Private desktops and shared store

Abstract

Modern interconnected computer systems handling classified information can be built using mainstream COTS software platforms. The technique provides each user with a private desktop in which to work, along with services for sharing data. Within a desktop, the user is helped to label their data. When data is shared, labelling prevents accidental compromise, but other measures defend against other forms of compromise. Purple Penelope is a prototype that extends Windows NT security to support this approach. It adds discretionary labelling, easy-to-use role-based access controls and effective accounting and auditing measures to shared files.