test

Compartmented Mode Workstation Labeling: Encodings Format

Chapter 1 Introduction

The Compartmented Mode Workstation (CMW) Evaluation Criteria, Version 1 [DDS-2600-6243-91] defines minimum security requirements for workstations to be accredited in the Compartmented Mode under the policy set forth in Defense Intelligence Agency Manual 50-4 [DIAM 50-4]. Because of the number of CMWs needed throughout the intelligence community and the need for interoperability among the CMWs, standard encodings of security labels are necessary.

Defining encodings for security labels is a three-step process. First, the set of human-readable labels to be represented must be identified and understood. The definition of this set includes the list of classifications and other words used in the human-readable labels, relations between and among the words, classification restrictions associated with use of each word, and intended use of the words in mandatory access control and labeling system output. Next, this definition is associated with an internal format of integers, bit patterns, and logical relationship statements. Finally, a CMW system file is created to store the encodings. This document emphasizes the second and third steps, and assumes that the first has already been performed.

The encodings are used by a CMW to control the conversion of human-readable labels into the internal format used by the CMW, the conversion from the internal format to a human-readable canonical form, and the construction of banner pages for printed output. Furthermore, though not used directly by the CMW in combining information labels, the encodings values are critical in adjudicating the combinations of different information label components. Encodings must be provided for 1) classifications; 2) other words in information labels, sensitivity labels, clearances, handling channels, and printer banners; and 3) the system and user accreditation ranges and related values.

A companion document, Compartmented Mode Workstation (CMW) Labeling: Source Code and User Interface Guidelines [DDS-2600-6215-91], describes the standard software that operates on the encodings described in this document.

Background

As mentioned above, the encodings control the translation between the human-readable and internal formats of information labels, sensitivity labels, and clearance labels (hereafter called clearance). Human-readable labels consist of a classification followed by a set of words. The words can represent compartments (in information labels, sensitivity label, and clearances), and markings (in information labels only). (The word “compartments” is the intelligence community word most analogous to the word “categories” as used in the National Computer Security Center's Trusted Computer System Evaluation Criteria [DOD 5200.28-STD]. The word “compartments” will be used throughout this paper for consistency with other intelligence community documentation, but conceptually means the same as “categories.”)

The internal form of labels consists of an integer classification value and a set of bits (all labels have compartment bits, whereas only information labels have marking bits), as summarized below.

Table 1–1 Label Summary

Type of Label 

Classification 

Compartments 

Markings 

Information 

Integer 

Set of Bits 

Set of Bits 

Sensitivity 

Integer 

Set of Bits 

(NONE) 

Clearance 

Integer 

Set of Bits 

(NONE) 

Thus, information labels have three components: classification, compartments, and markings, whereas sensitivity labels and clearance have only the first two components.

Given any two labels (information, sensitivity, or clearance), there is a relationship called dominance between them, defined as follows:

In addition to the dominance relationship, there are two other relationships between labels with the same components. Two labels are equal if their classifications are equal and their sets of bits are equal. Two labels are incomparable if each label contains a 1 bit that is 0 in the other label. Stated in terms of dominance, two labels with the same components are equal if each label dominates the other, and two labels are incomparable if neither label dominates the other.

Figure 1–1 shows three labels and their associated compartment or marking bits. As indicated above, L2 dominates L1. L3 is incomparable to either L1 or L2. Finally, all three labels (in fact all possible labels) both dominate and equal themselves.

Figure 1–1 Label Relationships

The context describes the label relationships in the graphic.

The words that follow the classification in the human-readable representation of labels are said to be either normal or inverse. (A third type of word, special inverse, is not covered here. See Defining Prefixes And Suffixes in Chapter 4, Information Label Encodings, and Using Prefixes to Specify Special Inverse Compartment and Marking Bits in Chapter 7, General Considerations for Specifying Encodings.) Adding a normal word to the human-readable representation of a label increases the sensitivity of the label (i.e., increases the number of compartment or marking bits that are 1). Adding an inverse word to a human-readable label does not increase the sensitivity of the label, but instead either decreases or otherwise changes the sensitivity of the label, (i.e., changes at least one bit in the internal form of the label from 1 to 0). Stated in terms of dominance, adding a normal word to a label changes the label into a new label that dominates (is hierarchically above) the original one. Finally, adding an inverse word to a label changes the label into one that is either 1) dominated by the original label, or 2) is incomparable to the original label.

Constructing an Encodings File

The first step in constructing an encodings file is to define a set of labels to be implemented in the CMW. Defining the labels involves:

  1. Determining the long and short names of the classifications and words that comprise information labels, sensitivity labels, and clearances;

  2. Determining a set of rules for combinations of classifications and words;

  3. Determining the minimum classification, handling channels, and any other information associated with compartments and markings that must appear on printer banner pages;

  4. determining the minimum sensitivity level and clearance specifiable on the system; and

  5. Determining the user accreditation range: the set of sensitivity levels that can be used by normal system users.

Then, constructing the encodings for this set of labels involves:

  1. Determining the internal integer representation of classifications;

  2. Determining the internal compartment bit string representations of sensitivity label and clearance words; and

  3. Determining the internal compartment and/or marking bit string representations of information label words.

The rules for combinations of classifications and words are used to:

These determinations influence the selection of the integer and bit string internal representations.

The most important and complicated aspects of constructing the encodings are the rules for well formedness and adjudication, each of which is discussed in more detail below.

Well-Formed Labels

A label is said to be well formed if it follows a specified set of rules regarding the relationships among classifications and words in the same label. The concept of well formedness applies to information labels, sensitivity labels, and clearances. The encodings and their associated software that translates human-readable labels into their internal format enforces the following types of well formedness rules.

  1. A set of “default words” can be associated with 1) the least sensitive clearance and sensitivity label, and/or 2) the least sensitive information label, containing a particular classification. Such words are defined by including the compartment and/or marking bits associated with them in the initial compartments and/or initial markings associated with the classification. See the initial compartments= and initial markings= keywords in Chapter 3, Classification Encodings. For example, if all classified data on a particular system was to be considered NOFORN (meaning No Foreign Dissemination), and NOFORN was an information label word (i.e., has marking bits associated), then NOFORN could be encoded as a default word for all classifications above UNCLASSIFIED, and would therefore automatically appear in all information labels.

  2. A minimum classification can be associated with each word, thereby preventing the word from appearing in the human-readable form of a label with a classification below the minimum. See the minclass= keyword in Chapter 4, Information Label Encodings. For example, the minimum classification that should be associated with some compartments is TOP SECRET.

  3. An “output minimum” classification can be associated with each word, thereby preventing the word from appearing in the human-readable form of a label with a classification below the minimum, even though it can appear in the internal form of the label. See the ominclass= keyword in Chapter 4, Information Label Encodings. For example, release markings do not appear in the human-readable form on the label UNCLASSIFIED, and therefore have an output minimum classification of CONFIDENTIAL.

  4. An “output maximum” classification can be associated with each word, thereby preventing the word from appearing in the human-readable form of a label with a classification above the maximum, even though it can appear in the internal form of the label. See the omaxclass= keyword in Chapter 4, Information Label Encodings.

  5. A maximum classification can be associated with each word, thereby preventing the word from appearing in a label with a classification above the maximum. See the maxclass= keyword in Chapter 4, Information Label Encodings. For example, see the codeword bravo4 in Appendix B, Annotated Sample Encodings.

  6. Any specific set of words can be defined to be in a hierarchy, such that only one word in the hierarchy can appear in a label at a time. The hierarchies among words are defined by the compartment and/or marking bits chosen to represent the words internally. Simply stated, if the compartment and marking bits associated with word W2 dominate but do not equal those associated with word W1, then W2 is in a hierarchy above W1, in which case W1 and W2 can never appear in a label together. See the compartments= and markings= keywords in Chapter 4, Information Label Encodings and Hierarchies of Words in Chapter 8, Enforcing Proper Label Adjudications. For example, see the codewords alpha1, alpha2, and alpha3 in Appendix B, Annotated Sample Encodings.

  7. The presence of any word in a label can require the presence of another word in the same label. See the REQUIRED COMBINATIONS: keyword in Chapter 4, Information Label Encodings. For example, certain subcompartments may require the presence of their main compartment in a sensitivity label.

  8. Some words can be prevented from appearing with other words in the same label, even if the words are not hierarchically related. See the COMBINATION CONSTRAINTS: keyword in Chapter 4, Information Label Encodings. For example, the codeword bravo4 in Appendix B, Annotated Sample Encodings must stand-alone in a label.

Information Label Adjudication

When two pieces of data with separate information labels (e.g., objects, files, part of a window's contents) are merged or combined, the system automatically adjudicates the combination of the two information labels, determining the single information label that properly represents the merged data. This process of adjudicating two information labels is also called combining the labels or floating one label with the second one. The values assigned to classifications and the internal compartment and marking bit representations assigned to information label words determine how the system will adjudicate information labels.

When the system adjudicates the classifications from two information labels, the resulting classification is always the classification with the greater internal integer value. Since all classifications by definition form a strict hierarchy, specifying integer values for classifications that represent the hierarchy, with the most sensitive classifications having the highest values and the least sensitive classifications having the lowest values, will assure the proper adjudication of classifications.

Considerations for the proper adjudication of words is much more complicated. The system adjudicates information label compartment and marking bits by performing a bitwise logical “or” of the bit strings, as shown in Table 1–2.

Table 1–2 Information Label Bit String Combination Example

 

 

Bit Strings 

 

Compartments 

Markings 

Information Label 1 (IL1)  

10100000  

00001111 

Information Label 2 (IL2) 

11010001 

11000000 

Adjudication (IL1 + IL2) 

11110001 

11001111 

Proper adjudication is assured by defining the bit representation of each information label word such that the desired properties are enforced when the words are combined via logical “or.” Table 1–3 shows a number of different possibilities for the adjudication of the combination of words. In this and following figures, (NULL) is used to indicate the absence of any word.

As mentioned above, there are two basic types of words: normal and inverse. Additionally, words can optionally appear in a hierarchy with other words. To support these different types of words, the encodings allow for a great deal of flexibility in the association of human-readable word names with internal bit patterns. Rather than simply assigning names to bits, the encodings allow word names to be associated with specific bit patterns. These bit patterns can include compartment bits, marking bits, or both. The examples shown in Table 1–3 are expanded below, showing how the internal encodings of the words implement the desired adjudication of normal words, inverse words, words in hierarchies, composite words, and a more complex example.

In each example, the relevant bit values associated with words are shown as 1s and 0s. Irrelevant bit positions are denoted with –s. Each example below shows two labels and their combination, in both human-readable and internal forms. (NULL) is used to indicate a label containing no words. The bits shown in the examples below could be compartment bits, marking bits, or a combination of both. From the standpoint of label adjudication, there is no difference between compartment bits and marking bits.

Table 1–3 Label Adjudication Examples

Comment 

IL1 

IL2 

IL1+IL2 

Normal word  

Word1 

(NULL)  

Word1 

Inverse word  

Word2 

(NULL)  

(NULL) 

Both words are normal  

Word1 

Word3 

Word1 Word3 

Both words are inverse 

Word2 

Word6 

(NULL) 

Both words are inverse 

Word2 

Word2 Word6 

Word2 

Hierarchy with Word5 above Word4 

Word4 

Word5 

Word5 

Word9 is a composite of words 7 and 8 

Word7 

Word8 

Word9 

Word12 is a non-hierarchical composite of words 10 and 11 

Word10 

Word11 

Word10 Word11 Word12 

Word13 is inverse and in a hierarchy below Word14 

Word13 

(anything other than Word13) 

Word14 

Normal Words

Normal words are associated with internal bit patterns consisting only of 1s. Normal words can have one or more 1 bits associated with them. The example below is for the simplest and most common case, where a single bit is associated with a word. When such a word is combined with a label containing no words, the resulting label contains just the word.

Word1 

1––––––– 

(NULL) 

–––––––– 

Word1 

1––––––– 

In the following example, two normal words each associated with different 1 bits are combined. The resulting label contains both words.

Word1 

1––––––– 

Word3 

––1––––– 

Word1 Word3 

1–1––––– 

Inverse Words

Inverse words are associated with internal bit patterns containing at least one inverse bit. An inverse bit is a bit whose 0 value is associated with the presence of a word and whose value is 1 unless the word is present in the label. Inverse words can have one or more bits associated with them. The example below is for the simplest and most common case, where a single 0 bit is associated with a word. When a bit is used inversely, its value in a NULL label must be 1. When such a word is combined with a label containing no words, the resulting label does not contain the word.

Word2 

–0–––––– 

(NULL) 

–1–––––– 

(NULL) 

–1–––––– 

In the following example, two inverse words each associated with different inverse (0) bits are combined. The resulting label contains neither of the words.

Word2 

–0–––1–– 

Word6 

–1–––0–– 

(NULL) 

–1–––1–– 

In the example below, two labels containing the above inverse words are combined. Only the inverse word that appears in both labels appears in the resulting combination.

Word2 

–0–––1–– 

Word2 Word6 

–0–––0–– 

Word2 

–0–––1–– 

Hierarchies of Words

Two words form a hierarchy if their associated relevant bits form a hierarchy (i.e., if one set of bits includes the other). Words in hierarchies can be either normal or inverse words. The following example is the simplest case of a hierarchy of two normal words. In this example, as should be evident from the bits, Word5 is hierarchically above Word4. Therefore, when the two words are combined, the result is the higher of the two words, Word5. Two words in the same hierarchy can never appear together in a label.

Word5 

–––11––– 

Word4 

–––1–––– 

Word5 

–––11––– 

Composite Words

This example is very similar to the above example involving Word1 and Word3, with the difference being that this example contains a third word that is the composite of the other two. Word9 is a composite word whose meaning is “the combination of Word7 and Word8.” Such a composite word might be used rather than having the individual words combined to appear in the combination label. In this example, the composite word and the words it combines are a special case of word hierarchies. Therefore, the composite word cannot appear in the same label with either of the words of which it is composite.

Word7 

––––––1– 

Word8 

–––––––1 

Word9 

––––––11 

Non-Hierarchical Composite Words

It is possible to form a composite word without a hierarchy involved. Non-hierarchical composite words are possible for words that have more than one bit associated. In the following example, Word12 is a composite of Word10 and Word11, but has no hierarchical relationship with either word. Therefore, Word12 can appear in the same label with Word10 and Word11. When Word10 and Word11 are combined the resulting label contains all three words.

Word10 

1–––––1– 

Word11 

–1–––––1 

Word12 

––––––11 

A Complex Example

Both normal and inverse words can appear in hierarchies. The example below shows a complex combination of an inverse word and hierarchies. Word13 is a word whose internal representation consists of one normal (1) bit and one inverse (0) bit. Because one of the bits is inverse, its value in any label not containing Word13 will be 1, as shown on the second line of the example. Word14 is a normal word in a hierarchy above Word13. The interesting result of this particular combination of hierarchies and inverse bits is that if Word13 is combined with any label that does not contain Word13, the resulting label contains Word14 instead of Word13.

Word13 

10–––––– 

(any label 

 

without Word13) 

–1–––––– 

Word14 

11–––––– 

Plan of Paper

The remainder of this document specifies how to construct a standard encodings file for CMWs. Chapter 2, Structure and Syntax of Encodings File describes the general structure of an encodings file. Chapter 3, Classification Encodings describes how classifications are specified. Chapter 4, Information Label Encodings describes how the words that make up information labels are specified. Chapter 5, Sensitivity Label, Clearance, Channels, and Printer Banner Encodings describes how the words that make up sensitivity labels, clearances, printer banner and other non-handling caveats for printer banner pages are specified. Chapter 6, Accreditation Range and Name Information Label Encodings describes how the system and user accreditation ranges the information labels of classified names are specified. Chapter 7, General Considerations for Specifying Encodings” discusses general considerations for specifying encodings. Chapter 8, Enforcing Proper Label Adjudications describes how to use the encodings to enforce proper label adjudication. Appendix A, Encodings Specifications Error Messages describes the error messages that can occur from improper encodings specification. Appendix B, Annotated Sample Encodings contains a sample encodings file with annotations to describe what the entries in the file are designed to accomplish. The Glossary is provided to define important terms as they are used in this document. An Index of important terms is provided to facilitate reference.