KSOS-Computer network applications

The need for multilevel security in computer systems has become well known. In the military, lacking such systems makes costs higher than they should be because of the need either to replicate facilities or perform "color changes" (shutting down and purging systems between uses at varying levels) in order to deny less-cleared users access to highly-classified information, and desirable functions which would require the controlled intermixing of data at different security levels are simply not yet done. The Government's concern with such matters is amply reflected in Reference 9. Outside the military, it is clear that most if not all funds transfer systems, for example, would benefit from the other side of the security coin-that is, although the major military threat is compromise of data, the major finanCial threat is alteration of data. In both broad areas, a free-standing multilevel secure operating system would be a distinct -asset. The Kernelized Secure Operating System is meant to be just such a system, and in these terms alone is of considerable interest. This paper, though, will address potential applications of KSOS in areas other than as a free-standing system. Aside from use as a free-standing system,12 it is essentially the case that all other currently-envisioned applications of KSOS will involve intercomputer network environments. Under current consideration at varying levels of intensity are the use of KSOS as a containing operating system for communications subnetwork processors ("packet switches") themselves, Network Front-Ends, Network "Front Doors" (in which case the associated Host plays a "Back-End" roie), mini-Hosts (to support users at terminals), and nodes for the processing of military messages. Although only the last of these has at present been analyzed in considerable detail, all are interesting and all will be touched upon in some detail. KSOS's use in such applications is, as the title suggests, the main theme of this paper. However, it should be obvious that the mere act of inserting a secure component into a network architecture does not mystically make the network itself secure. Therefore, another important consideration which must be addressed is that the broad issue of just how to make a network secure is a complex one, and not nec-