Multics Technical Bulletin                                MTB-664
Design Documentation

To:       Distribution

From:     Pozzo

Date:     07/02/84

Subject:  Design Documentation for the TCB

1 ABSTRACT

     The   Criteria   requires  design   documentation  that
     describes how  the TCB enforces the  security policy of
     the  system,  as  described  in the  DTLS.   It further
     requires  a  complete and  accurate description  of the
     interface   between  the   TCB  modules   and  the  TCB
     protection  mechanisms.   This  document  identifies an
     interim plan  towards satisfying this  requirement.  It
     further describes  what needs to be  done to completely
     fulfill the requirements set out by the Criteria.  This
     MTB, in addition to  informing the Multics community of
     its contents, serves as  formal notification to the DOD
     Security Evaluation Team, informing them of Honeywell's
     plans for  both an interim  and final plan  for Multics
     design documentation.

Comments should be sent to the author:

via Multics Mail:
   Pozzo.Multics on either MIT Multics or System M.

via US Mail:
   Maria M. Pozzo
   Honeywell Information Systems, inc.
   575 Tech Square
   Cambridge, Massachusetts 02139

via telephone:
   (HVN) 261-9364, or
   (617) 492-9364

_________________________________________________________________

Multics  project  internal  working  documentation.   Not  to  be
reproduced or distributed outside the Multics project without the
consent of the author or the author's management.


MTB-664                                Multics Technical Bulletin
                                             Design Documentation

2 THE TRUSTED COMPUTING BASE

The TCB  is that portion  of the system  (hardware, software, and
firmware),  whose  protection  mechanisms  enforces  the  sytem's
security  policy.  For  Multics, the software  that is considered
the TCB is ring zero, ring one and privileged applications.  (See
detailed list in Section 4).

3 DESIGN DOCUMENTATION

Design documentation which satisfies the  Criteria for a level B2
system,  consists of  Multics PLMs (Program  Logic Manuals), SDNs
(System   Designers  Notebooks)   and  MTBs   (Multics  Technical
Bulletins)  for the  entire TCB.  Currently,  these documents for
many of the areas are outdated and some do not exist.

The  following  plan  will   provide  design  documentation  that
accurately describes the TCB as  it is currently implemented and,
coupled with  the Configuration Management  Strategy, will assure
that this doumentation is kept current.

It is intended to provide  accurate design documentation for each
area  of the  TCB.  The format  of this documentation  will be as
follows:

        *  An initial chapter which describes what the subsystem
           does, the classes of information it handles, how that
           information can  be  manipulated,  and an overview of
           how the subsystem interfaces  internally and with the
           rest of the TCB.

        *  A chapter specifying the security policy  enforced by
           the  subsystem  as  well  as  a  description  of  the
           security-relevant portion.

        *  Remaining chapters that detail the  internal  modules
           and interfaces of the subsystem.

In addition,  an overview of  the entire TCB will  be provided to
serve  as   an  introduction  to   this  entire  set   of  design
documentation.

4 INTERIM PLAN

The  interim  plan  will  provide  the  first  two  chapters,  as
described above,  for MR11, as well  as the introductory overview
of  the entire  TCB.  The  following detailed  list describes the
area to  be covered and  the effort required  for completing both


Multics Technical Bulletin                                MTB-664
Design Documentation

the  interim  plan  and the  final  plan.  Note  that  the effort
required is in  terms of man-months, and that  the interim effort
is part of the final effort, not an addition to it.

Subsystem                                        Interim   Final
_________                                        _______   _____

Message Segments and Mailboxes                   0.25      1.00
Storage System (incl.  Salvagers)                0.50      2.50
System Initialization                            DONE      DONE
Programming Standards                            DONE      DONE
RCPRM                                            1.00      1.00
Security Control (Directory Control)             1.00      2.00
Volume Backup Dumper                             0.25      1.00
Hierarchy Backup Dumper                          0.25      1.50
Hardcore IO (IOI)                                0.25      1.00
System and User Control                          0.50      2.00
Interprocess Communication                       0.25      0.50
Traffic Controller                               0.50      3.00
IO Daemon - misc IO modules                      0.50      3.00
Reconfiguration                                  0.25      1.00
Name and Address Space Management                0.50      2.00
Run-Time Environment                             0.75      3.00
Fault and Interrupt Handling                     0.25      1.00
Logical Volume Management (MDC)                  0.50      2.00
System Administration                            0.50      2.00
On-line T&Ds                                     0.50      2.00
Ring-0 Auditing & Logging                        0.50      0.50
Overview of the TCB                              NA        NA
                                                 ______    ______

                                                 9.00      32.50