Jan 1994

1. At the risk of seeming unduly pedantic (a common failing of mine --- private to Jim and Don: I'm trying not to roll my eyeballs here), I think it's important to remind all concerned that we must tread a delicate line in marketing [projectX] to any DoD customer. My motivation for this missive was the briefing (excellent briefing, by the way) that Diane gave last week to Mike [somebodyOrOther], our new marketeer. During the discussion that accompanied the briefing, there seemed to be some confusion that I wanted to try to clear up. The bottom line, in my opinion, is that we should never use the word "MLS" in our discussions of [projectX]. We must not suggest, even by implication, that [projectX] can provide MLS protection under any circumstances --- not even for sensitive but unclassified information. Tables 1 through 3 of Enclosure (4) to DoD Directive 5200.28, dated March 21, 1988, make it very clear that a system with unclassified but sensitive information in it and one or more users not authorized access to such information is to be considered an MLS system and requires at least B1 level protection per DoD 5200.28-STD (the Orange Book). [projectX] is not and can never be considered as capable of providing B1 level protection. Our private opinions as to the utility of the Orange Book in the "real world" or the strength of [projectX] in areas not considered by the Orange Book are irrelevant to our obligation not to ever even appear to be misleading a DoD customer as to the capabilities of our product with respect to the letter of the DoD law.

2. Note that, on a Macintosh, no system can even meet the full set of Orange Book requirements for class C1. Paragraph 2.1.3.1.1 of the Orange Book (defining the requirements for C1) states, "The TCB shall maintain a domain for its own execution that protects it from external interference or tampering (e.g., by modification of its code or data structures)." Since the Macintosh operating system does not do that, it can never meet C1 and no software layered on top of it, e.g., [projectX], can legally compensate for that fact. It is a requirement that is sensible in fact as well as in theory. Access to the undocumented monitor said to be present in the firmware of all Macintosh computers provides direct, unmediated access to all physical resources of the system. Penetration at that level is unstoppable (and, indeed, can be made undetectable as well). I know from direct personal experience that that monitor is software-invokable from the keyboard of my Macintosh.

3. Nothing in this discussion, by the way, should be taken as a knock on [projectX]. I think it is a fine piece of work and will prove exceedingly useful in the right circumstances. Informally, many people have begun to call those circumstances "system high with labels". DoD Directive 5200.28 makes explicit allowance for that and defines the operational limitations precisely, in paragraph 5 of Enclosure 3: "Classified and sensitive unclassified output shall be marked to accurately reflect the sensitivity of the information. ... The marking may be automated (i.e., the AIS [Automated Information System] has a feature that produces the markings) or it may be done manually. Automated markings on output must not be relied on to be accurate, unless the security features and assurances of the AIS meet the requirements for a minimum security class B1 as specified in DoD 5200.28-STD... . If B1 is not met, but automated controls are used, all output shall be protected at the highest classification level of the AIS until manually reviewed by an authorized person [N.B.: Not necessarily just any user!] to ensure that the output was marked accurately ... ."

4. Note that the implications of my paragraph (2), above, are that it will require a waiver of paragraph 2.1.3.1.1 of the Orange Book even to get a Macintosh to the C1 level. (Note also that, according to the letter of the 5200.28 law, again, C2 --- not even C1 --- is the minimum protection required for anything other than the dedicated mode within DoD.) Personally, I feel that [projectX] on a Mac would justify such a waiver and that it is probable that accreditors will see it that way too. Nonetheless, from a "truth-in-advertising" perspective (the whole point of this long-winded note), potential DoD customers should be told about that potential problem sometime in our marketing efforts. We will make no friends if we get the customer management types all hot and bothered over the [projectX] possibilities and they later appear foolish because some nit-picking technical type (like me) throws cold water on the scheme. As I said, I don't think there is necessarily any long-term impediment (assuming I've read the willingness to grant waivers correctly), but a surprise "technicality" is not something that endears one to potential customers.

...Matt
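The "system high with labels" rule quoted in paragraph 3 can be modelled directly: automated output markings are trusted only when the AIS is evaluated at B1 or better, otherwise every output is held at the join of all labels present on the system until an authorized person (not just any user) has reviewed it. The following is an added illustration, not code from Matt's memo or from [projectX]; the label names, compartment names, reviewer names and the contents of the sample AIS are constructed.

```python
"""Toy model of the DoD 5200.28 Enclosure 3, para 5 output-marking rule.
Added example; labels, compartments and reviewers below are constructed."""
from dataclasses import dataclass, field

# Hierarchical levels; compartments form the non-hierarchical part of a label.
LEVELS = {"UNCLASSIFIED": 0, "SBU": 1, "CONFIDENTIAL": 2, "SECRET": 3, "TOP SECRET": 4}
B1_OR_BETTER = {"B1", "B2", "B3", "A1"}  # Orange Book classes whose marks are trusted


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """Lattice order: higher-or-equal level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

    def join(self, other):
        """Least upper bound: the higher level with the union of compartments."""
        level = self.level if LEVELS[self.level] >= LEVELS[other.level] else other.level
        return Label(level, self.compartments | other.compartments)


def system_high(ais_labels):
    """Highest classification present on the AIS: the join of every label it holds."""
    high = Label("UNCLASSIFIED")
    for lab in ais_labels:
        high = high.join(lab)
    return high


def effective_output_label(automated, ais_labels, assurance_class,
                           reviewed_by=None, authorized_reviewers=frozenset()):
    """Label at which an output must be protected under the quoted rule.
    The automated mark is trusted at B1 or better, or once an authorized
    reviewer has confirmed it; otherwise the output stays at system high."""
    if assurance_class in B1_OR_BETTER:
        return automated
    if reviewed_by is not None and reviewed_by in authorized_reviewers:
        return automated
    return system_high(ais_labels)


if __name__ == "__main__":
    # Constructed AIS contents: mixed SBU, CONFIDENTIAL and SECRET/NOFORN data.
    ais = [Label("SBU"), Label("CONFIDENTIAL"), Label("SECRET", frozenset({"NOFORN"}))]
    marked = Label("UNCLASSIFIED")  # what the (untrusted) labelling feature printed
    print("C2, unreviewed:", effective_output_label(marked, ais, "C2"))
    print("C2, reviewed by alice:", effective_output_label(
        marked, ais, "C2", reviewed_by="alice", authorized_reviewers=frozenset({"alice"})))
    print("B1:", effective_output_label(marked, ais, "B1"))
```

A user outside the authorized set does not count as a reviewer, so the output stays at system high even after they have looked at it.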