The IX Multilevel-Secure Unix System (1992)

The IX Multilevel-Secure UNIX System

M. D. McIlroy and J. A. Reeds

Adapted from CSTR #163, AT&T Bell Laboratories, 1992

A collection of papers about the IX system, a simple but comprehensive multilevel-secure operating system with mandatory access control, based on the research v10 UNIX system.

The IX security model centers on processes, files and channels (not on ``subjects'' and ``objects''). The system calculates security-classification labels dynamically, so that outputs are classified as highly as the inputs from which they were derived. The label mechanism is mandatory; not even the superuser can subvert it.

A structured privilege mechanism allows system and security administrators to bend the rules in an orderly way for purposes such as maintenance or document declassification. Privilege may be suballocated in parts of the label space so that projects may administer their own security.

A private-channel mechanism guarantees freedom from eavesdropping or spoofing, (e.g. password dialogs) with external sources.

All documents are in PostScript format.

Multilevel Security in the UNIX Tradition. An overview of the IX system and important utilities. 19 pages. Adapted from Software--Practice and Experience 22 (1992) 673-694. A few typos and PostScript portability issues were corrected in this paper and the next, February 5, 2005.

The Design of IX. Detailed specification of the security behavior of the kernel. 32 pages.

A Tour of IX. Some examples of the use of security labels and of privilege in IX . 11 pages.

Multilevel Windows on a Single-Level Terminal. The workings of mux , a windowed-terminal handler, that can run differently classified sessions in different windows. 3 pages. Adapted from Proc. UNIX Security Workshop , Usenix Association, Portland (1988) 32-34.

Secure IX Network. A discussion of the major security features of IX and how they could be extended to a network of secure computers. 8 pages. Reprinted from J. Feigenbaum and M. Merritt, Distributed Computing and Cryptography , DIMACS Series in Discrete Mathematics and Computer Science, Volume 2 (1991) 235-244, by permission of the American Mathematical Society.

Security mechanisms in IX. Presentation for a Dartmouth seminar (2005). 28 slides.

Appendix

The jargon of IX that differs from that of UNIX. 2 pages.

Manual Pages. Revisions to UNIX v10 manual to reflect IX functionality. 50 pages.

Modified September 21, 2005