Mathematics, technology, and trust: Formal verification, computer security, and the U.S. Military

IEEE Annals of the History of Computing

Volumn 19, Issue 3, 1997, Pages 41-59

  Mackenzie, Donald ^a   Pottinger, Garrel ^b  

^a UNIVERSITY OF EDINBURGH   (United Kingdom)

^b Digicomp Research Corp   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

MATHEMATICAL MODELS; TIME SHARING SYSTEMS; COMPUTER SYSTEMS; CRYPTOGRAPHY; HISTORY; TECHNOLOGY;

BELL LAPADULA MODEL; SECURITY KERNEL; DEDUCTIVE VERIFICATION; FORMAL VERIFICATION; INTERTWINING;

SECURITY OF DATA;

EID: 0031173082     PISSN: 10586180     EISSN: None     Source Type: Journal    
DOI: 10.1109/85.601735     Document Type: Article

References (145)

1. See, e.g., General Accounting Office, Information Security: Computer Attacks at Department of Defense Pose Increasing Risks. Washington, D.C.: General Accounting Office, 1986, GAO/AIMD-96-84.
2. For a good description of batch operation and of the shift to time-sharing, see A.L. Norberg and J.E. O'Neill, A History of the Information Processing Techniques Office of the Defense Advanced Research Projects Agency. Minneapolis, Minn.: Charles Babbage Institute, Oct. 1992, chapter 1 and appendix 1; an amended version of this report has been published as Transforming Computer Technology; Information Processing for the Pentagon, 1962-1986. Baltimore, Md.: Johns Hopkins Univ. Press, 1996.
3. For a good description of batch operation and of the shift to time-sharing, see A.L. Norberg and J.E. O'Neill, A History of the Information Processing Techniques Office of the Defense Advanced Research Projects Agency. Minneapolis, Minn.: Charles Babbage Institute, Oct. 1992, chapter 1 and appendix 1; an amended version of this report has been published as Transforming Computer Technology; Information Processing for the Pentagon, 1962-1986. Baltimore, Md.: Johns Hopkins Univ. Press, 1996.
4. K.L. Wildes and N.A. Lindgren, A Century of Electrical Engineering and Computer Science at MIT, 1882-1982. Cambridge, Mass.: MIT Press, 1985, p. 348. Project MAC had wider aims, captured in the alternative version of the acronym, Machine-Aided Cognition, for which see, e.g., Norberg and O'Neill, Transforming Computer Technology, and P.N. Edwards, The Closed World: Computers and the Politics of Discourse in Cold War America. Cambridge, Mass.: MIT Press, 1996.
5. K.L. Wildes and N.A. Lindgren, A Century of Electrical Engineering and Computer Science at MIT, 1882-1982. Cambridge, Mass.: MIT Press, 1985, p. 348. Project MAC had wider aims, captured in the alternative version of the acronym, Machine-Aided Cognition, for which see, e.g., Norberg and O'Neill, Transforming Computer Technology, and P.N. Edwards, The Closed World: Computers and the Politics of Discourse in Cold War America. Cambridge, Mass.: MIT Press, 1996.
6. K.L. Wildes and N.A. Lindgren, A Century of Electrical Engineering and Computer Science at MIT, 1882-1982. Cambridge, Mass.: MIT Press, 1985, p. 348. Project MAC had wider aims, captured in the alternative version of the acronym, Machine-Aided Cognition, for which see, e.g., Norberg and O'Neill, Transforming Computer Technology, and P.N. Edwards, The Closed World: Computers and the Politics of Discourse in Cold War America. Cambridge, Mass.: MIT Press, 1996.
7. See, for example, J.B. Dennis, "Segmentation and the Design of Multiprogrammed Computer Systems," J. ACM, vol. 12, pp. 589-602, esp. 599, 1965.
8. Norberg and O'Neill, A History of the Information Processing Techniques Office of the Defense Advanced Research Projects Agency; K.C. Redmond and T.M. Smith, Project Whirlwind: The History of a Pioneer Computer Bedford, Mass.: Digital Press, 1980; C. Baum, The System Builders: The Story of SDC. Santa Monica, Calif.: System Development Corporation, 1981; Edwards, The Closed World.
9. Norberg and O'Neill, A History of the Information Processing Techniques Office of the Defense Advanced Research Projects Agency; K.C. Redmond and T.M. Smith, Project Whirlwind: The History of a Pioneer Computer Bedford, Mass.: Digital Press, 1980; C. Baum, The System Builders: The Story of SDC. Santa Monica, Calif.: System Development Corporation, 1981; Edwards, The Closed World.
10. Norberg and O'Neill, A History of the Information Processing Techniques Office of the Defense Advanced Research Projects Agency; K.C. Redmond and T.M. Smith, Project Whirlwind: The History of a Pioneer Computer Bedford, Mass.: Digital Press, 1980; C. Baum, The System Builders: The Story of SDC. Santa Monica, Calif.: System Development Corporation, 1981; Edwards, The Closed World.
11. Norberg and O'Neill, A History of the Information Processing Techniques Office of the Defense Advanced Research Projects Agency; K.C. Redmond and T.M. Smith, Project Whirlwind: The History of a Pioneer Computer Bedford, Mass.: Digital Press, 1980; C. Baum, The System Builders: The Story of SDC. Santa Monica, Calif.: System Development Corporation, 1981; Edwards, The Closed World.
12. H.H. Goldstine, The Computer from Pascal to von Neumann. Princeton, N.J.: Princeton Univ. Press, pp. 253, 306-307, 314, 1972.
13. W.H. Ware, personal communication to D. MacKenzie, 17 Oct. 1996.
14. W.H. Ware, "Security and Privacy in Computer Systems," AFIPS Conf. Proc., Spring Joint Computer Conf. Washington, D.C.: Thompson Books, vol. 30, pp. 279-282, at p. 279, 1967.
15. B. Peters, "Security Considerations in a Multi-Programmed Computer System," AFIPS Conf. Proc., Spring Joint Computer Conf. Washington, D.C.: Thompson Books, 1967, vol. 30, pp. 283-286, at p. 283, 1967.
16. E.W. Pugh, L.R. Johnson, and J.H. Palmer, IBM's 360 and Early 370 Systems. Cambridge, Mass.: MIT Press, pp. 362-363, 1991.
17. Peters, "Security Considerations," p. 283.
18. Peters, "Security Considerations," p. 283.
19. Peters, "Security Considerations," pp. 283 and 285, emphasis in original.
20. W.H. Ware, personal communication to D. MacKenzie, 17 Oct. 1996.
21. W.H. Ware, ed., Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security. Santa Monica, Calif.: Rand Corporation, Feb. 1970, R-609. Originally classified "confidential," the report was declassified in Oct. 1975. The quotations are from Ware's foreword to the version reissued by Rand in Oct. 1979 and from p. 18 of the latter.
22. Ibid., pp. 36, 8, and 29, respectively.
23. R. Schell, telephone interview by G. Pottinger, 10 Oct. 1993.
24. W.H. Ware, personal communication to D. MacKenzie, 21 Oct. 1996.
25. J.P. Anderson, Computer Security Technology Planning Study. Bedford, Mass.: HQ Electronic Systems Division, U.S. Air Force, 1972, ESDF-TR-73-51, vol. 1, pp. 3 and 33.
26. Ibid, footnote 9, footnote 14.
27. R.R. Schell, "Computer Security: The Achilles' Heel of the Electronic Air Force?" Air Univ. Rev., vol. 30, pp. 16-33, at pp. 28-29, Jan.-Feb. 1979.
28. G. Pottinger, Proof Requirements in the Orange Book: Origins, Implementation, and Implications, typescript p. 39, Feb. 1994.
29. Anderson panel, op. cit., p. 15.
30. W.L. Schiller, Design of a Security Kernel for the PDP-11/45. Bedford Mass.: Electronic Systems Division, Dec. 1973, ESD-TR-73-294; Schell, "Computer Security," op. cit., p. 28; Wildes and Lindgren, A Century, op. cit., p. 300.
31. W.L. Schiller, Design of a Security Kernel for the PDP-11/45. Bedford Mass.: Electronic Systems Division, Dec. 1973, ESD-TR-73-294; Schell, "Computer Security," op. cit., p. 28; Wildes and Lindgren, A Century, op. cit., p. 300.
32. W.L. Schiller, Design of a Security Kernel for the PDP-11/45. Bedford Mass.: Electronic Systems Division, Dec. 1973, ESD-TR-73-294; Schell, "Computer Security," op. cit., p. 28; Wildes and Lindgren, A Century, op. cit., p. 300.
33. R.R. Schell, "Computer Security: The Achilles Heel of the Electronic Air Force?" Air Univ. Rev., vol. 30, pp. 16-33, at p. 31, Jan.-Feb. 1979.
34. P.A. Karger, M.E. Zurko, D.W. Bonin, A.H. Mason, and C.E. Kahn, "Retrospective on the VAX VMM Security Kernel," IEEE Transactions on Software Engineering, vol. 17, pp. 1,147-1,165, at p. 1,159, 1991, emphasis in original.
35. Schell interview, op. cit.
36. Schell "Computer Security," op. cit., p. 29.
37. Ware report, op. cit., p. 48.
38. C. Weissman, "Security Controls in the ADEPT-50 Time-Sharing System," Proc. FJCC, vol. 5, pp. 119-131, quotation at p. 122, 1969.
39. Anderson panel, op. cit., vol. 1, p. 4.
40. K.G. Walter, W.F. Ogden, W.C. Rounds, F.T. Bradshaw, S.R. Ames, and D.G. Shumway, Primitive Models for Computer Security. Bedford, Mass.: Air Force Electronic Systems Division, 25 Jan. 1974, AD-778 467.
41. D.E. Bell and L.J. LaPadula, Secure Computer Systems: Mathematical Foundations. Bedford, Mass: Air Force Electronic Systems Division, Nov. 1973, ESD-TR-73-278, vol. 1; L.J. LaPadula, personal communication to D. MacKenzie, 29 Oct. 1996; M.D. Mesarovic, D. Macko, and Y. Takahara, Theory of Hierarchical, Multilevel, Systems. New York: Academic Press, 1970.
42. D.E. Bell and L.J. LaPadula, Secure Computer Systems: Mathematical Foundations. Bedford, Mass: Air Force Electronic Systems Division, Nov. 1973, ESD-TR-73-278, vol. 1; L.J. LaPadula, personal communication to D. MacKenzie, 29 Oct. 1996; M.D. Mesarovic, D. Macko, and Y. Takahara, Theory of Hierarchical, Multilevel, Systems. New York: Academic Press, 1970.
43. D.E. Bell and L.J. LaPadula, Secure Computer Systems: Mathematical Foundations. Bedford, Mass: Air Force Electronic Systems Division, Nov. 1973, ESD-TR-73-278, vol. 1; L.J. LaPadula, personal communication to D. MacKenzie, 29 Oct. 1996; M.D. Mesarovic, D. Macko, and Y. Takahara, Theory of Hierarchical, Multilevel, Systems. New York: Academic Press, 1970.
44. D.E. Bell and L.J. LaPadula, Secure Computer Systems: A Mathematical Model Bedford, Mass: Air Force Electronic Systems Division. Nov. 1973, ESD-TR-73-278, vol. 2, p. 15.
45. Anderson panel, op. cit., vol. 2, p. 62.
46. D.E. Bell and L.J. LaPadula, Secure Computer Systems: A Mathematical Model, op. cit., vol. 2. p. 17.
47. D.E. Bell and L.J. LaPadula, Secure Computer System: Unified Exposition and Multics Interpretation. Bedford, Mass: Air Force Electronic Systems Division, Mar. 1976, ESD-TR-75-306, p. 17.
48. Ibid., 94, pp. 19-21.
49. Ibid., pp. 64-73.
50. Schell, "Computer Security," op. cit., p. 29.
51. P. Naur and B. Randell, eds., Software Engineering: Report of a Conference Sponsored by the NATO Science Committee. Brussels: NATO Scientific Affairs Division, p. 120, 1969.
52. E. Peláez, A Gift From Pandora's Box: The Software Crisis. PhD thesis, Univ. of Edinburgh, 1988.
53. Peters, "Security Considerations," op. cit., p. 285.
54. C.E. Landwehr, "The Best Available Technologies for Computer Security," Computer, vol. 16, pp. 86-100, at p. 96, 1983.
55. Anderson panel, op. cit., 10.
56. R.J. Feiertag. A Technique for Proving Specifications Are Multi-Level Secure. Menlo Park, Calif.: SRI Computer Science Laboratory, Jan. 1980, CSL-109.
57. L. Robinson and K.N. Levitt, "Proof Techniques for Hierarchically Structured Programs," Comm. ACM, vol. 20, pp. 271-283, 1977.
58. P.G. Neumann, R.S. Boyer, R.J. Feiertag, K.N. Levitt, and L. Robinson, A Provably Secure Operating System: The System, Its Applications, and Proofs. Menlo Park, Calif.: SRI Computer Science Laboratory, May 1980, CSL 116.
59. R.J. Feiertag and P.G. Neumann, "The Foundations of a Provably Secure Operating System (PSOS)," National Computer Conference. New York: AFIPS, 1979, pp. 329-343.
60. P. Neumann interviewed by A.J. Dale, Menlo Park, Calif., 25 Mar. 1994.
61. Neumann et al., op. cit., p. 2.
62. Landwehr, "Technologies for Computer Security," op. cit., p. 96.
63. Landwehr, "Technologies for Computer Security," op. cit., p. 97.
64. Jelen, "Information Security," op. cit., pp. III-83 to III-91.
65. D.E. Bell, "Concerning 'Modelling' of Computer Security," IEEE Computer Society Symp. Security and Privacy, 1988, pp. 8-13, at p. 12.
66. D.E. Bell, Secure Computer Systems: A Refinement of the Mathematical Model. Bedford, Mass.: Air Force Electronic Systems Division, Apr. 1974, ESD-TR-73-278, vol. 3, pp. 29 and 31.
67. This example is taken from G. Pottinger, Proof Requirements in the Orange Book, op. cit., p. 46.
68. We draw these examples from Feiertag and Neumann, "Foundations of PSOS," p. 333.
69. A term used, e.g., by G.H. Nibaldi, Proposed Technical Evaluation Criteria for Trusted Computer Systems. Bedford, Mass.: Mitre Corporation, Oct. 1979, M79-225, p. 9.
70. B.W. Lampson, "A Note on the Confinement Problem," Comm. ACM, vol. 16, pp. 613-615, 1973.
71. Schiller et al., "Design of a Security Kernel," op. cit., p. 7; C.E. Landwehr, "Formal Models for Computer Security," Computing Surveys, vol. 13, pp. 247-278, at p. 252, Sept. 1981.
72. Schiller et al., "Design of a Security Kernel," op. cit., p. 7; C.E. Landwehr, "Formal Models for Computer Security," Computing Surveys, vol. 13, pp. 247-278, at p. 252, Sept. 1981.
73. Bell and LaPadula, Unified Exposition and Multics Interpretation, pp. 67ff.
74. See, e.g., M. Schaefer, B. Gold, R. Linde, and J. Scheid, "Program Confinement in KVM/370," ACM 77: Proceedings of the Annual Conference. New York: Association for Computing Machinery 1977, pp. 404-410; J.T. Haigh, R.A. Kemmerer, J. McHugh, and W.D. Young, "An Experience Using Two Covert Channel Analysis Techniques on a Real System Design," IEEE Transactions on Software Engineering, vol. 13, pp. 157-168, 1987.
75. See, e.g., M. Schaefer, B. Gold, R. Linde, and J. Scheid, "Program Confinement in KVM/370," ACM 77: Proceedings of the Annual Conference. New York: Association for Computing Machinery 1977, pp. 404-410; J.T. Haigh, R.A. Kemmerer, J. McHugh, and W.D. Young, "An Experience Using Two Covert Channel Analysis Techniques on a Real System Design," IEEE Transactions on Software Engineering, vol. 13, pp. 157-168, 1987.
76. See, e.g., J.K. Millen, "Security Kernel Validation in Practice," Comm. ACM, vol. 19, pp. 244-250, 1976.
77. M.A. Harrison, W.L. Ruzzo, and J.C. Ullman, "Protection in Operating Systems," Comm. ACM, vol. 19, pp. 461-471, at p. 470, 1976.
78. Schaefer et al., "Program Confinement in KVM/370," op. cit., p. 409.
79. See D. Kahn, The Codebreakers. London: Sphere, 1973; and J. Barnford, The Puzzle Palace: A Report on America's Most Secret Agency. Boston: Houghton Mifflin, 1982.
80. See D. Kahn, The Codebreakers. London: Sphere, 1973; and J. Barnford, The Puzzle Palace: A Report on America's Most Secret Agency. Boston: Houghton Mifflin, 1982.
81. G.F. Jelen, Information Security: An Elusive Goal. Cambridge, Mass.: Harvard Univ., Center for Information Policy Research, June 1985, P-85-8, pp. III-43, I-II.
82. Ibid., I.11.
83. Norberg and O'Neill, Transforming Computer Technology.
84. Anderson panel, op. cit., vol. 1, p. 4, parenthetical remark in original.
85. Jelen, Information Security, op. cit., pp. i and II-74 to II-75.
86. Jelen, Information Security, op. cit., p. II-75.
87. S.T. Walker, interviewed by G. Pottinger, Glenwood, Md., 24 Mar. 1993.
88. Jelen, Information Security, op. cit., p. II-79.
89. Walker interview, op. cit.
90. "A Plan for the Evaluation of Trusted Computer Systems," type-script, 22 Feb. 1980, reprinted in Jelen, Information Security, op. cit., pp. V-2 to V-9.
91. Walker interview.
92. Ibid.
93. Walker, quoted by Jelen, Information Security, op. cit., p. II-81.
94. Admiral B.R. Inman, as interviewed by G. Jelen, as quoted in Jelen, Information Security, op. cit., p. II-81.
95. S.T. Walker, personal communication to D. MacKenzie, 22 Aug. 1996.
96. F.C. Carlucci, Department of Defense Directive 5215.1, "Computer Security Evaluation Center," 25 Oct. 1982, reproduced in Jelen, Information Security, op. cit., pp. V-11 to V-17.
97. G.H. Nibaldi, Proposed Technical Evaluation Criteria for Trusted Computer Systems. Bedford, Mass.: Mitre Corporation, Oct. 1979, M79-225, p. 37.
98. S.T. Walker, "Thoughts on the Impact of Verification Technology on Trusted Computer Systems (and Vice Versa)," Software Engineering Notes, vol. 5, p. 8, July 1980.
99. W.D. Young and J. McHugh, "Coding for a Believable Specification to Implementation Mapping," IEEE Computer Society Symp. Security and Privacy, pp. 140-148, at p. 140, Washington, D.C., 1987, emphasis in original.
100. Department of Defense, Trusted Computer System Evaluation Criteria. Washington, D.C.: Department of Defense, Dec. 1985, DOD 5200.28-STD, pp. 19, 26, 40, and 50.
101. R.S. Boyer and J.S. Moore, "Program Verification," J. Automated Reasoning, vol. 1, pp. 17-23, at p. 22, 1985.
102. Neumann interview, op. cit.
103. Pottinger, Proof Requirements in the Orange Book, op. cit.
104. T.C.V. Benzel, "Verification Technology and the A1 Criteria," Software Engineering Notes, vol. 10, pp. 108-109, at p. 109, Aug. 1985.
105. For descriptions of them, see M.H. Cheheyl, M. Gasser, G.A. Huff, and J.K. Millen, "Verifying Security," Computing Surveys, vol. 13, pp. 279-339, Sept. 1981.
106. Walker interview, op. cit.
107. C. Weissman, personal communication to G. Pottinger, 18 Dec. 1993.
108. Ibid.
109. C. Weissman, "Blacker: Security for the DDN. Examples of A1 Security Engineering Trades," IEEE Computer Society Symp. Research in Security and Privacy, pp. 286-292, at p. 289, 1992. This paper was presented by Weissman to the 1988 IEEE Symp. Research and Privacy, but "not published at that time because of a four year rescission of publication release," ibid., p. 286.
110. C. Weissman, "Blacker: Security for the DDN. Examples of A1 Security Engineering Trades," IEEE Computer Society Symp. Research in Security and Privacy, pp. 286-292, at p. 289, 1992. This paper was presented by Weissman to the 1988 IEEE Symp. Research and Privacy, but "not published at that time because of a four year rescission of publication release," ibid., p. 286.
111. Ibid., p. 289.
112. Weissman electronic mail, op. cit.
113. Weissman, "Blacker," op. cit., p. 291.
114. National Research Council, System Security Study Committee, Computers at Risk: Safe Computing in the Information Age. Washington, D.C.: National Academy Press, 1991, p. 195.
115. S. Lipner, personal communication to G. Pottinger, 22 Oct. 1993.
116. P.A. Karger, M.E. Zurko, D.W. Bonin, A.H. Mason, and C.E. Kahn, "Retrospective on the VAX VMM Security Kernel," IEEE Transactions on Software Engineering, vol. 17, pp. 1,147-1,165 at p. 1.147, 1991.
117. Ibid., p. 1,163.
118. Lipner, personal communication, op. cit.
119. Karger et al., "A Retrospective," op. cit., p. 1,163.
120. Lipner, personal communication, op. cit.
121. Karger et. al., "A Retrospective," op. cit., p. 1,163.
122. Lipner, personal communication, op. cit.
123. C. Bonneau, telephone interview by G. Pottinger, 20 Nov. 1993.
124. Ibid.
125. National Research Council, Computers at Risk, op. cit., p. 143.
126. Bonneau interview, op. cit.
127. National Research Council, Computers at Risk, op. cit., p. 154.
128. Walker interview, op. cit.
129. Benzel, "Verification Technology," op. cit., p. 108.
130. Karger et al., "A Retrospective," p. 1,156.
131. Common Criteria for Information Technology Security Evaluation. Cheltenham, Gloucesteshire, U.K., IT Security and Certification Scheme, 1996.
132. Walker interview, op. cit.
133. Pottinger, Proof Requirements in the Orange Book, op.cit., pp. 16-17.
134. D.D. Clark and D.R. Wilson, "A Comparison of Commercial and Military Computer Security Policies," IEEE Computer Society Symp. Security and Privacy, pp. 184-194, Apr. 1987.
135. K.J. Biba, Integrity Considerations for Secure Computer Systems. Bedford, Mass.: Air Force Electronic Systems Division, 1977, ESDTR-76-372.
136. C.E. Landwehr, C.L. Heitmeyer, and J. McLean, "A Security Model for Military Message Systems," ACM Trans. Computer Systems, vol. 2, pp. 198-222, 1984.
137. J. McLean, "A Comment on the 'Basic Security Theorem' of Bell and LaPadula," Information Processing Letters, vol. 20, pp. 67-70, 1985.
138. J.A. Goguen and J. Meseguer, "Security Policies and Security Models," Proc. Berkeley Conf. Computer Security. Los Alamitos, Calif.: IEEE CS Press, 1982, pp. 11-22.
139. T. Fine, J.T. Haigh, R.C. O'Brien, and D.L. Toups, "Noninterference and Unwinding for LOCK," Computer Security Foundation Workshop, Franconia, N.H., 11 June 1989. For a description of LOCK, see National Research Council, Computers at Risk, op. cit., pp. 251-252. LOCK is now known as the Secure Network Server, and the Honeywell division responsible for it is now the Secure Computing Corporation.
140. T. Fine, J.T. Haigh, R.C. O'Brien, and D.L. Toups, "Noninterference and Unwinding for LOCK," Computer Security Foundation Workshop, Franconia, N.H., 11 June 1989. For a description of LOCK, see National Research Council, Computers at Risk, op. cit., pp. 251-252. LOCK is now known as the Secure Network Server, and the Honeywell division responsible for it is now the Secure Computing Corporation.
141. C.T. Sennett, Formal Methods for Computer Security. Malvern, Worcestershire, U.K.: Defence Research Agency, 1995, typescript, p. 2.
142. National Research Council, Computers at Risk, op cit.
143. See, e.g., General Accounting Office, Information Security, op. cit.
144. Anon, "Microsoft Admits Limited NT Security," Computing, 4 July 1996, p. 3.
145. P. Mellor, Boeing 777 Avionics Architecture: A Brief Overview. London: City Univ. Centre for Software Reliability, 1995, typescript.