Abstract
This paper describes the architecture of a prototype multilevel secure windowing system based on the X Window System. The prototype, known as TX, is designed to meet the class B3 architectural requirements of the Trusted Computer System Evaluation Criteria (TCSEC). The architecture and prototype described here demonstrate that high assurance windowing technology is feasible.
The TX architecture is based on the encapsulation of untrusted functionality, such as that contained in an ordinary X server, using a relatively small amount of trusted application code. The untrusted functionality is then polyinstantiated, that is, replicated once for each active sensitivity level. This combines high assurance with complex functionality while reducing the evaluation effort to a tractable level. The architecture of TX is described, and its information flow and visible labeling security policies are discussed. The trade-offs that were made to maintain assurance while achieving other software engineering goals are considered. TX is compared with several other trusted windowing systems.
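A toy model of the architecture the abstract describes, added here as an illustration and not code from the TX prototype: a small trusted core owns the labels and mediates every cross-level transfer, while one untrusted server object is instantiated per active sensitivity level. The four-level lattice and the upward-only transfer rule are assumptions, since the abstract states only that information-flow and visible-labeling policies exist.

```python
from dataclasses import dataclass, field

# Constructed sensitivity lattice (assumption: the abstract does not name TX's levels).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def dominates(a: str, b: str) -> bool:
    """True when level a is at least as sensitive as level b."""
    return LEVELS[a] >= LEVELS[b]


@dataclass
class UntrustedServer:
    """Stands in for one polyinstantiated X server; it holds no policy of its own."""
    level: str
    windows: dict = field(default_factory=dict)  # window id -> contents

    def draw(self, wid: str, contents: str) -> None:
        self.windows[wid] = contents


class TrustedCore:
    """The small trusted layer: labels, one server per level, flow mediation."""

    def __init__(self) -> None:
        self.servers: dict[str, UntrustedServer] = {}

    def activate(self, level: str) -> UntrustedServer:
        # Polyinstantiation: exactly one untrusted server per active level.
        return self.servers.setdefault(level, UntrustedServer(level))

    def visible_label(self, level: str, wid: str) -> str:
        # Visible labeling is rendered by trusted code, never by the untrusted server.
        return f"[{level}] {wid}"

    def transfer(self, src: str, wid: str, dst: str) -> bool:
        """Copy window contents to another level only if dst dominates src (no write-down)."""
        if src not in self.servers or wid not in self.servers[src].windows:
            return False
        if not dominates(dst, src):
            return False  # assumed policy: flows may only go upward in the lattice
        self.activate(dst).draw(wid, self.servers[src].windows[wid])
        return True


def demo() -> tuple[bool, bool, list[str]]:
    core = TrustedCore()
    core.activate("SECRET").draw("w1", "constructed sample contents")
    up = core.transfer("SECRET", "w1", "TOP SECRET")      # permitted
    down = core.transfer("SECRET", "w1", "UNCLASSIFIED")  # refused, no server created
    return up, down, sorted(core.servers)
```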
