Friday, January 30, 2009

THE “HOLY GRAIL” OF I.T. IN DEFENCE

Defence processes information from many sources. Much of it is Unclassified, but much of it is not, and that second set causes Defence its biggest I.T. headache: classified information has to be kept physically separate from everything else that is held, and each classification level from the others.
For each classification level, Defence maintains a separate information network, a separate phone network, even a separate messaging network. Most Defence personnel need access to many if not all of these networks, so their desktops are littered with different PCs, terminals and phones, one for each network they are cleared to use.
Why not plug the different networks into the same PC? That would let them surf the Internet in one window, while typing up a highly-classified report in another window, and the computer would keep them separate. Wouldn’t it?
America’s and Australia’s highest security agencies (the National Security Agency, or NSA, and the Defence Signals Directorate, or DSD) say “No”. Most professionals who maintain security agree with them: you cannot trust a computer not to accidentally put data from one window into another. Strictly, it is not the computer you cannot trust: it is the software the computer is running.
Think about it. Today’s PCs execute around 3 billion instructions per second, roughly 86 trillion over an eight-hour working day, and, hardware faults aside, every one of them exactly as instructed. It is not the hardware that makes mistakes, it is the software. Today’s software is very complex and has many bugs in it. Every day there are new patches for Linux to download. Every month Microsoft releases patches for Windows and its applications. Does that mean that after the latest round of patches all the bugs have been fixed? Hardly.
And those are just the accidental problems. What about a deliberate attempt to extract information from your computer? You can visit a website that silently installs a malicious program on your machine, which then searches your hard disk for private information such as credit card or passport details and sends it to… well, anyone. It does not matter how many firewalls, anti-virus scanners, anti-phishing filters and other anti-malware products you install: each of them is itself software, and a skilled attacker can find a weakness in any of them.
No wonder the security agencies said “No”! So the current solution is simply to keep the different classification levels compartmentalised on different machines, and put up with the extra hardware, power, maintenance and sheer physical room this takes.
Until now.
The “Holy Grail” of Defence I.T. has always been a software solution to this hardware problem, but every software attempt has been met with the question “But are you sure?” To put that question on a formal footing, the security agencies of a number of countries agreed a standard, the Common Criteria (ISO/IEC 15408), against which software can be evaluated. It defines a seven-level scale of Evaluation Assurance Levels, EAL-1 to EAL-7, and the agencies deemed EAL-4 barely sufficient to let two adjacent classification levels be separated against “casual or accidental” threats.
Achieving EAL-4 takes many months of laborious paperwork: essentially reasoning out where the risks might be and how they are mitigated, backed by testing and an independent vulnerability analysis of the design and its main interfaces, not a line-by-line examination of the source. The more software there is, the more paperwork. Windows XP is over 40 million lines of code, and a complete Linux distribution such as Debian is over 200 million (http://en.wikipedia.org/wiki/Lines_of_code); the Linux kernel by itself is around 10 million. Windows XP and the major Linux distributions have in fact been evaluated to EAL-4 (with augmentations), but only against protection profiles for a general-purpose, single-level operating system: none of those evaluations claims that the OS can keep two classification levels apart.
What about higher levels? EAL-6 demands a much more rigorous examination. The Standard requires a formal (mathematical) model of the security policy, a semiformally verified design shown to match that model, a structured and fully mapped implementation, and an independent vulnerability analysis that assumes an attacker with high attack potential. Not only that, there cannot be a way for one compartment to work out what another compartment is doing, for example by noticing that its own calculations are taking longer than usual: the evaluation includes a systematic search for such covert channels, timing channels included. (As an aside, have you ever wondered why many Defence car parks are underground? It is so that observers cannot count the cars and wonder what is happening in the world that has so many people working at 3 A.M. The same kind of inference works against computers.)
And trying to mathematically prove the correctness of 40,000,000 lines of code would take a horde of Ph.D. mathematicians centuries, and we already know it is not correct!
So, in 1997 Dan O’Dowd, the founder and CEO of Green Hills Software, Inc. in the U.S. (http://www.ghs.com), set out to design a new operating system: one small enough to be proven correct, one that would not take forever to test, efficient, and above all reliable AND secure. It was first fielded in the avionics of the B-1B bomber. A flight control system (FCS) needs to be ultra-reliable. (Qantas Flight 72, in October 2008, suffered an in-flight upset when its flight control computers acted on faulty air data, and many people were hurt.) An FCS also has to do many different things at once, yet cannot let the processing for one function starve or delay another. In other words, an FCS needs the same strict partitioning of processor time and memory between functions that the ADF (Australian Defence Force), and indeed every Defence organisation around the world, needs between classification levels.
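The following is an added example, not code from the original post or from Green Hills. It is a deterministic Python model of the timing covert channel described two paragraphs up (one compartment inferring another’s activity from its own slowdown) and of why the fixed time partitioning an FCS relies on closes it. The frame length, the HIGH/LOW partition names and the round-robin rule are constructed for the model; no real kernel’s scheduler is simulated.

```python
"""Model of a CPU-timing covert channel between two partitions.

HIGH (the classified side) wants to leak data to LOW (the Internet-facing
side) without any shared file, socket or memory.  It needs nothing more
than the scheduler: in each scheduling frame it either burns CPU (bit 1)
or sleeps (bit 0).  LOW simply counts how much CPU it received per frame.
All parameters here are constructed for the model.
"""
from typing import Callable, List

FRAME_TICKS = 64  # constructed: ticks in one scheduling frame

# A scheduler maps "is HIGH busy this frame?" to the ticks LOW received.
Scheduler = Callable[[bool], int]


def work_conserving_frame(high_busy: bool) -> int:
    """Ordinary round-robin: ticks an idle partition does not use go to LOW."""
    low_ticks = 0
    for tick in range(FRAME_TICKS):
        if high_busy and tick % 2 == 0:
            continue        # HIGH takes its turn
        low_ticks += 1      # LOW runs (its own turn, or HIGH is idle)
    return low_ticks


def partitioned_frame(high_busy: bool) -> int:
    """Fixed time partitioning (ARINC 653 style): LOW owns exactly half of
    every frame.  If HIGH idles, its slots stay idle rather than being
    handed to LOW, so LOW's measurement carries no information about HIGH."""
    return FRAME_TICKS // 2


def to_bits(msg: bytes) -> List[int]:
    return [(b >> (7 - i)) & 1 for b in msg for i in range(8)]


def from_bits(bits: List[int]) -> bytes:
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, whole, 8))


def transmit(bits: List[int], scheduler: Scheduler) -> List[int]:
    """HIGH encodes one bit per frame as busy/idle; LOW records its ticks."""
    return [scheduler(bit == 1) for bit in bits]


def decode(samples: List[int], quiet_ticks: int) -> List[int]:
    """LOW's inference: fewer ticks than in a quiet frame means HIGH was busy."""
    return [1 if s < quiet_ticks else 0 for s in samples]


def leak(msg: bytes, scheduler: Scheduler) -> bytes:
    """End-to-end: what LOW recovers when HIGH tries to send msg."""
    quiet_ticks = scheduler(False)  # LOW calibrates on a frame in which HIGH is idle
    return from_bits(decode(transmit(to_bits(msg), scheduler), quiet_ticks))


def channel_is_closed(scheduler: Scheduler) -> bool:
    """The check a covert-channel analysis asks of the scheduler: LOW's
    observable must be identical whether or not HIGH is busy."""
    return scheduler(True) == scheduler(False)


if __name__ == "__main__":
    secret = b"TOP SECRET"
    for name, sched in (("round-robin", work_conserving_frame),
                        ("partitioned", partitioned_frame)):
        print(f"{name:12s} LOW recovers {leak(secret, sched)!r}; "
              f"channel closed: {channel_is_closed(sched)}")
```

Under the round-robin scheduler LOW recovers the message byte for byte; under the fixed partition every frame looks the same and LOW recovers only zero bytes. A real machine adds noise (caches, interrupts, bus contention) that this model ignores, which is why a separation kernel’s covert channel analysis has to look at shared hardware as well as at the scheduler.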
In 2005 the software (INTEGRITY-178B) was submitted to the NSA for evaluation to EAL-6 against the Separation Kernel Protection Profile (SKPP). It came with (literally) a truckload of documentation, including the work of a team of Ph.D. mathematicians showing that its roughly 10,000 lines of code conformed to their formal model. Because the SKPP demands more than the base EAL-6 package, the target was “EAL-6+”, the plus meaning EAL-6 augmented with additional assurance requirements, at the SKPP’s “high robustness” level. The NSA studied the documentation. It studied the software. It studied the proofs. It handed the whole shebang to its own penetration testers to try to crack it. And after three years, in 2008, the evaluation concluded with no exploitable vulnerability found and the certificate was issued.
At last, the world has a kernel that the evaluators agree can maintain the separation of different compartments even in the face of “a determined and well-funded” attacker. Two caveats a practitioner should keep in mind: the certificate covers the evaluated configuration of the kernel on the evaluated hardware, and the assurance is about what the kernel enforces between partitions, not about the security of whatever runs inside each partition.
OK, so what now? Does this mean everyone has to throw out their beloved Linux or familiar Windows and learn a new way of doing things? Actually, no. This new OS is small enough to run on a PC with little overhead, and it compartmentalises not only different applications (a web browser and a word processor, say) but entire operating systems.
That’s right: it runs Windows or Linux as though each were just another program. So it can run Windows and Linux side by side, or two copies of Windows, or two of one and three of the other, all at once. Each guest OS is assigned to a partition at one classification level, and you can surf the Internet in Windows while typing that highly classified report under your favourite Linux distribution. The guest operating systems remain as buggy as ever; what the kernel adds is the guarantee that a compromise of the Internet-facing Windows stays inside its partition and cannot read or write the classified one. That guarantee also depends on every partition’s access to hardware (disk, network, keyboard, screen) being mediated by the kernel rather than shared directly, so the configuration of those devices deserves as much scrutiny as the kernel itself.
