Such systems suffer a host of disadvantages: They cost too much, lack
user-friendly features and development environments, take too much
time to evaluate and certify, and do not scale well for secure
distributed computing. This lack of satisfactory security solutions is
disturbing in light of the trend toward open and distributed
computing, which increases a system's vulnerability to attack. The
authors propose basing security solutions instead on a multiple
single-level security architecture, which uses commercial (nonsecure)
products for general-purpose computing and special-purpose
high-assurance devices to separate data at different security levels.
A multiple single-level architecture is a viable and practical
solution to distributed multilevel secure computing. The keystone of
this architecture is a trusted device that "pumps" data from a low
security level to a higher one. The authors describe the software
design and assurance argument strategy for this device, the Network
NRL Pump, which can be used in any multilevel secure distributed
architecture.