A traditional security system consists of a red processor which handles unencrypted data and a black processor which handles encrypted data. Using separate processors permits a high level of assurance that red data cannot be mixed with black data, and it also ensures that only the red processor can access the red resources and only the black processor can access the black resources. In order to simplify the system design and lower the cost of the system, it is desirable to implement a security system which consists of a single processor and uses an off-the-shelf operating system such as Windows NT™.
When red and black processes and resources are combined into a single processor, several problems arise that must be resolved. One problem is data separation between red data and black data. A second problem is access control, both between red and black resources and over which function may access a particular resource at a particular time. The third problem involves denial of service.
In order to provide data separation, a security system must ensure that the red data cannot be mixed with the black data. In addition, the security system must have the ability to support multiple secure and non-secure channels. This raises the additional problem of ensuring that red data on one channel is kept separate from red data on another channel.
The access control problem requires a security system to ensure that only the proper functions are permitted to access specific resources. Only red data functions are permitted to access red resources and only black data functions are permitted to access black resources. In addition, the security system must guarantee that only one function can access a resource at any given time. This is further complicated when different functions are permitted to access a given resource depending on the state of the system.
To solve the denial of service problem, a security system must have a mechanism to remove the ability to access a resource after the access has been granted. In some systems, it is possible for some functions to access resources only during specific states of the system. For example, in some systems a bypass function can access the resources only while the system is in the clear mode. In any other state of operation, the system must limit the ability of the function to access the resource. This is necessary so that the ability to access resources can be removed in the event that a security problem is detected.
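The three requirements above (red/black and per-channel data separation, exclusive state-dependent access control, and revocation of a grant once the state changes) can be captured in a small reference monitor. The following is an added, constructed example and not the apparatus described in this document; the `Domain`, `Mode`, `Resource`, `Function` and `ReferenceMonitor` names, and the secure/clear/fault states, are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Domain(Enum):
    RED = "red"      # plaintext side
    BLACK = "black"  # ciphertext side

class Mode(Enum):
    SECURE = "secure"
    CLEAR = "clear"  # the only state in which a bypass function may hold a resource
    FAULT = "fault"  # a detected security problem: every grant is withdrawn

@dataclass(frozen=True)
class Resource:
    name: str
    domain: Domain
    channel: int  # red data on channel 1 must stay apart from red data on channel 2

@dataclass(frozen=True)
class Function:
    name: str
    domain: Domain
    channel: int
    bypass: bool = False

class ReferenceMonitor:
    # Hypothetical monitor for the single-processor case (constructed example).
    def __init__(self) -> None:
        self.mode = Mode.SECURE
        self.grants: dict[str, tuple[Function, Resource]] = {}
    def _permitted(self, fn: Function, res: Resource) -> bool:
        if self.mode is Mode.FAULT or (fn.bypass and self.mode is not Mode.CLEAR):
            return False
        # Data separation: a function touches only its own colour and its own channel.
        return fn.domain is res.domain and fn.channel == res.channel
    def request(self, fn: Function, res: Resource) -> bool:
        held = self.grants.get(res.name)
        if held is not None and held[0] != fn:
            return False  # exclusive access: another function already holds the resource
        if not self._permitted(fn, res):
            return False
        self.grants[res.name] = (fn, res)
        return True
    def set_mode(self, mode: Mode) -> list[str]:
        # Enter a new state and revoke every grant that state no longer permits.
        self.mode = mode
        revoked = [n for n, (fn, res) in self.grants.items() if not self._permitted(fn, res)]
        for n in revoked:
            del self.grants[n]
        return revoked
```

Entering the fault state revokes every outstanding grant, which is the revocation-after-grant mechanism the denial of service requirement calls for.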
What are needed are a method and apparatus which solve these problems in a single processor fail-safe environment.