Title of invention |
Multi-level security system for enabling secure file sharing across multiple security levels and method thereof |
Abstract |
A multi-level security system includes a storage medium partitionable into a plurality of partitions, a file system coupleable to the plurality of partitions, and a plurality of enclaves. Each enclave is assigned a security classification level. Each enclave resides in a different storage partition of the storage medium. Data stored on the storage medium is cryptographically separated at rest on a per-enclave basis. Cryptographic separation occurs at the disk block level, allowing individual blocks to be read and decrypted. The system also includes a reference monitor that enforces a system security policy that governs access to information between the enclaves. The reference monitor allows an enclave having a first classification level to securely read-down to an enclave having a second classification level lower than the first classification level and to write to another enclave having the first classification level. |
Publication number |
US9489534(B2) |
Publication date |
2016.11.08 |
Application number |
US201414522447 |
Filing date |
2014.10.23 |
Applicant |
Northrop Grumman Systems Corporation |
Inventors |
Hashii Brant D.;Scott Mark O.;Silverman Daniel R.;Wixtrom Lee;Tester Jonathan;Brown Steve A. |
Classification codes |
G06F21/62;G06F17/30 |
Main classification code |
G06F21/62 |
Agency |
Stetina Brunda Garred & Brucker |
Agent |
Stetina Brunda Garred & Brucker |
Principal claim |
1. A multi-level security system, the system comprising: a storage medium, the storage medium partitionable into a plurality of partitions; a file system coupleable to the plurality of partitions;
a plurality of enclaves each assigned a security classification level, wherein each one of the plurality of enclaves resides in a different storage partition of the storage medium; wherein data stored on the storage medium is cryptographically separated at rest on a per-enclave basis, and wherein cryptographic separation occurs at the disk block level thereby allowing individual blocks to be read and decrypted; wherein every disk block is encrypted using a unique key for each security classification level; and a reference monitor that enforces a system security policy that governs access to information between the plurality of enclaves, wherein the reference monitor allows an enclave of the plurality of enclaves having a first classification level to securely read-down to another enclave of the plurality of enclaves having a second classification level lower than the first classification level and to write to another enclave of the plurality of enclaves having the first classification level. |
Address |
Falls Church VA US |