News/Events: Outreach: DARPA workshop - motivation
It is envisioned that future tactical computing environments will be comprised of a large number of processing nodes. Some nodes will be wireless intelligent sensors designed to serve a single purpose, while others may support a broad range of applications and require support for user interaction. The power, speed, instruction set and memory requirements for nodes will depend upon the role they are intended to fill. It is anticipated that most nodes must support networking, as there will be little need to process in isolation. These systems will form an interconnected information processing and transmission infrastructure for national defense.
With the fate of nations riding upon it, the security of the computing infrastructure is paramount. Over the past thirty years the vulnerability of computing systems to attack has been well documented, yet progress toward their protection has been difficult, and, with increased connectivity, systems are perhaps more vulnerable today than ever before.
More directly, the problem of insecure systems affects the US military in its ability to implement fully capable network-centric warfare (NCW) systems. Today, sensitive, classified information must be kept physically separate, on different machines and networks, from unclassified machines and from machines at different levels of classification. The networks and machines are run at "system high", that is, at the highest classification level of data that may run over them. Besides the increased cost of separate networks and machines, the inability to co-process data at different levels of classification hinders the military from taking advantage of high-value intelligence in tactical or forward-deployed engagements. The end result is that the combat soldier does not get access to high-value data in a timely fashion, nor do field commanders have the ability to multiplex and integrate information from different sources with different classification levels.
The ability to store, process, and forward data at multiple levels of classification, including unclassified data and code from untrusted sources, on a single platform and over a single network represents one of the most difficult challenges in secure computing today and a potentially high payoff for both military and civilian applications if successfully achieved. As such, the problem is ripe for DARPA investment given strong technical feasibility.
In this workshop, we hope to shed light on the state of the art in this technical area, key challenges in developing technical solutions, success criteria, and metrics for measuring progress toward our goals.
In particular, we are interested in different approaches to support guaranteed separation and authorized sharing of information in different sensitivity domains that consider hardware, firmware, microcode, and microkernels. One example is architectures that could provide guarantees that unclassified, untrusted data such as Internet traffic (Web, email, chat) and applications could co-exist on the same platform as Top Secret data and applications with no leakage between them. In addition to co-hosting multiple classifications of data, supporting allowed transactions between different classification levels (e.g., unclassified to classified - write up or read down) is desired, as well as the ability to support authorized downgrading (e.g., unclassified data in a SECRET partition to Unclassified partition).
Approaches to be considered include:
This U.S. Government Web Site is provided by the Naval Postgraduate School's Center for Information Systems Security Studies and Research for official information regarding CISR's programs and research.