Multiple Single-level - Limits of MSL Versus MLS

Limits of MSL Versus MLS

The obvious shortcoming of MSL (as compared to MLS) is that it does not support immixture of various classification levels in any manner. For example, the notion of concatenating a SECRET data stream (taken from a SECRET file) with a TOP SECRET data stream (read from a TOP SECRET file) and directing the resultant TOP SECRET data stream into a TOP SECRET file is unsupported. In essence, an MSL system can be thought of as a set of parallel (and collocated) computer systems, each restricted to operation at one, and only one, security level. Indeed, the individual MSL operating systems may not even understand the concept of security levels, since they operate as single-level systems. For example, while one of a set of collocated MSL OS may be configured to affix the character string "SECRET" to all output, that OS has no understanding of how the data compares in sensitivity and criticality to the data processed by its peer OS that affixes the string "UNCLASSIFIED" to all of its output.

Operating across two or more security levels then, must use methods extraneous to the purview of the MSL "operating systems" per se, and needing human intervention, termed "manual review". For example, an independent monitor (not in Brinch Hansen's sense of the term) may be provided to support migration of data among multiple MSL peers (e.g., copying a data file from the UNCLASSIFIED peer to the SECRET peer). Although no strict requirements by way of federal legislation specifically address the concern, it would be appropriate for such a monitor to be quite small, purpose-built, and supportive of only a small number of very rigidly defined operations, such as importing and exporting files, configuring output labels, and other maintenance/administration tasks that require handling all the collocated MSL peers as a unit rather than as individual, single-level systems. It may also be appropriate to utilize a hypervisor software architecture, such as VMware, to provide a set of peer MSL "OS" in the form of distinct, virtualized environments supported by an underlying OS that is only accessible to administrators cleared for all of the data managed by any of the peers. From the users' perspectives, each peer would present a login or X display manager session logically indistinguishable from the underlying "maintenance OS" user environment.