[comp.sys.apollo] more on that disk in the SECRET safe

ESTHER@mar.ed.ray.com ("Esther PARIS: x2022, x1398, x2451, or x2607") (05/21/91)

Hello Everyone!

Thanks to all the great Internet folks who have given me so much feedback
about how to declassify a SECRET Apollo disk!  I really appreciate your
time and effort.

Here's the status/plan of attack to date:

	1. disk is still locked up
	2. We're running our software-based experiments on another 
	   OS 10.3 machine that has a spare small disk with no users on it.
	3. We've tried all kinds of advice we've received from people, to
           no avail.
	4. Our particular requirement, that goes beyond DoD directive
	   5200.28 is that we have to be able to read from the disk and
	   show that it's been overwritten with unclassified or random
	   patterns.  In particular, we're tasked with doing three passes
	   of overwrites, (all 1s, all 0s, all of a third number), and
	   after EACH PASS doing a low level read of the disk to show that
	   there's all 1s (after first pass), all 0s (after 2nd pass) and
	   all of the third number (after third pass) on every spot on the
	   disk.  This is to prove our procedure.  We have to develop the
   	   procedure, document it, demonstrate it to ourselves, invite in
	   the Defense Investigative Service Gurus, have them witness a dry
	   run of the program on the spare unclassified disk, have them
	   approve the procedure, then follow that procedure on our SECRET
	   disk.
	5. We have gratefully acknowledged all the ideas about FBS and DEX
	   for the declassification part of the procedure!  This has been
	   very helpful information!
******	6. We're still looking for a way to do the low level read of the disk
           so that we can prove the overwrites have occurred.  We have tried
	   using the special files found in /dev/dsk and/or /dev/rdsk.  These
	   have not helped us to date as when you scan them (i.e., run this
	   shell script against the files:

             #!/bin/sh
             # scandisk [device]: dump the raw device with od and drop the
             # lines that are only the 5555 fill pattern, plus od's "*"
             # duplicate-line markers, so anything else on the disk shows up.

             case $# in
             0)	DISK=/dev/rdsk/W0d1s1 ;;
             1)	DISK=$1 ;;
             *)	echo 'usage: scandisk [device]' 1>&2 ; exit 1 ;;
             esac

             od -x "$DISK" | sed -e '
             	/5555 5555 5555 5555 5555 5555/d
             	/^\*/d
             '

            and hope to see some lines other than the boot block of the
            disk).  It hasn't mattered how much data I have written to
	    my spare disk, the scan of the disk shows the same results.
	    We are running with OS 10.3, in the Aegis environment with
	    systype = sys5.3
	7.  In the meantime, we're trying to shake down a method of
            putting the Maxtor 760-MB disk onto a PC with an ESDI disk
            controller and formatting/declassifying the thing from DOS.
	    We hear from our security office that Norton Utilities can be
	    used to software-declassify a PC hard disk.  We're trying to
	    find an ESDI disk controller we can borrow (I can't ask the
	    only person who has one here until Friday), or find out if the
	    disk controller from the Apollo that's now diskless and
            unclassified could be put into the classified AT clone we have
	    in the same room as the safe with the disk.
	8.  I can't just take the disk to any other machine with an ESDI
	    disk controller or any old SUN because I can only put the disk
	    onto a machine that itself is classified at SECRET or above.

Additional ideas still welcomed!
Esther Paris, 508/490-2022, Esther@mar.ed.ray.com    ---- and -----
Bill Short, 508/490-3931, BShort@mar.ed.ray.com

Raytheon EDL
	

griffith_j@APOLLO.COM (John G. Griffith) (05/22/91)

Esther:
	Here is the entire text of the declassification procedure.
I hope it is helpful.

	As a side note, Ray Moran of the DIS (San Francisco Office)
is looking at this procedure with the goal of certifying it under a DIS
program. I understand that once he certifies it, it will be accepted for use
throughout the US.


DECLASSIFICATION OF APOLLO EQUIPMENT 

    Apollo does provide users who use Apollo equipment with the capability to
perform device and memory declassification procedures. Users who wish to
declassify subsystems on Apollo equipment can use the facilities of the
Diagnostics Executive (DEX) product to perform declassification of all device
types. At sites where declassification occurs often, users can create DEX
command files to automatically perform the procedures outlined below, or specify
any other procedure deemed necessary and approved by the Accrediting Authority.


     RANDOM ACCESS MEMORY

     The standard requirement to declassify random access memory in systems
processing up to and including TOP SECRET data is to cycle the power to it twice
(turn off, wait 1 minute, turn on, wait for startup-diagnostics to complete,
turn off). There is no backup memory power for RAM in Apollo systems, so this
method will cause randomization and initialization of all random-access memory 
locations.


     In the event that more sensitive information is being processed, or if the
accrediting agency is more stringent, other methods may be required. One
requirement in existence for sensitive information is that every physical memory
location be over-written 1000 times with random or unclassified bit patterns.
This requirement, or variations on it, can be satisfied using the Diagnostic
Executive (DEX) program. The memory diagnostic module will support
declassification by permitting the user to overwrite every location in memory a
user-specified number of times. The procedure is provided below:


1.   Obtain the Mnemonic Debugger (MD) prompt. This can be done by issuing the
'SHUT' display manager or boot shell command or by powering the node up while in
Service mode.

2.   > EX DEX

     The computer will respond with identification information, then the
     DEX prompt: DEX>

3.   Declassify the area of memory above the DEX software: 

    DEX> RUN MEM 100 -PASS 100 -PAT $FFFFFFFF 0 $AAAAAAAA $55555555 @
     { DEX will insert some identification information here }
    _> $00FF00FF $FF00FF00 $FFFFFFFF 0 $AAAAAAAA $55555555

4.   DEX will then list the memory configuration of the system and ask if you
     want to restrict the address range to be tested. Enter 'N' for no. 

5.   DEX will then warn you that it cannot test certain ranges of memory, then
     starts the test on the remainder of memory available. This is because those
     parts of memory are occupied by DEX and the memory test programs:

     ENTERING "MEM.DEX.1"
     %WARNING: CANNOT TEST RANGE $01000000 TO $010007FF - (MEM.DEX/MCR)
     %WARNING: CANNOT TEST RANGE $01000800 TO $010447FF - (MEM.DEX/MCR)
     ...

     Note the lowest and the highest address in this list (in this case, $01000000 and
     $010447FF).

6.   When the test completes, relocate the DEX system to the highest available
     memory locations:

     DEX> RELOC -HIGH

7.   Repeat step 3.

8.   In response to the query regarding restricting the address range,
     either answer 'N' as before, or save some time by restricting the memory to 
     be tested to just those areas previously occupied by DEX:

     RESTRICT ADDRESS RANGE (Y, N) <N>: Y
     RESTRICTION BY BOARD # OR ADDRESS RANGE (B, R, N) <B>: R
     LOW RANGE ADDRESS TO TEST <$0>: $01000000    { using above data }
     HIGH RANGE ADDRESS TO TEST <$0>: $010447FF   { using above data }
     LOW RANGE ADDRESS TO TEST <$0> :
     ..
     ..

     Note that the address range $01000000 TO $010007FF cannot be cleared using
     this method. This area of physical memory is reserved for the mnemonic
     debugger work space, and therefore is not available for use by either the
     operating system or any user. Because of its restricted use, there is
     little or no risk that classified information will be stored in that memory
     page. The MD command TE will cause this area to be overwritten, and
     powering the node down will cause this page of memory to be 'randomized'.


     MAGNETIC REMOVABLE MEDIA

     It is recommended that media in this category, including 1/2" magnetic
tape, floppy diskettes, and cartridge tapes, be either declassified using an
NSA-approved degaussing device, or be destroyed in accordance with the
appropriate service and/or DoD regulation(s). The use of an approved degaussing
device is much more economic, saves wear and tear on the system peripherals, and
is considered to present less of a security risk than using program-driven
declassification tools. The procedure below outlines a DEX procedure to
declassify floppy diskettes. Similar procedures can be performed on 1/2"
magnetic tape and cartridge tape media, if necessary.

    The Diagnostic Executive (DEX) can be used to declassify floppy diskettes in
accordance with Department of Defense Directive 5200.28. The procedure to
accomplish this consists of four phases: Declassification, Verification,
Formatting, and Re-Involing. The Declassification phase is accomplished as follows:


1.   Obtain the Mnemonic Debugger (MD) prompt. This can be done by issuing the
'SHUT' display manager or boot shell command or by powering the node up while in
Service mode.

2.   > EX DEX

     The computer will respond with identification information, then the
     DEX prompt: DEX>

3.   DEX> RUN FLP 10 -ENTIRE -NOBADSPOTS -WRITE -PAT $FFFF

4.   DEX will warn you that the operation will destroy the contents of the disk,
     and ask you if you want to continue. Enter 'Y'. DEX will then execute the
     diagnostic. Ignore any bad spot errors reported. When complete, DEX will
     issue the DEX prompt.

5.   Repeat steps 3 and 4, changing the pattern written to 0:

     DEX> RUN FLP 10 -ENTIRE -NOBADSPOTS -WRITE -PAT $0

6.   Repeat steps 3 and 4, changing the pattern argument to any random value:

     DEX> RUN FLP 10 -ENTIRE -NOBADSPOTS -WRITE -RANDOM

    The diskette has now been declassified. The verification phase is described
after the declassification instructions for winchesters and storage devices.


    WINCHESTER AND STORAGE MODULE DEVICES

    Like memory and floppy diskettes, Winchester and Storage Module Devices can
be declassified using the Diagnostic Executive (DEX) utility if the procedure is
approved by the Accrediting Authority. The procedure below meets the
requirements of DoD Directive 5200.28. The user should be warned that some
Accrediting Authorities WILL NOT accept any form of declassification and require
that the device be destroyed. 

    The procedure for declassification of a winchester disk or storage
module follows:

1.   Obtain the Mnemonic Debugger (MD) prompt. This can be done by issuing the
'SHUT' display manager or boot shell command or by powering the node up while in
Service mode.

2.   > EX DEX

     The computer will respond with identification information, then the
     DEX prompt: DEX>

3.   Start the DEX write/read/verify test. For information on how to specify
     different disk devices on a multi-disk system, read the DEX manual, or use the
     DEX help facility to determine the arguments required.

     DEX> RUN WIN 10 -ENTIRE -NOBADSPOTS -WRITE -PAT $FFFF {-controller x -drive y}

4.   DEX will warn you that the operation will destroy the contents of the disk,
     and ask you if you want to continue. Enter 'Y'. DEX will then execute the
     diagnostic. Ignore any bad spot errors reported. DEX will also provide
     warnings that the test is skipping bad block tracks. These can be
     ignored, since they are not writable by users. When complete, DEX will     
     reissue the DEX prompt.

5.   Repeat steps 3 and 4, changing the pattern written to 0:

     DEX> RUN WIN 10 -ENTIRE -NOBADSPOTS -WRITE -PAT $0

6.   Repeat steps 3 and 4, changing the pattern argument to any random value:

     DEX> RUN WIN 10 -ENTIRE -NOBADSPOTS -WRITE -RANDOM

    The disk has now been declassified.

    ( Note that this test writes the full sector address in the first
      6 bytes of each sector each pass. )

VERIFICATION OF DECLASSIFICATION

Every Apollo-supported disk supports an exerciser test which accepts manual
commands for certain common operations. This test can be used to randomly
read and display sectors or tracks from a declassified disk. In addition, 
a compare function is supported to aid in detecting disk sectors that contain
unknown values.

The test number to execute varies from machine type to machine type. The
following table provides the test number for each of the machine types currently
supported:

            Node Type                      Sau       Test #
            DN560T, DN570T, DN580T, DN590T /sau6     502
            DN3500/4000/4500               /sau7     108
            DN3000/3010/3050               /sau8     108
            DN10000                        /sau10    502

To verify the contents of any track on the disk, execute the following
command at the DEX prompt:

{For a Sau7/8 machine:}
DEX> RUN WIN 108 -ENTIRE -NOBADSPOTS -WRITE -PAT $0 {-controller x -drive y}
DEX will load the test and display some identification, then ask the
following questions:
**************************** WARNING! WARNING! ****************************
THE PARAMETERS YOU HAVE CHOSEN WILL DESTROY DATA ON THE DISK.
DO YOU WISH TO CONTINUE?  (Y, N) <N>: Y(CR)

As indicated above, answer with a 'Y' and a return. DEX will then execute the
exerciser test. This test first displays the current disk parameter set and 
explains how to get help. In general, to view a disk sector, the command sequence
follows:
COMMAND [GO]: clear (cr)
     CLEARED THE COMMAND TABLE
COMMAND [GO]: seek (cylinder) (head) (cr)
     COMMAND ACCEPTED
COMMAND [GO]: read s (start sector) (# of sectors) (cr)
     COMMAND ACCEPTED
COMMAND [GO]: print i (# of bytes per sector to print) (# of sectors) (cr)
     COMMAND ACCEPTED
COMMAND [GO]: (cr)

This sequence will permit you to examine any sector or sectors on the disk.

RE-FORMATTING AND RE-INVOLING THE DISK

At this point, the disk is useless as all information and programs on it have been
written over. In order to continue, the system must be booted off another boot
source (i.e., another disk, cartridge tape, floppy disk, or another node on the 
network). Boot the node from the alternate boot source in accordance with the
operations manual, and then execute the INVOL stand-alone utility. The operations
required include:

Option 1: Initialize a virgin physical volume.

  For verification options, choose option 3 - Write and reread all blocks on the volume.

  This Option re-formats and re-initializes the disk so that it can be used in Apollo
  file systems.

Option 8: Initialize OS Paging Area.
  Required if this is to be a bootable disk.

INVOL will complete each option with a request for more to do. After the desired options
have been executed, enter 'n' in response to this question.

Software can now be installed on the disk in accordance with the installation instructions
that accompany the software.



---------------------------------------------------------------------------------
Command File Examples: (based on DEX Memory Test version 4.0, October 21, 1987 )

create file /sau_sys/dmem.cmd:
ONERR -CONT
RELOC -LO -CMD 'DO /sau_sys/dmemlo'
DO /sau_sys/dmemlo

create file /sau_sys/dmemlo.cmd:
ONERR -CONT
INPUT -CMD
TYPE 'START UPPER MEMORY DECLASSIFICATION'
RUN MEM 100 -PASS 3 -PAT $FFFFFFFF 0 $AAAAAAAA $55555555 
N
TYPE 'UPPER MEMORY DECLASSIFICATION COMPLETE'
RELOC -HIGH -CMD 'DO /sau_sys/dmemhi'

create file /sau_sys/dmemhi.cmd:
ONERR -CONT
INPUT -CMD
TYPE 'START LOWER MEMORY DECLASSIFICATION'
RUN MEM 100 -PASS 3 -BOARD 0 -PAT $FFFFFFFF 0 $AAAAAAAA $55555555 
TYPE 'LOWER MEMORY DECLASSIFICATION COMPLETE'
TYPE
TYPE 'MEMORY DECLASSIFICATION COMPLETE'

---

Memory declassification can now be accomplished by entering the
following command at the DEX prompt:

DEX> DO /sau_sys/dmem



--------
John G. Griffith			EMAIL:	griffith_j@apollo.hp.com
Operating Systems Technology Lab, OSSD		mit-eddie!apollo!griffith_j
Hewlett-Packard, Inc.