Purple Penelope was a demonstration secure system created by the Defence Research Agency (DRA) in the UK. Its aim was to show that the security functionality of Windows NT could be extended to support users handling classified information.
Purple Penelope [1] implemented the Domain Based Security model [2] [3], which DRA developed for the UK Ministry of Defence so that secure systems could be built using Commercial Off The Shelf (COTS) software.
Within a security domain, access controls are designed to stop users from accessing material without a need-to-know and to prevent them from making mistakes when handling classified data. Controls over sharing information between security domains are more stringent: they defend against attacks and hold users to account for their actions. The model calls for discretionary security labelling and role-based access controls within a domain, and for user-sanctioned release of information from the domain coupled with application-oriented accounting and audit.[4]
Purple Penelope extended Windows NT and the Microsoft Office application suite.[5] The main features were a system of discretionary labelling and a trusted path for authorising security critical actions.
The discretionary labelling mechanism added security labels to files, application windows and the clipboard. The user's desktop display was augmented with a stripe across the top of the screen. This showed the security label of the application window that had focus and the security label of the clipboard. When data was copied to the clipboard the clipboard label was set to that of the source application window. When data was copied from the clipboard the destination application window's label "floated up" to the label of the new data. The user was free to change the label of a window or the clipboard at any time.
Users also had access to a shared file store. Files in the shared file store were labelled, and when a file was opened by an application, the application's window label was set to that of the file. The shared file store could not be written directly by an application. The user was able to copy files to the shared file store, but they were required to confirm the action using a trusted path interface that was inaccessible to applications.
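The label handling and trusted-path confirmation described above can be modelled in a few lines. This is an added illustration, not code from Purple Penelope: the four-level label ordering, the class and method names, the audit list and the use of window contents in place of files are all assumptions made for the example.

```python
from enum import IntEnum

class Label(IntEnum):
    # Assumed four-level ordering; the page does not list the labels used.
    UNCLASSIFIED = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3

class Window:
    def __init__(self, title, label=Label.UNCLASSIFIED, text=""):
        self.title, self.label, self.text = title, label, text

class Desktop:
    def __init__(self, trusted_path_confirm):
        # Stand-in for the trusted path: held by the desktop, never handed to
        # application code, and called with (file name, label) for each release.
        self._confirm = trusted_path_confirm
        self.clipboard, self.clipboard_label = "", Label.UNCLASSIFIED
        self.shared_store = {}  # file name -> (label, data)
        self.audit = []         # (file name, label name, confirmed) per request

    def copy(self, src):
        # The clipboard takes the label of the source window.
        self.clipboard, self.clipboard_label = src.text, src.label

    def paste(self, dst):
        # The destination label floats up to the pasted data's label, never down.
        dst.text += self.clipboard
        dst.label = max(dst.label, self.clipboard_label)

    def relabel(self, window, label):
        # Discretionary: the user may set any label, including a lower one.
        window.label = label

    def open_file(self, window, name):
        # Opening a shared file sets the window label to the file's label.
        window.label, window.text = self.shared_store[name]

    def copy_to_store(self, window, name):
        # Nothing is written unless the user confirms on the trusted path.
        confirmed = bool(self._confirm(name, window.label))
        self.audit.append((name, window.label.name, confirmed))
        if confirmed:
            self.shared_store[name] = (window.label, window.text)
        return confirmed
```

Because relabelling is discretionary, the model guards against mistakes rather than against a user who deliberately lowers a label; the confirmation and audit record at the point of release are what hold the user to account.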
The software created by the Purple Penelope project was licensed to Argus Systems where it was developed into a product called Deep Purple.[6] [7]
The software also laid the foundation for QinetiQ's SyBard Suite product.[8] [9]
The work on the cross-domain guard led to the production of DERA's SWIPSY firewall toolkit.[10] [11]
Purple was derived from the colour associated with joint operations in the UK MOD at the time.[12]
Penelope was the name of the wife of Odysseus who tricked her suitors by weaving a burial shroud during the day and unpicking it at night. This slow progress was thought to reflect the state of secure system development at the time.