Purple Penelope Explained

Purple Penelope was a demonstration secure system created by the Defence Research Agency (DRA) in the UK. Its aim was to show that the security functionality of Windows NT could be extended to support users handling classified information.

Security Model

Purple Penelope [1] implemented the Domain Based Security model [2] [3] which was developed for the UK Ministry of Defence by DRA to take advantage of using Commercial Off The Shelf (COTS) software to implement secure systems.

Within a security domain access controls are designed to stop users from accessing material without a need-to-know and to prevent them making mistakes when handling classified data, while controls over sharing information between security domains are more stringent and defend against attacks and hold the users to account for their actions. The model calls for discretionary security labelling and role based access controls within a domain and user-sanctioned release of information from the domain coupled with application oriented accounting and audit.[4]

Security Functionality

Purple Penelope extended Windows NT and the Microsoft Office application suite.[5] The main features were a system of discretionary labelling and a trusted path for authorising security critical actions.

The discretionary labelling mechanism added security labels to files, application windows and the clipboard. The user's desktop display was augmented with a stripe across the top of the screen. This showed the security label of the application window that had focus and the security label of the clipboard. When data was copied to the clipboard the clipboard label was set to that of the source application window. When data was copied from the clipboard the destination application window's label "floated up" to the label of the new data. The user was free to change the label of a window or the clipboard at any time.

User's also had access to a shared file store. Files in the shared file store were labelled and when they were opened by an application the application's window label was set to that of the file. The shared file store could not be written directly by an application. The user was able to copy files to the shared file store but they were required to confirm the action using a trusted path interface that was inaccessible to applications.

Legacy

The software created by the Purple Penelope project was licensed to Argus Systems where it was developed into a product called Deep Purple.[6] [7]

The software also laid the foundation for QinetiQ's SyBard Suite product.[8] [9]

The work on the cross-domain guard led to the production of DERA's SWIPSY firewall toolkit.[10] [11]

Name

Purple was derived from the colour associated with joint operations in the UK MOD at the time.[12]

Penelope was the name of the wife of Odysseus who tricked her suitors by weaving a burial shroud during the day and unpicking it at night. This slow progress was thought to reflect the state of secure system development at the time.

Notes and References

  1. Web site: Wiseman . Simon . Purple Penelope: Extending the Security of Windows NT . 24 February 1997 . British Crown.
  2. Web site: Hayat . Zia . Reeve . Jeff . Boutle . Chris . Domain Based Security: Improving Practices.
  3. K J Hughes, Domain Based Security: enabling security at the level of applications and business processes
  4. Web site: Macdonald . Ruaridh . Purple Penelope and UK MOD's Emerging Strategy for Information Security . 28 February 2016 . https://web.archive.org/web/20141020140709/http://www.opengroup.org/security/meetings/sep97/Group.pdf . 20 October 2014.
  5. Web site: Wiseman . Simon R. . Whittaker . Colin J. . A New Strategy for COTS in Classified Systems . 20th National Information Systems Security Conference . Baltimore . October 1997.
  6. Web site: Magar . A. . Investigation of Technologies and Techniques for Labelling Information Objects to Support Access Management . DRDC Ottawa CR . November 2005.
  7. Web site: NATO and MOD UK Tap Argus for Enhanced NT Security . 13 October 1998 . 28 February 2016.
  8. Book: Anderson . Ross J. . Security Engineering: A Guide to Building Dependable Distributed Systems . 2008 . Wiley . Indianapolis, IN . 978-0470068526 . 2nd.
  9. Web site: DERA in software give-away . 15 June 2001 . Worcester News . 28 February 2016.
  10. Web site: The Directory of Infosec Assured Products . October 2010 . CESG.
  11. http://www.selex-comms.com/internet/localization/IPC/media/docs/midass.pdf MIDASS - Management in Domain Based Secure Systems
  12. Trevor Taylor, Jointery and the Emerging Defence Review, Nov 2009