Processor-per-domain guard architecture
The motivation, conception and design of a data filter operating in the security classification domain are described. The filter architecture features distinct domains with a separate microprocessor in each. Isolation of the domains is accomplished exclusively by hardware. Sharing between the domains is controlled by trusted software. This architecture facilitates verification and provides flexibility, economy, and high throughput.

A prototype of the filter has been implemented and applied to guarding channels connecting a multicompartmented database to lower-level networks. The prototype's operation is fully automatic. It uses secret-key digital signatures associated with each database record to authenticate classification markings and data. A filter security policy has been modeled, and the prototype design and implementation have been shown informally to comply.
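The check a guard of this kind performs, as an added illustration that is not code from the paper or its prototype: each record carries a tag computed over its classification marking and its data under a key held by the trusted side, and the filter releases a record to an output channel only if the tag verifies and the authenticated marking is dominated by the channel's level and compartment set. HMAC-SHA256 stands in here for the paper's "secret-key digital signature"; the level ordering, compartment names, key and records are all constructed for the example.

```python
import hmac
import hashlib

# Constructed linear ordering of classification levels (lowest first).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Constructed demonstration key; a real guard would hold this only on the trusted side.
KEY = b"constructed-demo-key-not-for-real-use"


def _encode(label, compartments, data):
    """Length-prefix each field so the marking/data boundary is unambiguous."""
    fields = (label.encode(), ",".join(sorted(compartments)).encode(), data)
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def tag_record(key, label, compartments, data):
    """Keyed tag binding the classification marking to the record data."""
    return hmac.new(key, _encode(label, compartments, data), hashlib.sha256).hexdigest()


def dominated(label, compartments, channel_level, channel_compartments):
    """True if (label, compartments) may flow to a channel cleared for the given level/compartments."""
    return LEVELS[label] <= LEVELS[channel_level] and set(compartments) <= set(channel_compartments)


def guard(key, records, channel_level, channel_compartments):
    """Return (released_ids, rejected) for records offered to one output channel.

    The tag is verified before the marking is consulted: an unauthenticated
    marking must never be used to decide release.
    """
    released, rejected = [], []
    for rec in records:
        expected = tag_record(key, rec["label"], rec["compartments"], rec["data"])
        if not hmac.compare_digest(expected, rec["tag"]):
            rejected.append((rec["id"], "bad tag"))
            continue
        if not dominated(rec["label"], rec["compartments"], channel_level, channel_compartments):
            rejected.append((rec["id"], "not dominated"))
            continue
        released.append(rec["id"])
    return released, rejected


def make_record(key, rec_id, label, compartments, data):
    return {
        "id": rec_id,
        "label": label,
        "compartments": list(compartments),
        "data": data,
        "tag": tag_record(key, label, compartments, data),
    }


def sample_records(key):
    """Constructed records exercising each guard outcome."""
    r1 = make_record(key, "r1", "UNCLASSIFIED", [], b"weather report")
    r2 = make_record(key, "r2", "SECRET", [], b"force disposition")
    # r3 was tagged as SECRET; its label field is then altered without re-tagging,
    # so the tag no longer verifies and the downgraded marking cannot be trusted.
    r3 = make_record(key, "r3", "SECRET", [], b"sensor log")
    r3["label"] = "UNCLASSIFIED"
    r4 = make_record(key, "r4", "CONFIDENTIAL", ["BRAVO"], b"bravo compartment item")
    r5 = make_record(key, "r5", "CONFIDENTIAL", ["ALPHA"], b"alpha compartment item")
    return [r1, r2, r3, r4, r5]


def demo():
    """Run the guard for a CONFIDENTIAL channel cleared for compartment ALPHA."""
    return guard(KEY, sample_records(KEY), "CONFIDENTIAL", ["ALPHA"])


if __name__ == "__main__":
    released, rejected = demo()
    print("released:", released)
    print("rejected:", rejected)
```

Only r1 and r5 pass: r2 is correctly marked but above the channel, r4 names a compartment the channel is not cleared for, and r3's altered marking fails authentication before its level is ever examined.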

Future directions in architecture, engineering, application and verification are discussed.