chip layout description.
Successful Result:
A one-to-one comparison of SBC components and, where possible.
chip layout inspection for computer-on-chip components will be
deamed acceptable.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 CIA-RDP95-00972R000100100012-7
Handshake Sequence Modulation
Objective:
The objective of this test will be the transmission of
clandestine information by selective interrupt of HAS-Guard and
RECON-Guard software communications sequence in a codable
repetitive manner. The communication sequence will be interrupted
(error condition) in such a way as to encode the test character
string.
Method:
The handshake interrupt will be attempted both from the 370
(RECON System) operator console and (if practical) from small
embedded in RECON trap door software routines. Modulation of
error interrupts will use the following techniques:
1. time lapse between error interrupts
2. device interrupt error type
3. # interrupts/time period
4. use of CANCEL and STATUS acknowledge
The receiving station for this test will be on the outbound (HAS)
side of the On-Line Guard device.
Acceptable Results:
The Or.-Line Guard device should abort all transmission
(execute a channel shutdown), prior to the receipt of the full
test sequence at the outbound receiving station.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Error Messaqe Modulation
dbjective:
The objective of this test is to use error messages to
transmit clandestine informat;on through the On-Line Guard device
to the COINS network.
Method:
The Trap-Door program will be used to generate and transmit
error messages to the COINS network. These error messages will
be transmitted via the operator control mode of the Trap-Door
prcgram. A predetermined test character sequence will be the
cbject of this method.
Acceptable Results:
The On-Line Guard device should terminate channel activity
prior to output of the full test character sequence.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Alteration of Records
Objective:
The objective of this test will be the transmission of
clandestine information through the On-Line Guard device by
overlaying such information on legitimate outbound RECON records.
Method:
The Trap-Door program will insert predetermined character
strings into authenticated RECON records. These records will
then be transmitted to the On-Line Guard dcvice for output to the
COINS network.
Acceptable Results:
The On-Line Guard device should detect all such unauthoriz?d
alterations of the legitimate RECON records. The On-Line Guard
should then block transmission of the altered records and inform
the audit and alarm devices.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
11 V W _ .._ . _ _ Ll_1 1_ I 1
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Legitimate Traffic Modulation
Objective:
The objective of this test will be the transmission of a
designated character string by the use of properly authenticated
records. This test will attempt to open a covert signaling channel
with legitimate message traffic.
Method:
Transmit 26 properly authenticated, "correct" records to HAS.
Then, as part of the same response retransmit the 25th, 15th, 21st,
8th, 1st, 22nd, 5th, 2nd, 5th, 5th, 14th, 8th, 1st, 4th, then end of
response. If possible, the first 26 records should be the shortest
available.
Successful Result:
The Guard will immediately recognize a direct channel attack and
shut down on the receipt of the 27th record. (Actually, if it did,
it would be in error of some kind.)
Also, allowable response set limit, or retransmission limit
should be exceeded and cause Guard cutoff.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
RECON Test (Trap-Door) Program
Objective:
The objective of the RECON acceptance test Trap-Door program
will be the introduction of security relevant errors and pertur-
bation into the Guard-RECON-HAS function. The Trap-Door program
should allow the 370 system (RECON host) operator to control.
error condition generation from the control console. Also, the
Trap-Door program should have the capability to automatically
generate RECON system errors.
Function:
1. Change contents of RECON record by the following methods:
a. single bit change in RECON record
b. overlay of character string in RECON record text
2. Transmit selected error messages by:
a. insertion in response record set
b. direction from operator console
3. Transmit response record set
a. response record set should include altered records
b. response record set transmission should be under
console operator control
4. Automatic execution mode
a. program should automatically loop through any
combination of above functions
b. selected functions will be determined by operator
at initiation of automatic execution mode
5. Simulate RECON system outages
a. transmit CANCEL messages under operator control
b. transmit CANCEL messages via automatic loop
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
1
c. transmit status acknowledgement messages under
operator control
d. transmit status acknowledgement via automatic
loop
The RECON test program should have a control structure which
permits execution of all five of the above functions by two
separate modes. These control modes are:
1. Automatic function execution mode
2. Operator-controlled function execution mode
Automatic Function execution mode will be RECON test program
-initiation of operator-selected functions in a loop method.
Execution will be stopped by a preset timer, loop parameter, or
operator intervention. The operational scenario will be as
follows:
a. operator parameter entries
(1) functions to be executed
(a) order of execution
(b) random order of execution
(2) stop parameters
(a) time
(b) # of execution loops
(c) infinite loop (stopped by operator
intervention)
Operator-controlled function execution mode will be RECON test
program execution of specific operator-selected functions. The
operational scenario-will be as follows:
a. operator parameter entries
(1) functions to be executed
(2) # of executions
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
COMMUNITY RECON ERROR GENERATOR
This paper outlines the specifications of an error generating
program developed as part of an effort to test the ability of the
RECON GUARD device to detect and flag RECON records which have been
altered since the assignment of a 'CHECKSUM' (by the UPDATE GUARD
device). The program operates in an IBM batch environment and is
written in the IBM ASSEMBLER language. The purpose of the program
is to intercept and alter a COMMUNITY RECON output file prior to
being received by an ONLINE GUARD device for channeling back to
the COMMUNITY RECON user.
The program has been designed to be inserted into the
COMMUNITY RECON job stream after the final output data set has
been created but before sending the output to the ONLINE GUARD
device. Through the use of Control card input the program can
alter any or all of five (5) output records. The records that
can be affected are:
1) the FIRST-CARD
2) the 1st RECON record
3) the MIDDLE RECON record
4) the LAST RECON record
5) the LAST-CARD
.The program accepts any of 7 Control card formats in any order. The
number of Control cards has been limited (arbitrarily) to 20. Each
type of format can be used any number of times.(limited to a total
of 20 Control cards) and the same record can be altered with several
different Control cards. The 7 general 'commands' are:
1)
USERID --
change
the userid on the FIRST-CARD
2)
AGENCY --
change
the originating agency on the FIRST-CARD
3)
REQNUM --
change
the 4 digit request number on the
FIRST-CARD and LAST-CARD
4)
BIT -- flip a single bit in the RECON record
5)
BYTE -- alter a character in RECON record to EBCDIC 'FF'
6)
STRING -- Add, Replace or Delete a string (up to 20
characters
7) ORDER -- Place copies of specified RECON records from
the set after the last legitimate RECON record
but before the LAST-CARD.
UNCLASSIFIED
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
For the purpose of RECON record manipulations , 23 subfields were
selected to provide the capability for altering different parts of
the RECON records. These subfields were assigned 2-6 character
acronymns for use on the Control Cards. These 'field specifications'
give the ability to select particular fields. Of particular interest
for this test are the D1, D2 and CW fields which affect dissemination
and the CS field which affects the CHECKSUM Itself. The complete list
of allowable field acronyms follows.
DF -- document format
DNSB1 --
DNSB2
--
DNSB3A
--
DNSB3B
--
ITEM
--
PAGE
--
DT
--
CL
--
D1
--
D2
--
CW
--
PD
--
EX
--
TD
--
PR
--
MG
--
SN
--
SC
--
CY
--
KW
--
TI
--
CS
--
of
number subfield 1
to
to
to 2
it
of
of 3
''
?'
t 3
to
to
of
if
to
type
classification
dissemination 1
dissemination 2
code word
publication date
exemption category
todate
processing date
management field
series periodic set
subject code in subject periodic set
country code in
keywords
title
checksum
UNCLASSIFIED
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
PAGE 3
The format of the Control cards is as follows.
COMMAND- COLUMNS CONTENTS
USERID 1-6 USERID
7 -
8-22 new userid
AGENCY 1-6 AGENCY
7 -
8-11 new agency
REQNUM 1-6 REQNUM
7 -
8-11 new request number
BIT 1-6 BIT
7 F or M or L (first, middle or last)
8-13 field specification (acronym for which
part of the RECON record to alter)
BYTE 1-6 BYTE
7 ForMorL
8-13 field specification
STRING 1-6 STRING
7 ForMorL
8-13 field specification
14 A or D or R (add,delete or replace)
15-34 string to add,replace with or delete
(in case of delete the contents of
the string are ignored -- the I of
characters in the string will be the
number of characters deleted from the
RECON record)
--OR--
BLANK (set field to blanks)
--OR--
ZERO (set field to binary zeros)
ORDER 1-5 ORDER
.7 -
8-80 continuous sequence of 2 digit numbers
UNCLASSIFIED
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
_ .... _ . .. 1 .1 . 11 1 .
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
PAGE 4
(pax 36) representing an ordering of RECON
records from the output set to be placed
after the legitimate records but prior to
the LAST-CARD.
(ex. 20051920 -- copy the 20th RECON record
in the set and place it after the last
RECON record in the set. Follow this with
the 5th, 19th and 20th records (spelling
the word TEST).)
Theoretically the program can handle any file size passed
in. For practical purposes however, an input file size limit of 1000
records should be observed. The program will output the altered
records to a data set picked up by the spanned record formatter
Utility. It will also output a hardcopy count of processed control
cards and any error messages that were generated due to improper
Control cards.
UNCLASSIFIED
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Notes on Legitimate Traffic Modulation
STAT
29 January 1983
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Introduction
Legitimate Traffic Modulation is one of the most formidable
security problems encountered when data bases containing multi-
level security and compartmentd information is exposed (connected)
to untrusted network access. At first glance, an LTM type
clandestine attack would appear to offer an unlimited, uncontrol-
lable bandwidth, since LTM involves the transmission of legal
output but in a way as to encode information.
All covert signalling/timing channels can be fully exploited
if tradeoffs on normal system/network operations and throughput
are prohibited. The following discussion will suggest an approach
to severely limiting the LTM available bandwidth, while defining
the operational constraints on the target system.
This note contains a brief discussion of Legitimate Traffic
Modulation (LTM). The techniques could be employed for any new
remotely accessed data bases where security is of prime concern.
With some enhancement of the Guard system the initial scenarios
could be employed for existing data bases. The sequence proof
(encrypted data base) scenarios could not be applied to existing
systems without extensive modification.
The-sequence proof scenarios would require a verified,
off-line, data base encryption peripheral. The Guard Device
prototype design could possibly serve this function with minor
modification. Properly accessed encrypted data bases may be a
solution to LTM.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
(3) patterns to be detected
(a) alphabet strings: with unique msg.
types
(b) trailer strings: all previously
encountered msg. types
(c) buffer deleted when (above) clandestine
code probabilities are encountered
4. Buffered response set will be scrambled
a. order of response msgs. will be changed randomly
b. order of response msgs. will be changed by pre-
determined algorithms
c. this appears to be most effective LTM countermeasure
(1) ease of implementation
(2) effectiveness
(3) can be standard output sequence function not
requiring code ident (as in (3) above)
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Legitimate Traffic Modulation (LTM)
alphabet msg. string
sequence coded msgs.
Legitimate-sequences
A. Attack requirements:
1. sequence must be pre-ordered and known by receiver
(attack method t..s sequence integrity dependent)
1. limit length of response sequence
(reduce channel bandwidth)
a. property of LTM attack
(1) must have nonunique msg. types in trailer
portion of response set, or
(2) must have known spacings of unique msg.
types in trailer portion
3. detector function
a. the principal detector function will be code
detection
(1) various methods exist for this
(1) entire response msg set must be buffered
prior to output
(2) alphabet string detection
(a) each 1 to n string of msgs. will be
examined with the resultant trailer
sequence
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
(Sequence Proof) LTM Channel
A. Trap door program function
From the set of responses
1. scan response set for records with
a. appropriate characters in predetermined
string field
b. appropriate characters in predetermined
sequence character field
2. transmit related records (this activates LTM
channel)
Response Set records must have
proper character strings in 2
(determined by transmit trap
char strin )door program
known by clandestine receive
program
3. receive program decodes clandestine message from the
received response set
B. Constraints on defensive measures
1. Must not disrupt communication link throughput rate
2. Must'not decrease response set received
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
I. Solution
A. Requirements for attack:
1. trap door program must know contents of records
which will be transmitted
2. location of data and sequence information fields
and/or pointers must be known to transmitter and
receiver
3. trap door program must select, from response set,
those records having proper characters in the
predetermined data and sequence fields
1. encrypted data base 'with header and trailer
information stripped on output (trap door cannot
know information released)
2. limit response set size
C. Solution (using Guard concept) when query capability
is required:
1.(a) queries could search on header information only
(header would contain key words for query search).
Thus severely restricting the amount of characters
usable by a trap door program
(b) or incoming query (search parameters) encrypted
with appropriate key (or single key if 1 key
scenario is used)
(c) thus query can only search/hit on appropriate
records (if multi-key scenario is used)
Enter:
1.
auth
and
and save
auth (at
store
update
encryption results
device)
2.
now
from
no way to
internal
tell
trap
what output
door. Thus
will be
trap
door
cannot select sequence or
character
string of response set for output because
it cannot know what will be output
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Exit: 1. decrypt at (online device)
2. authenticate as before
3. scramble response set
4. Guard determines destination and strips
headers and trailers (only encrypted
text is passed after decryption by Guard)
5. Guard checks contents of response set
(i.e., response set must contain more
than 1 record, and response set must
contain no identical records)
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
..... 1. .1 . 11. 1 .......w. L , 1I 11 --_ . . . .,a..L . ... .
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
As discussed in part C.2, above, an encrypted data base will
prevent a trap door program from knowing which data is trans-
mitted. This is because encryption/decryption of text is done
off line (outside of operating space of the.data base or the
target system). No plain text data arriving at the Guard is
transmitted (headers are stripped). No encryption data is trans-
mitted (encrypted text changed to plain text at Guard before
transmission). Thus the Guard also functions as an encryption
device. Although not applicable to the present RECON system, new
data bases employing this scenario with a Guard Device concept
may be protectable in this manner.
This communication suggests an approach to controlling a
covert signalling channel utilizing LTM. The proper use of
encryption and response record sequence sampling on the bandwidth
of a LTM type attack can be severely limited. It is hoped that
the above discussion can stimulate dialog leading to more complete
solutions to the LTM problem.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
LUNr'1I)LNT1A1.r
OS/ISSG
Draft Evaluation Report
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21: CIA-RDP95-00972R000100100012-7
L
ROUTING AND RECORD SHEET
SUBJECT: (Optional)
Testing of the RECON GUARD Prototype
FROM: NO.
DATE
5 JUL 1984
TO: (Officer designation, room number, and
DATE
building)
OFFICER'S
COMMENTS (Number each comment to show from whom
RECEIVED
FORWARDED
INITIALS
to whom. Draw a line across column after each comment.)
1. RECON Project Officer
Chuck,
PATG/ISRD/ORD
726 Ames Building
7111
Attached is the RECON GUARD
2.
Prototype Test Report, which I
showed you last week.
a co
of this to
py
3
as a draft.
I intend to submit this same
4
memo to go from the Director of
Security to and
Claire Rice
ere ore
lease
,
, p
5
consider this official between
you and me but not the official
OS response
6.
.
7.
8.
9.
10.
11.
12.
13.
14.
15.
FORM 61 O USE PREVIOUS
1-79 1 EDITIONS
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
2 4 JI i*! 19,84
MORANDUM FOR: RECON Project Officer
AE'
Processing and Analysis Technology Group,
Information Systems Research Division,
Office of Research and Development
Industrial systems branch,
Information Systems Security Group, OS
25X1
25X1
SUBJECT: Testing of the RECON GUARD Prototype
1. Between 14 May and 11 June 1964, Information Systems
Security Group performed testing of the RECON GUARD prototype
hardware which was developed by Sytek, Incorporated, under con-
tract to the Office of Research and Development. The objective
of this Project was to demonstrate the feasibility of the
GUARD-Device concept and its applicability to the problem of
connecting classified Agency data oases to external networks.
Preliminary examination of the test results, indicate that the
GUARD performs this function. I recommend, therefore, that the
GUARD Device be certified as :laving passed the tests described
in attachment A.
2. Testing was performed using the Guard Test System
(GTS) which emulated a Host Access System (HAS). Use of the
GTS allowed for easier manipulation and verification of the
data tnan if using a live COINS HAS. Additionally, testing was
performed using only a 2,000 record test RECON data base. It
is most important to note treat extensive testing with a live
network and a live data base must take place before a GUARD-
Device can hold the trusted position of protecting classified
Agency data rrom unauthorized exposure to an external network.
J. It is also noted that the GUARD cannot control what
nappens to data before data enters RECON via the Update Guard,
waile data is scored in the RECON data oase, or nrri~r data is
released from RECON via the On-line Guard.
4. The boundary of effect of the GUARD system is defined
to be these entry and exit points. There are currently no
known Trojan Horses or crap-doors in the MVS, JES3 or RECON
systems. Since RECON GUARD, as it is presently configured
does not address the Trojan un?-g? issue, tine GUARD system must
be assessed on this basis.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 CIA-RDP95-00972R000100100012-7
5. Testing was intended to address the trustworthiness of
the GUARD as a gateway to allow tae release of authorized data
and to prevent the release of unauthorizea data. It did not,
25X1 for instance, consider issues such as throughput.
25X1
25X1
All currently planned testing nas been accomplished.
Attacnnents:
A. RECON GUARD Test Plan (Attached)
B. RECON GUARD Test Results (Pending)
r if:in 1!T1;1{
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
RECON GUARD TEST PLAN
The tests outlined in the following pages were performed
based upon several assumptions. The GUARD must be operated
wit'nin these constraints for the test results to remain valid.
These assumptions are as follows:
10 One AGB1 is dedicated to each site for this test (i.e.,
State, DIA, and NSA).
Individuals at each site are cleared system nigh and
identified to the network; terminals are physically
located in system .lion approved areas.
Sufficient physical and personnel security standards for
system high processing are afforded co the GUARD hardware
and the Security Officer Interface Device (SOLD).
The GUARD cannot control what happens to data oefore data
enters RECON via the Update Guard, while data is stored
in the RECON data base, or after data is released from
RECON via the Online Guard. The boundary of effect of
the GUARD system is defined to oe these entry and exit
points.
Testing was performed.using identical secret keys for the
multiple sites.
Testing was performed using the Guard Test System (GTS)
which emulated a Host Access System (HAS). Use of the
GTS allowed for easier manipulation and verification of
the data than if using a live COINS HAS.
A Trap-Door program was utilized to allow for limited
data manipulation of RECON records. Releasable RECON
records could probably be created within the RECON data
base given the knowledge of the appropriate secret key,
sufficient time, systems knowledge, and accessibility.
Testing was performed using only a 2,000 record test
RECON Data base.
There are currently no known Trojan Horses or trap-doors
in the MVS, JES3 or RECON systems. Since the GUARD as it
is presently configured, does not address the Trojan
Horse issue, the GUARD system must be assessed on tnis
basis.
1 See the glossary of definitions on the following page.
C t>- 5c 5 ~ ? ~ I ,! " I
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
-
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21: CIA-RDP95-00972R000100100012-7
The following definitions will be used throughout this
document:
A record or a RECON record is defined to oe a collection
of data which meets the format requirements for entrance
to RECON, or such a collection of data after it has ueen
marked for distribution to specified communities.
A secret key or key and initial value consists of a
cryptographic type of numeric key value and initial value
used by the DES algorithm to encrypt or decrypt a given
data stream. Both the secret key and the category expres-
sion reside in an erasaoT programmable read only memory
(EPROM) that is located on one or more Authentication
Generator Board (AGB).
An authenticator is a digital signature attached to a
record. It is either a blank field called a null authen-
ticator or it is a field of the record containing a value
calculated for the record witn an algorithm such as DES
using the record itself and a secret Key. Authenticators
are used to control release and distribution of RECON
records.
A category can be identified for a record by specific
fields of the record. A boolean function called a
category expression is associated with each releasable
data set. If the category expression when applied to a
given record evaluates to "TRUE," then the authenticator
is computed with the secret key associated with that
category expression.
A record is a candidate for release oy the GUARD or the
GUARD is authorized to re ease a record it and only it
tnere is a category expression and secret Key within the
GUARD which is associated with the record.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21: CIA-RDP95-00972 R000100100012-7
EXAMINE CODltiu OF SOFTWARE
Review and confirm teat Theorems and Corollaries are valid in
the "GUARD System Verification Report," dated 3 May 1984.
.Review and confirm "vmulti p1" master, dated li May 1984.
Review and confirm "vupislv p1" (outer block of code that runs
on the Update Guard Input Slave Board), dated 11 May 1984.
Review and confirm "vupdate pl" master, dated 11 May 1984.
Review and confirm "vassembly al", dated 11 May 1984.
Review and confirm "vagbmod al", dated 4 January 1984.
Review and confirm "vagb pl" (outer block of code tnat runs on
the AGB), dated 4 January 1984.
Evaluate security relevant material from "Guard System
Operation and Maintenance" report, dated to April 1984.
Evaluate security relevant material from "RECON IV Users
Manual," dated April 1980.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
VERIFY FUNCTIONAL OPERATION OF GUARD
1. Develop 20 test queries.
2.0 Run the test queries directly tnrough the RECON Test Data
Base without interfacing with the GUARD.
3. Run the test queries through the GUARD System utilizing all
possible AGB's and sites (nine runs per query).
4. Compare the results of the test runs to ensure functional
operation of the GTS and ensure that improper release or
spillage has not taken place.
SECURITY VULNERABILITY DETERMINATION
Operational Tests
1. Incorrect EPROM insertion/removal.
2. Induced errors on the Update Guard (JDG).
a. Write to an output tape where the records from the
input tape exceed the length of the output tape.
b. Invalid record test requiring improperly formatted
input tapes.
1) A record too short.
2) A record longer than the UDG buffer (2048 oytes).
3) A record with an incorrect checksum.
4) A record that already has an authenticator.
5) A record with a category expression unknown to the
UDG.
6) A record that goes off the end of the input tape.
7) A record with incorrect tape parity.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
. Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
c. Configuration test illustrating UDG's reaction to
changes in slave board configuration and placement.
1) Remove output slave processor board.
2) Start system with drives off load-point and offline.
3) Start system with drives powered off.
d. Manipulation of alarm system and auditing device
connection.
1) Unplug the alarm cable before starting UDG.
2) Unplug the audit cable before starting UDG.
3) Unplug the alarm cable while UDG is running.
4) Unplug the audit cable while UDG is running.
e. Abnormal AGB data EPROM contents.
1) Improper checksum.
2) Corrupted secret key.
3) Corrupted initial value.
4) Corrupted stocx plain text.
5) Corrupted cyphertext.
f. Abnormal tape contents.
1) A tape without IBM labels.
2) A tape wittl improper IBM labels.
Abnormal tape procedures.
1) Attempt to combine multiple input tapes given a
single output tape.
2) Take drives offline.
3) Alter tape position by hand.
4) Put write ring on input tape.
5) Remove write ring from output tape.
CONF='D NT!At
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
3.
Induced errors on Online Guard (OLG).
a.
Manipulation of alarm system and auditing device
connection.
?
1)
Unplug the alarm cable before starting OLG.
2)
Unplug the audit cable before starting OLG.
3)
Unplug the alarm cable while OLG is running.
4)
Unplug the audit cable while OLG is running.
b.
Random start, stop and power disruption.
GUARD System Outage Tests
1.
Random start/stop during record transmission.
a.
b.
c.
Power off the protocol converter during record
transmission.
Reset GUARD during record transmission.
Power off GUARD during record transmission.
2.
Random unplugging of Online Guard.
a.
b.
During record transmission.
After system configuration but prior to query
submission.
3.
Random switching/removal of AGB's.
a.
b.
c.
Removal of AGB during record transmission.
Insertion of new AGB after system configuration but
prior to query submission.
Insertion of new AGB during record transmission.
4.
Disruption of Security Officer Interface Device.
a.
b.
c.
By random/intermittent power down.
Incorrect keyboard entries.
Preparation of EPROM on a EPROM ourner wi-iicci is not a
part of the SOLD.
5.
Inducement of tape errors for Update Guard.
a. Tape too short for specified records.
o Random manipulation of alarm, audit device, etc.
c. Invalid data.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
\.__".ii''T l$_tL' V i',i 1
2.
6.
Manipulation
with multiple category expressions.
with multiple category expressions and secret
4. i-Iultiple AGB's with same category expression and secret key.
No AGB.
Single AGB
Single AGB
keys.
Multiple AGB's
Multiple AGB's
Multiple AGB's
with different category expressions.
with same secret key.
with different secret keys.
8. Random manipulation of AGB's from one site and office/
organization identification from another site.
9. General manipulation of AGB sites, secret keys and release'
categories.
Trap - Door Program
1. Manipulate data without modifying authenticator.
2. Modify only authenticator.
3. Modify both authenticator and data.
4. Attempt to manipulate data in such a way to achieve same
checksum.
5. Attempt to manipulate data in such a way to achieve same
authenticator.
v. Modify data, attempt to release, then return data to
original condition.
7. Modify data and/or authenticator, determine ana append new
checksum.
J. Modify data and/or authenticator, determine and append new
authenticator.
C~lT to , rti, r_ 1
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 CIA-RDP95-00972R000100100012-7
N: f'- 17:
r ? L
Covert Signalling Channel Tests Attempt to Transmit Data:
1. Modulation of handshake sequence.
0. Time lapse Detween error responses.
b. Device Interrupt error.
c. Number of interrupts/time period.
d. Use of CANCEL and STATUS acknowledge requests.
2. Modulation of error messages through manipulation of records
via the trap door program.
3. Modulation of legitimate traffic (intact RECON records).
8
rn~, {r 1T1rN iTI A I
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Configuration Diagrams
Guard Test System
(GTS)
Comprising:
(a) Momentum Haw RECON/HAS Emulator
(b) LocalNet System Components
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
GUARD Test
GUARD Test
System
System
User Side
Data Side
Emulator
Online
Emulator
(HAS)
(Recon)
Security
GUARD
Sends querys to
Responds to querys
Security Guard in
in emulation of
format outlined
in Security GUARD
JES and Recon as
Interface Control
outlined in Secur-
Document.
ity GUARD Inter-
face Control Doc.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
COINS
NETWORK
GTS
COMMAND
CONSOLE
C30
IMP
LNET
LOCA
50 50
-I
M. HDEN
NO COINS
CONNECTION
LOCAL
NET
20/
200
T-MUX
GUARD
TEST
SYSTEM
MOMEN-
TUM HAW)
UNIX)
6TS
ACTIVITY
MONITOR
(OPTIONAL)
CONSOLE
INTERACTIVE
PRINTER
LOCALNET
50"0
CABLE KIT
(RG59U)
BLDG. GCO3
LOCAL-
NET
20/100
T-BOX
LOCAL-
NET
100
20/100
T-BOX
SECURITY
OFFICER
INTERFACE
(SOID)
7 LAt =
20/ 100
T-BOX
N[. ECAL-
T
20 / 100
T-BOX .
ONLINE
GUARD
I
AUDIT
PRINTER
ONLINE
GUARD 2
(RESPONSE
COUNTER)
AUDIT
PRINTER
ONLINE
GUARD 3
(MULTIPLE
LOW SIDE)
AUDIT
PRINTER
ANALYST
TERMINALS
/-- \
GUARD ~ GUARD TEST SYSTEM (GTS) CONFIGURATION
SYTEK, INC.
STAND ALONE - Figure 1
aONCAAI~
2' 2 200
TMUX
UPDAT
KEY:
RECON
DATA
BASE
RG 59U CABLE
HAND CARRY STEP
(TAPES OR PROMS)
TERMINALS LOCATED
- -~ BLDG GH44
2 CONNECTIONS MIN.
PER ACTIVE ONLINE GUARD
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
GUARD Test
System
User Side
Emulator
Online
JES
(HAS)
Security
and
GUARD
RECON
Sends querys to
Security Guard in
format outlined
in Security GUARD
Interface Control
Document.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
NO COINS
CONNECTION
LOCALNET
50/50
BL. H
QLENQ
LOCAL-
LOCAL,
NET
'NET
20/100
COINS I C30
20/
T-BOX
NETWORKI IMP
200
T-MU
NETAL
20/100
6TS
T-BOX
COMMAND
CONSOLE
ACTIVITY
MONITOR
(OPTIONAL)
BLDG. GC03
AUDIT
PRINTER
ONLINE
GUARD
I
AUDIT
PRINTER
ONLINE
GUARD 2
(RESPONSE
COUNTER)
r LOW SIDE)
SECURITY
OFFICER
INTERFACE
RECON
DATA
BASE
ONLINE
GUARD 3
(MULTIPLE
^\
20/100
ET -A
T-BOX
ILO -
NET
120/ 100
T-BOX X.
KEY:
ANALYST
TERMINALS
GUARD ~ GUARD TEST SYSTEM (GTS) CONFIGURATION
SYTEK, INC.
RECON System Connected, GTS Simulates COINS - Figure 2
~S D
SYSTEM
MOMEN-
TUM HAWK
UNIX)
7
LOOCAA
20/
200
TMUX
LOCALNET
50/
CABLE KIT
'('0
I
(RG59U)
CONSOLE
INTERACTIVE
PRINTER
UPDAT
RG 59U CABLE
HAND CARRY STEP
(TAPES OR PROMS)
TERMINALS LOCATED
2 CONNECTIONS MIN.
PER ACTIVE ONLINE GUARD
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
GUARD Test
System
Data Side
Online
Emulator
HAS
(Recon)
Security
GUARD
Responds to querys
in emulation of
JES and Recon as
outlined in Secur-
ity GUARD Inter-
face Control Doc.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
LOCALNET
I 50/50
CBL. HQEND
COINS
NETWORK
COMMAND
CONSOLE
C30
IMP
LOCAL,''
N E T
20/
8 200
T-MUX
LOCAL-
NET
20/ 100
T-BOX
LOCAL-
NET
20/100
T-BOX
O
CAAI
GUARD
N
TEST
SYSTEM
2'
20/
MOMEN-
TUM HAWK
TMUX
SECURITY
OFFICER
UNIX)
INTERFACE
6TS
(SOID)
ACTIVITY
MONITOR
LOCALNET
(OPTIONAL) 50/10
CABLE KIT
(RG59U)
LOCAL-
CONSOLE
NET
INTERACTIVE
20/ 100
PRINTER
T-BOX
BLDG. GCO3
NO L-
20/ 100
T-BOX.
ONLINE
GUARD
I
AUDIT
PRINTER
ONLINE
GUARD 2
(RESPONSE
COUNTER)
AUDIT
PRINTER
HONLINE
GUARD 3
(MULTIPLE
LOW SIDE)
AUDIT
PRINTER
ANALYST
TERMINALS
r-\
GUARD 4 GUARD TEST SYSTEM (GTS) CONFIGURATION
SYTEK, INC.
NO RECON
I CONNECTION
UPDAT
KEY:
c_ -t
RE CON
DATA
BASE
RG 59U CABLE
HAND CARRY STEP
(TAPES OR PROMS)
TERMINALS LOCATED
BLDG GH44
2 CONNECTIONS MIN.
PER ACTIVE ONLINE GUARD
COINS Network Connected, GTS Simulates RECON - Figure 3
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7 6-0-069
LocalNet`M
Broadband
Network
Technology
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Linking today
with tomorrow.
As a manager with responsibility for
data communications decisions, you are
faced with three key issues when you
evaluate a local area network. The first
is growth. Your network must have the
capacity to handle your current needs,
plus whatever the future may bring-
including video and voice transmission,
links to other local networks, and gate-
ways to long-distance networks.
The second issue you must face is your
sizable investment in existing equipment.
The network you select must be compati-
ble with all of it.
The third issue is the certainty of
change Your network must be able to
accommodate whatever the future may
bring-whether it be new vendors, new
transmission standards, or even new
information technologies.
In addition to these fundamental issues,
there are other very important considera-
tions-the physical means by which in-
formation is transmitted, for example.
Systems which use telephone cable or
point-to-point coaxial cable can create
wiring nightmares that become an
enormous barrier to growth-and some-
times actually make growth impossible.
Cost control is another consideration.
For some network technologies, the in-
cremental cost of expansion is very high.
With leased lines, for example, you have
no way to avoid costly rate increases, or
even predict them!
LocalNet is totally vendor-independent, so
all the devices you own can communicate
with one another
The LocalNetTM Solution
The Broadband Approach. With Local-
NetTM, Sytek has created a technology
that resolves all these issues, and pro-
vides you with a spectrum of cost-effec-
tive data communication services-for
today and tomorrow.
LocalNet is a broadband local area
network that can simultaneously accom-
modate communication between over
20,000 separate user devices (computers,
terminals, digital sensors, etc.), all on a
single coaxial cable of the type used by
the cable television (CATV) industry.
Moreover, when LocalNet is operating at
its maximum (25.4 Mb/sec), 74% of the
cable s capacity is still available for
other services, such as video and voice.
The LocalNet transmission technique is
compatible with midsplit, subsplit and
dual cable installations: and you can
locate nodes anywhere within a radius
of 50 kilometers.
LocalNet is totally vendor-independent,
which means that all the computers,
terminals or other devices you now own
can communicate with each other, it also
means you have complete freedom to
select new vendors and new equipment
in the future
LocalNet supports a broad spectrum
of devices with widely varying data rates,
from low-speed terminals with serial inter-
faces (synchronous or asynchronous) to
high-speed host computers with parallel
interfaces.
Practical Considerations. LocalNet
makes planning the distribution of data in
a building, college campus, or industrial
complex as straightforward as planning
the distribution of electricity Since the
coaxial taps into the network are industry-
standard and inexpensive, they can be
pre-installed to accommodate whatever
requirements the future may bring.
Once in place, LocalNet is physically
rugged and reliable. Since it uses stan-
dard CATV hardware, LocalNet provides
proven reliability-and its topology is
such that damage to one outlet or cable
has no effect on the rest of the network.
Technology
Distributed Intelligence. In LocalNet, the
intelligence resides within the network
A Packet Communication Unit (PCU) is
associated with each user device or group
of devices The PCU 'packetizes digital
input from a user device, and converts it
to analog (radio frequency) output for the
network. It also handles all intelligent
data communications functions, such as
network access, formatting, addressing,
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
_,'AA Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7 .~....
and error checking. Since network control
or management by a central computer is
not required, LocalNet can be imple-
mented without diminishing the capacity
of existing computers.
LocalNet PCUs provide a broad range
of user services and functions, such as
protocol translation and virtual terminal
support. LocalNet PCUs implement the
upper six layers of the Open Systems
Interconnection Reference Model, cur-
rently being standardized by the Inter-
national Standards Organization (ISO).
This architectural layering provides for
ease of expansion, ease of support, and
the standardization of external interfaces.
The primary techniques used by Local-
Net to support multiple data streams on
a single CATV cable are packet switching,
CSMA CD (Carrier Sense Multiple Access
with Collision Detection) and FDM
(Frequency Division Multiplexing).
Packet switching allows many PCUs to
exist on the same cable, and only con-
sume bandwidth while actually sending
data CSMA;CD is a "listen while talk"
contention management technique which
allows multiple nodes to efficiently share
one frequency channel. FDM permits
multiple frequencies on the same cable.
The Products. LocalNet products are
divided into three families: The LocalNet
20 family provides economical low speed
(128 kblsec) networking for devices with
serial interfaces, both synchronous and
asynchronous The LocalNet 40 family is
designed for relatively high speed (2Mb/
sec) devices with parallel interfaces.
LocalNet 50 products implement op-
tional higher level functions such as
access control, monitoring, failure isola-
tion, and security LocalNet 50 products
also handle inter-network linking func-
tions and long-distance gateways. Pro-
ducts from all three families can co-reside
on the same cable, along with a broad
spectrum of other services.
The Company
About Sytek. Sytek offers a wide variety
of network-related services, including the
specification of local area networks sys-
tern architecture design, and Prime con-
tracting for turnkey local area network
installations In essence, Sytek's level of
involvement can vary according to your
individual requirements
Sytek is affiliated with General Instru-
ment Corporation, the world's largest
supplier of CATV equipment. Sytek's
With LocalNet, multiple nodes share one frequency channel, and multiple channels share the
same coaxial cable A bridge permits interchannel communication
LocalNet products are serviced at over
250 locations nationwide through General
Instrument's Data System Group.
Towards an Intelligent Networking En-
vironment. LocalNet can become the
foundation for a total intelligent networking
environment, which includes such func-
tions as data communications, security,
energy management, voice, and tele-
communications, as well as video. With
LocalNet, you can plan for installation
of equipment that hasn t been dreamed
of today No other local area network
gives you more freedom in managing
today, and preparing for tomorrow.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21: CIA-RDP95-00972R000100100012-7 -
Sytek, Inc.
1225 Charleston Road
Mountain View, CA 94043
(415) 966-7330
0000-0001 4183
? Sytek, Inc. 1983
Printed in U.S.A.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
. Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Additional Applications
for
Trusted Domain Machine (TDM)
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
MULTI-SYSTEM DATA TERMINAL DESIGN
USING AUTHENTICATORS
R.K. Bauer
1. ~NTBQQU~T~4
Often Government personnel require access to multiple EDP sys-
tems, each classified at a different level. Use of separate ter-
minal equipment for each system is inefficient, expensive and
often leads to an explosion of terminals and interconnecting
cables. Use of a single terminal,"while more convenient, poses
the danger of information spillage. Classified information may
still be present within the terminal when it is connected to an
unclassified EDP host after a classified work session. This
problem is of concern for terminals which include internal
storage and especially for those which incorporate permanent
storage media such as disks, tapes and nonvolatile memory.
Currently these terminals must be "sanitized" after use in a
classified environment in order to completely expunge any classi-
fied information residue. Such sanitization procedures are
inconvenient, make demands upon the operator and require trust in
their correct function.
Rather than ban the use of storage terminals, a solution is
sought which not only allows their use, but exploits their
storage features. It is convenient for such terminals to pertorm
a data transfer function. Information selected from an unclassi-
fied system is stored within the terminal and later transferred
onto a classified system to aid work performed there. Selective
information transfer to systems at the same or higher classifica-
tion level is a distinct advantage and represents no security
risk. However the reverse of this process represents information
downgrade or compromise, and must be prevented.
This paper describes a solution approach based upon data marking
with authenticators. The approach utilizes special marking and
filtering devices and specialized terminals which isolate the
keyboard from the display, local memory, storage and computation
facilities. The design makes extensive use of hardware security
features and is far less complicated (and more trustworthy) than
solutions employing multilevel secure operating systems in the
terminal.
Sytek, Inc. - 1 -
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
I---l''. _-1 L ..... _. L 11._ ll ..... .. _11-1 1 .1,__ i
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
2. i?BTa.,M88K~~I~i..BtlA-ZL~BNS
Markers and filters are interposed between all EDP equipment and
the communications medium which they use for intercommunication.
The markers indelibly mark data packet classification level prior
to their entry into the communications medium. The filters
effectively block high level data which their host may not view.
The communications medium underlying the markers and filters may
be point-to-point cabling, a local area network, or even a satel-
lite link. Its exact nature is unimportant, only that it is cer-
tified to carry the highest level of classified information
presented' by any attached host EDP system. The markers and
filters must also be protected at this level.
Figure 1 shows two EDP hosts operating at different security lev-
els and a terminal which may access either host. Data which
leaves either EDP host is labeled with its classification level
by the attached marker. To ensure that the label and data will
not be altered, it is sealed with an authenticator. This guaran-
tees to the receiving filter that the packet and its level are
authentic and have not been altered or otherwise manipulated dur-
ing transit or storage. The authenticator is a cryptographic tag
computed over the entire data packet contents and its level,
based upon a secret key. The process is analogous to encryption,
but rather than producing scrambled data, produces the authenti-
cator. The authenticator can be validated by any filter having
the correct key. Any single bit alteration in the data, level or
key will produce a drastically different authenticator. Algo-
rithms suitable for encryption are easily used for this purpose.
DES in cipher block chaining mode is used by the RECON Guard,
although stronger algorithms are as easily employed.
Filters are able to recalculate the authenticator for data pack-
ets presented to them using the secret key and levels which it
stores. It notes if it is authorized for the classification
level indicated by the label in the data packet, recomputes the
authenticator using the key and compares the result with the ori-
ginal authenticator appended on the data packet. If they match
the data is passed, otherwise it is blocked. The level and
authenticator on acceptable data packets can either be stripped
or left intact by the filter as is convenient. If any of the
following conditions exist, the data packet is not passed:
1. The filter is not authorized' for the classification level
indicated by the data packet.
2. The data in the data packet was altered
3. The classification level marking in the data packet was
altered
4. The authenticator in the data packet was altered
5. The data packet authenticator is absent
Point 1 is the means by which viewing rights are controlled.
Unlike the marker, the filter may accommodate several
Sytek, Inc. - 2 -
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
UNCLASSIFIED
EDP
HOST
DATA
rl
(DATA LEVEL AUTH
;-------------r-----------t------------------------------------------------------I-----------I---------
Routing
Security
Perimeter
L
MARKER
UNCL
MARKER
SECRET
EDP
HOST
DATA
FILTER
UNCL
FILTER
UNCL
A
TERMINAL
FILTER
UNCL
--------------- t-------- i----------------------- ------ -------------------------
DATA
UNCL A
COMMUNICATIONS MEDIUM
FIGURE 1: DATA PACKET MARKING & FILTERING
DATA SECRET A
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 CIA-RDP95-00972R000100100012-7
classification level/key pairs depending upon the EDP host's
viewing rights. For example, a Top Secret host may have keys for
Unclassified, Confidential, Secret and Top Secret allowing it to
view data packets with any of these markings. Points 2-4
represent inadvertent or intentional tampering with the data
packet during transmission or storage in the terminal. All such
tampering is detected (barring cryptanalysis of the authenticator
calculation algorithm or key compromise) and data packet delivery
prevented. Point 5 covers loss of authenticator and misrouted
information from the communications medium. It is also useful
for designating unreleasable data packets.
We will now explain how data can be moved from the Unclassified
EDP host to the Secret Host and how reverse movement is blocked.
The terminal establishes a session with the Unclassified EDP host
ana attempts to move data into the terminal storage. This is
successful. The marker marks the data Unclassified, and the ter-
minal filter is authorized at that level. The terminal filter
leaves the level and authenticator intact, protecting the data
and level from undetectable alteration while within the terminal.
The terminal now establishes a session with the Secret EDP host
and attempts to forward the data. This also is successful. The
terminal filter forwards the outbound packet without examination
or modification. Any discrepancies are detected by the Secret
host's filter upon receipt of the data packet. Alternately, the
terminal may have a direct, outbound only connection to the com-
munications medium for this purpose. The outbound only require-
ment stems from the need to filter all incoming data packets to
the terminal.
Similarly Secret data can be moved, with level markings and
authenticators intact, into the terminal. However, this data
cannot be exported to the Unclassified system because it will be
blocked by the Unclassified host filter which is not authorized
at that level. If the terminal operator alters the level in the
packet, the filter would block transmission as the authenticator
would be incorrect. Similar manipulations are also detected by
changes in authenticator.
3 ? ~~~~~~~M~~1r1 ~fMiMlMi.IY
Unfortunately there is an additional complication not covered by
Figure 1. This is the issue of new data entry at the terminal.
The difficulty is in determining the proper level at which the
terminal marker(s) should operate. Some terminal data entry is
essential if for no other reason than to issue logon sequences
tor the various EDP hosts, formulate data base queries, enquire
concerning query status etc. Obviously such information must be
unclassified when directed to an unclassified system, but may
contain sensitive information when queries are directed to a
classified system. For some applications it may be possible to
use "canned" logon sequences and queries with precalculated
Sytek, Inc. - 4 -
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
- Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
authenticators. However this is an application specific
solu-
tion, greatly restricts operator flexibility and invariably
leads
to future alteration. Another application specific approach
uses
markers
which can recognize data at different classification
lev-
els.
This rather unsatisfactory solution requires rigidly
con-
trolled
formats, a great deal of trust in software correct
func-
tion, and has little flexibility.
Most generalized approaches rely upon the operator to correctly
label keyboard entered data. Approaches differ in the degree of
operator support provided and in the level of operator trust.
The approach illustrated in Figure 2 allows the operator to
switch select the classification level of data entered, which has
interesting sanitization implications.
The keyboard is memoryless and strongly isolated from the rest of
the terminal. This eliminates the need for sanitization when the
operator switches from a higher to lower classification marking.
Through a user selectable control sequence, the keyboard may
instruct the local computer or send control information onto the
communications medium. The keyboard controller module is respon-
sible for directing keystrokes to the local computer or marker as
specified by the user. It also prevents transfer of data (clas-
sified or otherwise) from the local computer into the keyboard
subsystem. Keystrokes destined for the marker and remote hosts
are directed to the dedicated marker where they are labeled
according to the operator selected switch position. These pack-
ets are sealed with an authenticator prior to transmission.
The terminal computer and display subsystem connects to the com-
munications medium via its own filter which allows it to receive
and forward data packets. Incoming data packets from the commun-
ications medium are screened to ensure they are viewable by the
terminal. Incoming data packets passed by the filter have their
level markings and authenticator intact. These marked packets
may be stored, processed or displayed as specified by the opera-
tor via the keyboard, and otherwise intermixed with unmarked and
unsealed data. Data directed from the display subsystem to a
remote host is forwarded by the filter without examination or
modification to the communications medium. However the display
subsystem and filter have no provisions for marking packet level
or appending authenticators. Therefore only previously marked
and sealed data received by the terminal can be delivered to its
destination. Only these packets will have correct authenticators
and be passed by remote host filters.
Depending upon the communications interface, multiple simultane-
ous connections can be supported, even to EDP hosts running at
different security levels. Since the operator must correctly
label the security level of keyboard entered data, all displayed
data must be clearly marked with its classification level.
Visual segregation of multilevel data is readily accomplished via
separate display windows, colors, or type fonts for each
Sytek, Inc. - 5 -
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
COMPUTER
STORE
~1 I U
COMMUNICATIONS
MED I UM
MARKER
CONTROLLER
FIGURE 2: TERMINAL BLOCK DIAGRAM WITH KEYBOARD INPUT
MARKED AT OPERATOR-SELECTED LEVEL
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
different level. Equally important is gg&&CQt and GQj18JCZE
display of classified information. Obviously, inaccurate display
of data and its sensitivity level might confuse the operator,
causing improper marking of keyboard entered data. This condi-
tion is true even when only single level is displayed, making
display hardware and software security relevant.
4. ~aLEa~~a~Q~.cQ~Sau~aa~~~
The previous sections raised substantial security requirements
which are levied upon the terminal architecture and subsystems in
addition to normal functional requirements. These security
requirements affect terminal design as strongly as functional
requirements and influence make/buy decisions. This section
traces further the impact of security upon terminal implementa-
tion. Implementation impacts of terminal keyboard and display
requirements are discussed followed by a discussion of the
marker/filter implementation.
4.1 T~~IDia3,~GQUSidx~u
A major requirement is suitable isolation of the keyboard and
display subsystems. Recall that all outbound keyboard input is
labeled and sealed according to the classification level switch
position. Restricting this to keyboard input not only limits the
rate at which data might be compromised but makes a clear impres-
sion as to the source of data so labeled. The best isolation is
accomplished in hardware by completely separating the circuitry
for the two subsystems. Suitable "one-way" communication between
the two subsystems could be implemented by a specific hardware
protocol. Verification of correctness is accomplished by design
review and inspection of actual hardware circuit board traces.
Accurate and complete display of classified information is
another important issue. The display software and hardware must
be able to recognize data packet format, extract the appropriate
classification level label, and accurately display all the data
in the packet in the appropriate color, font or in the appropri-
ate window. Isolation of this functionality from the general
local computer is important to ease verification of these proper-
ties, giving rise to the special controller module shown in Fig-
ure 2. This controller hardware directly controls the physical
aspects of the display and is programmable. The display control
software must verified to properly manipulate the hardware in
response to commands to display classified data.
Most of the other terminal requirements center upon the support
of and interface to the marker/filter subsystem. Because markers
and filters must be protected to the same extent as the communi-
cations medium, it is desirable to physically co-locate them. In
this approach the terminal must support communications to a
marker/filter subsystem which is not necessarily located next to,
Sytek, Inc. - 7 -
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
.. 1. _- _. _... L _.. 11....1E ._ _..~..,. ... : _ .. 11 L_.1 __.1 .... _ ._,... _ .... ~ :,.
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 CIA-RDP95-00972R000100100012-7
or within the terminal enclosure. These communications must pro-
vide a trusted path over which the terminal may set the marking
level in the marker. Alternately the marker and terminal can be
co-located. This eases the interface chores between the terminal
and marker and allows switch selection of marking level. However
the marker must be secured and will likely require a special
enclosure.
4.2
This subsystem is the heart of the approach and embodies little
risk due'to extensive experimentation conducted during the RECON
Guard program. This program resulted in the implementation and
security verification of a prototype marker/filter system for use
in the RECON environment. Evaluation of its suitability for pro-
tecting sensitive RECON data base records while providing common
network access to others has been successfully completed.
This prototype equipment is well adapted for use in this applica-
tion. Each filter or marker is implemented by three separate
processing environments, each supported by its own microproces-
sor. Two microprocessors independently interface to the pro-
tected data base machine and the network communications proces-
sor. The third microprocessor performs all security processing.
The security processor is supported by an encryption peripheral
which computes authenticators based upon the secret keys it
stores. The hardware design ensures all high to low data
transfer is mediated by the security processor. The simplicity
of the security task, freedom from interface concerns and
software verification ensure that the security processor software
is correct and secure.
5.
~?~88~TG8Lw8~~LiG~+T4i~
The ideas in the previous sections solve an immediate problem.
Government intelligence analysts often draw upon a variety of EDP
systems to prepare intelligence reports. While the analyst's
primary EDP system may be highly classified, a wide range of less
restricted supportive material may be available at other agencies
which would be of tremendous value in report preparation. As an
extreme example, dial up access to unclassified medical and/or
newspaper data bases is useful. The goal is to allow information
extraction from these other sources while maintaining complete
confidence that classified data within the terminal is not leaked
during the connection.
Figure 3 shows a configuration of networks, hosts, terminals,
markers and filters which support this application. Local agency
resources (Hosts A&B and terminals a&b) are interconnected via a
local area network. The local agency network is connected to an
interagency network, allowing connection to Host D at another
agency and connection to a dial-out modem for accessing an
Sytek, Inc. - 8 -
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
LOCAL AGENCY
HOST C
N.Y. Times
Data Base
M
0
M3
N
D
E
U
M
F6
FIGURE 3: PRACTICAL USE OF MARKERS & FILTERS
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
unclassified data base.
Table I describes viewing, forwarding and creation rights for the
different hosts and terminals in Figure 3. The first table
column (MAY VIEW OR STORE) lists the level of packets which may
be input and optionally stored by the host or terminal. In our
example there are five categories of data packet: unclassified
(U), secret (S), top secret category 1 (TS1), top secret category
two (TS2), and unmarked, which is data with no level marking or
authenticator.
Table I:
Host and Terminal Capabilities for Figure 3
MAY VIEW
OR STORE
MAY
FORWARD
MAY
CREATE
Term a
U,S,TSI,TS2,
unmarked
-
U,S (Ml)
Term b
U,S,TS1,
TS2, (F3)
U,S,TSI,TS2
U,S,TS1 (M2)
Host A
U,S,TSI,TS2,
unmarked
U,S, (Fl)
-
Host B
U,S,TSl,TS2,
unmarked
U,S,TS1 (F2)
-
Host C
Host D
U (F6)
U,S (F7)
-
U (M3)
The second column details forwarding capabilities. Terminals and
hosts with direct outbound connections to a network may release
or forward any data they contain. Data packet forwarding by ter-
minals and hosts whose outbound connections are mediated by a
filter is limited to appropriately marked data packets. Finally
the last column shows data packet marking or creation capabili-
ties. Only markers can mark and seal a data packet. Some mark-
ers apply a fixed level, others allow the operator to select the
marking level. Throughout the table, filter and marker identif-
iers in parenthesis show which marker or filter is active in sup-
plying a capability or imposing a restriction.
Filters four and five do not appear in table I and could be
removed in some instances as shown by the long dashed line in
Figure 3. They are introduced to provide a greater degree of
local control and security confidence. The short dashed line
delineates local "zones of control." Filter 4, under the local
agency's physical control, provides a high degree of confidence
that only unclassified and secret data will be allowed to leave
Sytek, Inc. - 10 -
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
the local agency. The filter in this configuration closely
resembles the RECON guard.
Consider a connection between Terminal b and Host D at the other
agency. Even though Terminal b can view all data and can even
create Top secret data restricted to the local agency (TS1),
filter F4 allows only unclassified and secret transmissions to
host D. On the other hand all data contained in host D is
releasable and is marked TS2 by M4 which is passed by filters F5
and F3 allowing its use by the terminal. TS2 marked data could
then be forwarded by the terminal to either of its local hosts
during a later connection.
As a second example, consider a connection between Terminal b and
Host C, the New York times data retrieval system. Retrieved
information is marked unclassified by M3 and released by F5 and
F3. Queries from terminal b are marked unclassified by M2 with
its switch in the U position. Queries thus marked are released
by F4 and F6 before they are received by Host C. Should the
operator mistakenly set the terminal marker to secret (S), the
query would be blocked by F6. Similarly a missetting at TS1
would be blocked by F4. Marked data released from terminal B's
computer/display unit would be similarly filtered. Unmarked data
from the computer/display would be blocked by F4.
6. CONCLU91QN
Practical solution of the multi-system terminal problem is possi-
ble using authenticators. Data is permanently marked as to its
classification level and released only to systems with the
appropriate viewing rights. Terminals may communicate with and
view data from several systems operating at different security
levels simultaneously. Solution implementation maximizes use of
existing terminal equipment and capitalizes on readily available
security technology, to yield a low risk, near term solution
approach.
Sytek, Inc. - 11 -
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
Sytek TR-84010
June 14, 1984
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
GUARD SYSTEM FINAL REPORT
SYTEK TR-84010
June 14, 1984
sytek
1225 Charleston Road
Mountain View, CA 94043
(415) 966-7300
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
1. 1L V 1L 1. _L 1
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
GUARD SYSTEM FINAL REPORT
SYTEK TR-84010
June 14, 1984
STAT
Prepared For:
Office of Research and Development
Washington, D.C. 20505
SYTEK, Inc.
1225 Charleston Road
Mountain View, CA 94043
I
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
1. "INTRODUCTION ............................................. 1
1 . 1 Keywords. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. SIGNIFICANT ASPECTS OF THE GUARD SYSTEM PROJECT.......... 3
2.1 Hardware Domain Isolation ........................... 3
2.2 Processor per Domain Architecture ................... 3
2.3 Data Protection Using Cryptographic Sealing......... 4
2.4 Adherence to-Dissemination Policy.. ................. 4
2.5 New Informal Verification Techniques................ 4
2.6 Guard Test System Developed, ........................ 4
3. SYSTEM FUNCTIONAL OVERVIEW ............................... 5
3.1 Security Officer Interface Device ................... 5
3.2 Update Guard ........................................ 5
3.3 Online Guard .... ..........".......................... 6
3.4 Guard Test System. .................................. ?7
4. DEVELOPMENT .............................................. 8
4.1 Software ............................................ 8
4.2 Hardware Architecture ............................... 8
4.3 Software Architecture ............................... 9
4.4 Development Environment............................. 10
5. ON SITE TEST ENVIRONMENT ................................. 12
5.1 Guard Test System ................................... 12
5.2 Update Guard to Guard Test System Connection........ 12
6. VIRTUES REALIZED ......................................... 13
6.1 No Compromise in Security......... ... ............... 13
6.2 Ease of Software Modification.... 00000000000*0000000 13
6.3 Legitimate Traftic Modulation....................... 14
7. VERIFICATION ............................................. 15
7.1 Verification Technology............................. 16
7.1.1 The Guard System Verification Approach....... 16
7.1.2 Verification Review Board... ........ oo..oo... 20
7.1.3 Designing for Verification ................... 21
7.2 Project Management Issues ........................... 22
8. LtasONS LEARNED .......................................... 24
8.1 Project Management .................................. 24
8.2 Customer Coordination and Cooperation ............... 24
8.3 Means to Test the Guard System ...................... 25
8.4 Hardware Debugging .................................. 25
8.5 Establishment of Development Environment............ 26
9. CONCLUSION ............................................... 27
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
1. ;RTEQD TION
This document comprises the final report of the RECON Guard
System prototype guard device development and implementation
effort (Contract No. 81F77U4u0). The program has successfully
demonstrated all aspects of data security that were attempted.
Following the conclusion. of Customer confidence testing, the
Guard program demoastrated the feasibility and design of a com-
bined hardware and software device that insures data security is
maintained when a sensitive data base is connected to a user com-
munity over a network.
The concept is not dependent on either the network or data
base used in the demonstration project; rather it may be employed
in any situation where data is transmitted from one point to
another.
This technology represents an important advancement in the
arena of computer information and data security. The success of
this technology provides the means to revolutionize procedures
used historically to insure that improper access to sensitive
information is prevented. The Guard technology now allows the
automated sharing of multilevel information among various levels
of users with assurance that no information marked at a certain
level will be disseminated to a destination level that is inap-
propriate.
As demonstrated by this project, the desired security policy
is enforced without the need to trust existing computer systems
and associated application programs. It has been demonstrated
that the additional security provided by the Guard System tech-
nology may be applied to systems without disruption of current
operating procedures.
SYTEK TR-84010 - 1 - June 14, 1984
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
1.1 Keywords
? RECON
? COINS
? Guard System
* Data Security
? Multilevel Data Sharing
? Information Dissemination
? Processor Per Domain Architecture
? Hardware Kernal
? Hardware Isolation
? Cryptographic Sealing
? Authenticator
* Verification
? Security Policy
* Guard Test System
? Legitimate Tratfic Modulation
j SYTEK TR-84010 - 2 - June 14. 1984
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
2. NI ILA.N CTN TNE__GSIABD_E? PRQJECT
2.1 Idware Do _aain_lso ation
The Guard System architecture realizes three separate
domains which accomplish the isolation of the sensitive data base
from the user network connection. Two domains are used to inter-
face to the world external to the Guard System. One domain,
termed the User Side, deals exclusively with the Guard System's
communication with the network connection. Another domain,
termed the Data Side, deals exclusively with the Guard System's
communication with the the Data Base connection.
To enforce the security aspects of the Guard System, the
User and Data Side domains possess absolutely no means of commun-
icating with each other. Rather than rely on software techniques
to accomplish domain separation, the Guard System domain separa-
tion is completely enforced through its hardware architecture.
Since there is no communication between the User Side and
Data Side domains, there exists no condition under which the
software of the User Side and Data Side could alone or in concert
be written such that a compromise in security would be possible.
As a result, the User Side and Data Side software may be written
in any way that is convenient without the need of verification.
For this reason, these two domains may contain 'untrusted'
software without the possibility of compromising security.
The third domain is trustea in that it is responsible for
the enforcement of the chosen security policy. This domain,
termed the Master, communicates with the untrusted User Side and
Data Side connections and will pass information from one
untrusted domain to the other only it it has determined that the
passing information will not violate the security policy. The
Master domain must undergo verification (described later) due to
its security critical function.
2.2 Processor per Domajn_Architec re
The major hardware architectural innovation stems from the
realization of the three isolated domains by separate micropro-
cessor single board computers. Separate software runs indepen-
dently on each processor, and within the Guard System, each pro-
cessor communicates exclusively with the Master processor board.
The processor per domain architecture affords absolute
,separation of domains unlike attempts in the past where only one
processor under software control attempted to enforce isolation.
SYTEK TR-84010 - 3 - June 14, 1984
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
2.3 Data Protection Us in _Crrypto91apbj:cSealing
The integrity of sensitive information passing from the data
base to the network user is protected by a form of cryptographic
sealing that insures data has not been previously tampered with
following entry into the data base. Sensitive data is marked
with a cryptographic seal prior to entry into the data base. In
this demonstration project the marking function was accomplished
off-line using magnetic tapes, however, this need not be an off-
line process.
2.4 d e Dgg t-aissemination Policy
The combined etfect of verification of security critical system
software (verification demonstrates adherence to the security
policy), and the use of cryptographic sealing of record contents,
prevents the dissemination of records that are not approved for
release by the Security Officer.
2.5 aia_Inf ormal Veri gatiog_Technigues
A new software verification technique was employed that
assures the proper security function of software written for
security critical processors. The technique begins with defini-
tion of the system security policy which is: "Information
indelibly marked for distribution to specified communities is
disseminated only to those communities." A clear and concise
explanation of the verification technique may be found in the
Guard System Verification Report, SYTEK TR-84009, and later in
this document.
2.6 g u a r d_T .stY.sgLn~gYgl op e d
An external test environment was developed which allows full
testing of the Guard System's operational and security charac-
teristics. The GTS is capable of emulating functions of RECON
and COINS in each of tnree different configurations:
? Emulation of RECON only.
? Emulation of COINS only.
? Emulation of both RECON and COINS.
SYTEK TR-84010 - 4 - June 14, 1984
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
3. SYSTEM FU-QT AL_QVERVIELI
The object of the Guard System is to indelibly mark records
witn information that controls to whom the records may be dissem-
inated or released. This is accomplished by three major subsys-
tems:
? SOID - Security Officer Interface Device
? UDG - Update Guard
? OLG - Online Guard
3.1 Security Officer Intel face vice
The SOID is used by a security officer to establish releas-
able Categories based on the content of several key fields con-
tained in the records. The security officer will select two
numeric quantities called the Key and the Initial Value (IV)
which are used to compute a unique checksum or thenticAtoX-for
each record added to the data base. The Key is 56 bits in
length, and the IV is 64 bits in length. The Authenticator for
each individual record is a function of the Key, IV, and the
entire contents of the record. The Authenticator is 64 bits in
length. Only the security officer has knowledge of the Key and
IV.
The information entered by the Security Officer and pro-
cessed by the SOID is written into programmable read only memory
(PROM) semiconductor devices which are then installed into a spe-
cial purpose single board computer called the Authenticator Gen-
erator Board (AGB). The AGB's are within the trusted Master
domain.
3.2 Update Guard
The UDG uses an appropriate set of SOID produced data proms
each containing a Category Expression, Key, and IV, to compute
and append unique Authenticators to each record presented via an
input magnetic tape. The UDG will determine which (if any)
categories specified by the security officer match in turn the
specific contents of each record. If a matching category is
found, it is then permissible to mark that record for release
based on that category. The marking is accomplished by applying
a chain encryption algorithm to the record using the secret Key
and IV from the appropriate SOID data prom. If any particular
record matches no category of the set produced by the SOLD, a
null authenticator is appended to the record. Each record pro-
cessed by the UDG is written to an output tape that is subse-
quently loaded into the data base.
I SYTEK TR-84010 - 5 - June 14, 1984
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
3.3 Online Guard
The OLG accepts queries from prospective network users and
passes them on to the data base machine. All record responses
are subject to the filtering action of the OLG and one of two
possible actions will occur:
? RECORD RELEASE - Only if all of several conditions are met.
? RECORD DENIAL - If any of several conditions are not met.
The following are conaitions that must be met in order to
permit record release:
1. The OLG must contain at least one SOID data prom that has a
Category Expression matching the contents of the record's key
fields.
2. If one or more matches are found, the Authenticator for each
matching category is recomputed using the record's contents
and each respective Key and IV.
3. The computed Authenticators are compared with the Authentica-
tor contained in the record. If one and only one match
exists, the record may be released.
Conditions that lead to record denial include:
1. If no matches occur amongst the set of Category Expressions
contained in the OLG, a record is attempting to pass which the
security officer has determined may not be released over the
network connection.
2. If a matching category expression is found, and the computed
Authenticator does not match the Authenticator contained in
the record, the contents of the record have been altered at
some point between the UDG attaching the Authenticator and
presentation to the OLG device. This implies record tampering
either while entering into the data base, while in the data
base, or on its way out of the data base to the OLG separating
the data base from the user network.
If a record is releasable, it is sent on to the network
user. If a record is not releasable, it is written to a monitor
device for security reasons and no indication of any kind is sent
to the network user.
1 SYTEK TR-84010 - 6 - June 14, 1984
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
3.4 Guard Test Systern
The GTS consists of a set of programs written in the C
language running on a Momentum Hawk Unix system built around the
Motorola 68000 microprocessor.
The GTS possesses the ability to emulate either the user
network connection, the data base connection, or both at the same
time. The GTS employs a menu driven user interface and performs
the following functions:
? Operator transmission of any byte value to either the User or
Data sides of the guard.
? Operator creation of disc files containing user queries and
data base responses. This includes all IBM JCL and record
formats as observed during actual connection to the data base
machine.
? Automatic monitoring and display of all data into and out of
each of the Guard System's User Side and Data Side connec-
tions.
? Execution of operator specified test suite or command files.
All individual GTS command operations may be orchestrated to
execute automatically under GTS control and repeat continu-
ously for some operator specified time.
? When simulating the user network connection, the operator may
submit properly formed data base queries and observe responses
actually supplied by the Government's data base machine. Of
course the Guard System will be performing its required
filtering tunction.
? When simulating the data base connection, the operator may
supply IBM JCL and data base records contained in GTS disk
files to the Guard System for processing and possible release
to an actual user network connection and data base query.
I SYTEK TR-84010 - 7 - June 14, 1984
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
4. DEVELOPMENT
Guard system development began in 1982 with the completion
of"the Security Guard Device Functional Specification [1], April
1982, and the RECON Security Guard System Software Design Specif-
ication [2], January 1983.
4.1 Software
Software for seven different single board computers (SBC's)
was designed, coded, and tested:
* Update Guard Input Slave
? Update Guard Master
? Update Guard Output Slave
? Online Guard User Side
? Online Guard Master
? Online Guard Data Side
? Authenticator Generator Board
Software for the Guard Test System was designed, coded, and
tested.
4.2 Hardware Aritecture
With only one exception, the Guard System was built with
off-the-shelf hardware. A special board was designed and built
by Sytek called the Authenticator Generator Board (AGB) as no
commercially available equivalent existed.
The Security Officer Interface Device (SOID) consists of a
Wicat S/150 self-contained Unix microcomputer with attached prom
programmer for the creation of AGB data proms.
Both the UDG and OLG are built with Intel 86/12A single
board computers (SBC's) contained in a Multibus chassis. In
addition to the Intel SBC's, each chassis may contain several
AGB's which perform the chain encryption function.
An important concept of the Guard System hardware architec-
ture is the separate domains enforced in hardware. The three
domains in each of the UDG and OLG are as follows:
Online Guard: Untrusted Trusted Untrusted
User Side Master
AGB's
SYTEK TR-84010 - a -
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
Update Guard: Trusted Trusted Untrusted
Input Slave Master Output Slave
AGB's
The Master may transfer data to or from any other processor,
however no other processor may transfer data to or from any other
processor. Thus, for example, in the OLG, there is no way that
the User Side or Data Side may communicate with any other proces-
sor except the Master. Since the Master is considered a trusted
processor and the software executed by the processor is veritied,
absolute data security is enforced.
All communications between processors occurs via the Mul-
tibus chassis into which all processor boards are placed. As a
result of simple electrical modifications to the User Side, Data
Side, Input Slave, and Output Slave, Intel 86/12A boards, they
have no capability of initiating a bus request which is required
in order to communicate with other processors. Each of these
boards may respond to a request across the bus, however only the
Master is capable of initiating such a request. The AGB was
designed and manufactured by Sytek to have no facility to make
bus requests.
The purpose of the separate domains is to make possible the
interconnection of the dissimilar environments of the user net-
work connection and data base connection while insuring absolute
security. Since the User and Data side processors are not
trusted processors in that nothing they do can cause a compromise
in security, the software is free to be written in whatever way
necessary to accomplish the connections to their outside environ-
ments.
The UDG Input Slave is considered to be a trusted environ-
ment. It requires verification due to the need for unpacking
data base records from an IBM format tape prior to presentation
to the Master for possible authentication.
4.3 Software Ax-c itectu e
Each SBC contains all of its software programmed into pro-
grammable read only memory (PROM) held on board. Each SBC is
selt-contained, and there is no operating system or disc storage
devices in the Guard System.
All processors operate independently of each other and are
responsible for managing their own ability to communicate with
the outside world and the Master processor where appropriate.
I SYTEK TR-84010 - 9 - June 14, 1984
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
The software of each SBC is written in the Pascal language
with some extensions written in 8086 assembly language where
necessary. Pascal was chosen as it possesses properties that,
when applied, aid in software verification.
The following Pascal constructs prove useful in writing
software for systems that are to be verified:
? Block structured language.
? Restrictions on variable access.
? Structured data types.
? Ownership levels.
Great care was taken in the design of software that resides on
trusted processors as such software is requires verification.
From the beginning the need for verification was a primary con-
sideration in the design of the OLG and UDG Masters, and the AGB.
As a result of careful application of Pascal constructs and
attention to programming style by those writing actual software,
the trusted processors could be argued against their comprehen-
sive set of security assertions with relative ease.
Had the software design and programming effort on trusted
processors not been performed with verification strongly in mind,
it would be difficult, it not impossible, to assert and verify
the required security properties of the Guard System.
A fundamental design property of the Guard System is the
separation of domains into trusted and untrusted environments.
All security related properties of the Guard System are entrusted
to the secure domain of the Master and AGB's. Interconnection of
the Guard System to the external environment (the sensitive data
base and the user network) is performed within the two untrusted
domains of the User Side and Data Side processors. Since no
actions occurring in the untrusted domains can possibly cause a
compromise in security, the software on these processors may be
written in any way that is convenient and that permits proper
function. Typically the task of connecting to external environ-
ments is not a simple one. It is always a desirable goal to
minimize the amount of a system that requires verification.
Verification can be a slow and costly activity which, nonethe-
less, is required of a system serving a security critical func-
tion.
4.4 evelopmgnt Environment
All Guard System software was developed on a VAX 11-750
operating under Berkeley 4.1 Unix. The majority of the source
code for all SBC's was written in Pascal in order to aid in
verification tasks. Some assembly routines were written where
necessary.
SYTEK TR-84010 - 10 - June 14. 1984
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
All source code is maintained under source control provided
by VAX-Unix. The source control provided facilities for tracking
changes in source and insured a locking mechanism for source
integrity while under development.
A cross compiler, cross assembler.-and cross linker were
employed to enable complete software development in the multi
user environment of the VAX. Operations on the VAX culminate
with a downloadable object module suitable for use in a micropro-
cessor development environment.
Readied code modules would then be transmitted to an Intel
MDS/ICE-86 microcomputer development and emulation computer.
Debugging occurred on the MDS and ultimately the code sent from
the VAX is programmes into proms to be installed on the appropri-
ate SBC. All code is executed from on-board proms as there is no
disc storage or operating system in use.
While the development environment described provided good
controls, there were also drawbacks in the particular tools
employed. The cross compiler was found to have bugs that were
circumventea by choosing other equivalent Pascal syntax that
accomplished the same original goal. The chosen cross compiler
and associated software ran particularly slow and proved annoying
during rapid code development. As a result of the cross compila-
tion process, all higher level language symbols used in the
source code were lost by the time debugging was possible in the
MDS environment and thus examination of referenced memory proved
tedious. Due to the size of the code on each board, and the lim-
itations of the KIDS, even a simple code change will require the
time consuming process of reprogramming up to eight proms.
i SYTEK TR-84010 - 11 - June 14, 1984
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
5. ON SIZE TEST ELVjRONMENT
Two tools developed by Sytek and incorporated on site have
prdved invaluable in enabling integration and Government confi-
dence testing.
5.1 ward- Test S,yste
The GTS described earlier has provided a means to completely
test all functions of the Guard System without direct connection
to eitner the user network connection or the data base connec-
tion. In fact, acceptance testing of the Guard System's security
function was conducted using the GTS to drive the Guard prior to
the Government provision of either a user network or data base
connection.
Tools contained within the GTS have aided in the discovery
of actual data base system characteristics during Guard System
integration efforts.
The GTS has allowed Government confidence testing to proceed
without the need for both the user network and the Government
data base to be connected to the Online Guard at the same time,
or at all.
5.2 Update Guard to Guard Test System Connection.
The provision for special direct connection between the UDG
and the GTS was developed to enable actual records authenticated
to be included in the GTS collection of response records, as well
as to be loaded into the actual Government test data base.
By having identical records on the GTS during data base emu-
lation, the very same records used during network emulation may
again be usea.
I SYTEK TR-84010 - 12 - June 14, 1984
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
6. VIRTUE -AL.IZEL)
6.1 No Compo se in_.Secur.ity
The Guard System underwent numerous tests in attempts to
violate its security properties. Tests were independently per-
formed by Sytek personnel, the Government COTR, an impartial
Government representative (J. P. Anderson Co.), and the
Government's own security staff. At no time during testing did
the Guard System fail its security function.
Tests performed include, but were not limited to:
? Abnormal communications protocols.
? Abnormal record sequences.
? Abnormal record formats.
? Abnormal Guard System configurations.
? Record size boundary conditions.
? Tampering with record key field contents.
? Altering valid record message contents.
? Altering the Authenticator within records.
? Embedding messages in valid records.
In each and every case, the Guard System performed its secu-
rity function correctly without deviation.
6.2 Ease of Sg ft17.gX&_Qdif jcAtion
The modular design of the Guard System afforded separation
of logically dissimilar functions. This separation of function
and distributed processor per domain architecture isolated
changes necessary during testing and integration to a subset of
the entire Guard System.
In the case of all processors, structured design and coding
practices enable straightforward software changes. The most
volatile software environment during integration and testing con-
cerned the OLG Data Side which interfaces to the Government's
data base.
In order to connect to the Government data base, the Guard
System was required to appear as an IBM remote job entry (RJE)
station consisting of a card-reader/printer-punch device. All
emulation of such a device was performed by the untrusted Data
Side slave processor. Many iterations were required during
integration to adjust the Data Side's ability to converse in
acceptable IBM JCL language commands. As each new JCL quirk was
discovered, changes to the Data Side code were trivial to imple-
ment.
A SYTEK TR-84010 - 13 - June 14, 1984
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-009728000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
During integration it was found that the format of linear
data base records read from the IBM input tape into the UDG dif-
fered from the format of linear records returned in IBM format
from the Government's data base machine. This discrepancy was
discovered as valid releasable records were not being released by
the Guard System due to the difference in record formats. The
Guard System was again demonstrating its security function. A
simple correction was made in both the Update and Online Guards
to provide for this difference.
Due to the modular and structured design of the Guard System
software, when the two different formats of the DN.SO field sur-
faced, a correction to accommodate both field formats was
minimal. Due to the organization of the Guard System software,
and the methods employed in the verification effort, there was
virtually no effect to the software verification resulting from
this change.
When an operational Host Access System (HAS) exists, any
changes found necessary during integration will have no effect on
any trusted software, or the untrusted Data Side.
6.3 Legitimate Traf ,c_ ooduiation
Legitimate traffic modulation is a technique where an
attempt may be made to pass information by encoding the informa-
tion in what otherwise is normal system operation. For example,
a status return line could be modulated to encode information
represented by the timing of the status request and return, or
the number of times a particular status is returned with respect
to another particular status.
The Guard System has been designed to limit the bandwidth of
legitimate traffic module to such an extent that it is impracti-
cal to attempt to pass information in this manner. It would be
far more practical for someone who desires to pass information to
physically copy or remove the information from one environment,
and carry it to the other environment. Classical security pro-
cedures deal well with physical movement of sensitive informa-
tion.
SYTEK TR-84010 - 14 - June 14, 1984
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
7. VERIULATION
The verification of the Guard System is a rigorous review of the
system which demonstrates that it meets particular security
requirements. Verification demonstrates that Na system specifi-
cation is consistent with (i.e. enforces) a certain security
model, or that a lower level specification corresponds to (is a
correct refinement of) a higher level specification." [14] In
the case of the Guard System, the trusted software is shown,
through intermediate levels, to satisfy the system security
requirements.
While massive reports are often produced to document the
verification effort (e.g. [10]), the true, intangible product of
verification is a degree of assurance that the implementation of
the system is consistent with the security requirements of that
system. Trade-offs must be made for each application, e.g.
between system development cost (including verification) and
degree of assurance. No general purpose verification methodology
has been identified which is optimal for all applications, for
all security policies, and for all budgets. What Sytek has
attempted to do for the Guard System is specify the optimal
verification methodology for the particular application.
The verification of the Guard System was jnfQgmal. Informal
verification demonstrates the consistency between each level of
specification in precise prose. This is in contrast to formal
verificatiof, where the specifications are structured to allow
mathematical analysis, and formal, mathematical techniques are
used for the verification.
The verification was performed in three Phases. In Phase It
subpolicies were defined for each of the online and Update
Guards, and these subpolicies, taken together, were shown to
imply the overall system security policy. Phase II further
refined these subpolicies into sets of assertions about the
behavior of the trusted software, and these assertions were shown
to imply the corresponaing subpolicies. Phase III then showed
that the trusted software satisfied the corresponding assertions,
completing the demonstration that the Guard System implementation
(in the form of software) enforces the system security policy.
The following sections discuss various aspects of the verit-
ication effort for the Guard System, and verification technology
in general, as outlined below:
* Verification Technology
? Project Management Issues
The section regarding verification technology addresses the
approach taken to the Guard System verification. The strengths
and weaknesses of the approach taken are discussed in this
A SYTEK TR-84010 - 15 - June 14, 1984
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
I l
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
section, along with the impact of the verification upon the
overall system implementation. The section pertaining to manage-
ment issues highlights those aspects of project management for
the Guard System which were affected by the verification effort,
and emphasizes some considerations for future projects requiring
verification.
7.1 Verificatii n Technology
Verification technology refers to the analytical method of veri-
fying a system. This section, then, addresses the verification
method used for the Guard System. The strengths and weaknesses
of the method used are discussed here, along with the impact of
the verification upon the overall system implementation.
First, the approach taken to the verification of the Guard
System is described. The issues of an informal (precise prose)
verification, hardware isolation of the trusted domain, and the
phased approach to verification are discussed here. The sections
which follow this section describe the strengths and weaknesses
of the methodology used, and of the resulting verification argu-
ments.
7.1.1 The Guard_System Verification App ac
There are tnree key aspects to the approach taken to verifying
the Guard System. The first aspect, already mentioned briefly,
is the informal metnoaology (arguments stated in precise prose)
used to demonstrate the consistency between the top level specif-
ications and the security policy, and between succeeding levels
of specifications. Note that in this context, the software
source code is a low level specification for the Guard System.
The second key aspect to the Guard System verification is
the hardware isolation of the trusted domain. By isolating the
trusted domain, which contains the software critical to enforcing
the system security policy, only the software in that trusted
domain needs to be verified. By isolating the trusted domain in
hardware, instead of in software, it requires little effort to
demonstrate that the isolation of domains is maintained.
The third of the three key aspects to this verification
effort is the phased approach. This approach refined the system
security policy into lower level specifications, which were then
shown to be consistent with the Guard System software. This
approach was necessary because of the difficulty of directly
demonstrating the correspondence between the top level specifica-
tion and the code, as is done in the typical verification
approach.
The Typical Verification ADDLo I
In order to understand the significance of these three aspects
with regard to the verification, it is important to understand
the typical verification approach. The following figure shows a
`i SYTEK TR-84010 - 16 - June 14, 1984
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
model of the typical verification approach.
SECURITY
POLICY
II
II
\/
I I
FUNCTIONAL I SECURITY I
REQUIREMENTS I MODEL I
I I I ~I
II /\
II II
II II
\/ \/
I I
I FORMAL I
I TOP LEVEL SPECIFICATION I
I I
I SOURCE CODE I
I - - -I
v
OBJECT CODE
Design Verification
Spec-code Correspondence
Figure 1. Typical Verification Approach
As the figure illustrates, the typical verification approach
attempts to directly demonstrate the correspondence between the
top level specification and the source code. Veritication that
the source code corresponds to this higher level specification
"is very difficult with available tools and usually requires con-
siderable human intervention." [14] Thus it either requires con-
siderable resources, or (more often) the demonstration of
correspondence is weak.
The typical approach is effective for assuring that the top
level specification is consistent with the system security pol-
icy, but weak in assuring that the actual implementation (as
represented by the source code) corresponds to the top level
specification, and therefore also to the system security policy.
Analogous to the adage that a chain is only as strong as its
weakest link, the code-to-policy verification is only as strong
as the code-to-specification verification, which has been shown
ja SYTEK TR-84010 - 17 - June 14, 1984
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
to be relatively weak for the typical approach.
Th-2--g-gard-,$-Yftg-m~V-e-K-if'-cA-t-i-QD Approach
A more balanced approach was taken for the Guard System verifica-
tion. As shown in the figure below, two parallel processes occur
in tnis approach.
SECURITY REQUIREMENTS SOFTWARE DESIGN
DECOMPOSITION DECOMPOSITION
SYSTEM SECURITY
POLICY
FUNCTIONAL SPECIFICATIONS
v / I
SECURITY SUBPOLICIES Assertions => Subpolicy => System Security
Policy
Figure 3. Three Phases of Verification
By retining the system security policy into intermediate forms,
the wide gap between the top level specification and the source
code of the typical verification is narrowed. Phase I showed
that the subpolicies, derived from the system security policy and
the functional specifications, were consistent with the security
policy. Phase II further showed that the assertions, derived
from the subpolicies and the detailed design specifications, were
consistent with the subpolicies and therefore also with the sys-
tem security policy itself.
Finally, Phase III demonstrated that the source code was
consistent with the assertions, and therefore was also consistent
with the system security policy. This final phase was effective
because the intermediate security policy, as reflected in the
assertions, was designed to satisfy the security policy within
the limits of the software design, i.e. because it was designed
to apply directly to the source code.
Eva uati t eGuard__kystgm VeL1U.Q.4tj n TecbDi_Ua
A comparison between the typical verification and that done for
the Guard System emphasizes two points. The design verification
for the Guard System was not automated nor strictly algorithmic,
as for formal verification, so human error could be significant.
Precise prose was attempted in the Guard design verification
(Phases I & II) to prevent ambiguity and reduce human error, but
this technique is still prone to such error. The verification
that the code satisfied the security policy (Phase III) provided
greater assurance for the Guard System approach, however, since
the verification arguments are generally simple and clear to the
reviewer.
Since the weakest link in the Guard System verification
chain is stronger than the weakest link in the typical verifica-
tion chain, the overall chain is stronger. The advantages of the
Guard verification technique can be summarized as follows:
? The Guard verification technique provides clear correspon-
dence to the code level.
? The Guard technique emphasized the system security require-
ments throughout the design and implementation of the Guard.
11 SYTEK TR-84010 - 19 - June 14, 1984
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Declassified in Part - Sanitized Copy Approved for Release 2012/08/21 : CIA-RDP95-00972R000100100012-7
Guard System Final Report
? The verification at each level was consistently demon-
strated, improving the overall credibility of the verifica-
tion from policy to implementation.
It is important to remember that the Guard System verification
approach was selected based on this particular application.
Specifically, the small size and simplicity of the system enabled
this approach to be successful, as well as economically feasible.
For other applications, it would be important to maintain a bal-
anced approach; perhaps a combined methoaology of formal design.
verification (using automated tools) and an informal verification
from the code to a refined security policy specification. As
more tools become available, an automated verification to the
code level would be desirable.
7.1.2 Verification $yj