ESTHER@mar.ed.ray.com ("Esther PARIS: x2022, x1398, x2451, or x2607") (05/21/91)
Hello Everyone!

Thanks to all the great Internet folks who have given me so much feedback about how to declassify a SECRET Apollo disk! I really appreciate your time and effort.

Here's the status/plan of attack to date:

1. Disk is still locked up.

2. We're running our software-based experiments on another OS 10.3 machine that has a spare small disk with no users on it.

3. We've tried all kinds of advice we've received from people, to no avail.

4. Our particular requirement, that goes beyond DoD directive 5200.28, is that we have to be able to read from the disk and show that it's been overwritten with unclassified or random patterns. In particular, we're tasked with doing three passes of overwrites (all 1s, all 0s, all of a third number), and after EACH PASS doing a low level read of the disk to show that there's all 1s (after first pass), all 0s (after 2nd pass) and all of the third number (after third pass) on every spot on the disk. This is to prove our procedure. We have to develop the procedure, document it, demonstrate it to ourselves, invite in the Defense Investigative Service Gurus, have them witness a dry run of the program on the spare unclassified disk, have them approve the procedure, then follow that procedure on our SECRET disk.

5. We have gratefully acknowledged all the ideas about FBS and DEX for the declassification part of the procedure! This has been very helpful information!

****** 6. We're still looking for a way to do the low level read of the disk so that we can prove the overwrites have occurred. We have tried using the special files found in /dev/dsk and/or /dev/rdsk. These have not helped us to date as when you scan them (i.e., run this shell script against the files:

    #!/bin/sh
    # Pick the raw device: default, or the one named on the command line.
    case $# in
    0) DISK=/dev/rdsk/W0d1s1 ;;
    1) DISK=$1 ;;
    *) echo 'usage: scandisk [device]' 1>&2 ; exit 1 ;;
    esac
    # Hex-dump the device, dropping lines of 0x55 fill and od's "*" repeat markers.
    od -x "$DISK" | sed -e '
    /5555 5555 5555 5555 5555 5555/d
    /^\*/d
    '

and hope to see some lines other than the boot block of the disk). It hasn't mattered how much data I have written to my spare disk, the scan of the disk shows the same results. We are running with OS 10.3, in the Aegis environment with systype = sys5.3.

7. In the meantime, we're trying to shake down a method of putting the Maxtor 760-MB disk onto a PC with an ESDI disk controller and formatting/declassifying the thing from DOS. We hear from our security office that Norton Utilities can be used to software-declassify a PC hard disk. We're trying to find an ESDI disk controller we can borrow (I can't ask the only person who has one here until Friday), or find out if the disk controller from the Apollo that's now diskless and unclassified could be put into the classified AT clone we have in the same room as the safe with the disk.

8. I can't just take the disk to any other machine with an ESDI disk controller or any old SUN because I can only put the disk onto a machine that itself is classified at SECRET or above.

Additional ideas still welcomed!

Esther Paris, 508/490-2022, Esther@mar.ed.ray.com
---- and -----
Bill Short, 508/490-3931, BShort@mar.ed.ray.com
Raytheon EDL
griffith_j@APOLLO.COM (John G. Griffith) (05/22/91)
Esther:

Here is the entire text of the declassification procedure. I hope it is helpful. As a side note, Ray Moran of the DIS (San Francisco Office) is looking at this procedure with the goal of certifying it under a DIS program. I understand that once he certifies it, it will be accepted for use throughout the US.

DECLASSIFICATION OF APOLLO EQUIPMENT

Apollo does provide users who use Apollo equipment with the capability to perform device and memory declassification procedures. Users who wish to declassify subsystems on Apollo equipment can use the facilities of the Diagnostics Executive (DEX) product to perform declassification of all device types. At sites where declassification occurs often, users can create DEX command files to automatically perform the procedures outlined below, or specify any other procedure deemed necessary and approved by the Accrediting Authority.

RANDOM ACCESS MEMORY

The standard requirement to declassify random access memory in systems processing up to and including TOP SECRET data is to cycle the power to it twice (turn off, wait 1 minute, turn on, wait for startup-diagnostics to complete, turn off). There is no backup memory power for RAM in Apollo systems, so this method will cause randomization and initialization of all random-access memory locations.

In the event that more sensitive information is being processed, or if the accrediting agency is more stringent, other methods may be required. One requirement in existence for sensitive information is that every physical memory location be over-written 1000 times with random or unclassified bit patterns. This requirement, or variations on it, can be satisfied using the Diagnostic Executive (DEX) program. The memory diagnostic module will support declassification by permitting the user to overwrite every location in memory a user-specified number of times. The procedure is provided below:

1. Obtain the Mnemonic Debugger (MD) prompt. This can be done by issuing the 'SHUT' display manager or boot shell command or by powering the node up while in Service mode.

2. > EX DEX

   the computer will respond with identification information, then the DEX prompt;

       DEX>

3. Declassify the area of memory above the DEX software:

       DEX> RUN MEM 100 -PASS 100 -PAT $FFFFFFFF 0 $AAAAAAAA $55555555 @
            { DEX will insert some identification information here }
       _> $00FF00FF $FF00FF00 $FFFFFFFF 0 $AAAAAAAA $55555555

4. DEX will then list the memory configuration of the system and ask if you want to restrict the address range to be tested. Enter 'N' for no.

5. DEX will then warn you that it cannot test certain ranges of memory, then starts the test on the remainder of memory available. This is because those parts of memory are occupied by DEX and the memory test programs:

       ENTERING "MEM.DEX.1"
       %WARNING: CANNOT TEST RANGE $01000000 TO $010007FF - (MEM.DEX/MCR)
       %WARNING: CANNOT TEST RANGE $01000800 TO $010447FF - (MEM.DEX/MCR)
       ...

   Note the lowest and the highest address in this list (in this case, $01000000 and $010447FF).

6. When the test completes, relocate the DEX system to the highest available memory locations:

       DEX> RELOC -HIGH

7. Repeat step 3.

8. In response to the query regarding restricting the address range, either answer 'N' as before, or save some time by restricting the memory to be tested to just those areas previously occupied by DEX:

       RESTRICT ADDRESS RANGE (Y, N) <N>: Y
       RESTRICTION BY BOARD # OR ADDRESS RANGE (B, R, N) <B>: R
       LOW RANGE ADDRESS TO TEST <$0>: $01000000    { using above data }
       HIGH RANGE ADDRESS TO TEST <$0>: $010447FF   { using above data }
       LOW RANGE ADDRESS TO TEST <$0> :
       .. ..

Note that the address range $01000000 TO $010007FF cannot be cleared using this method. This area of physical memory is reserved for the mnemonic debugger work space, and therefore is not available for use by either the operating system or any user. Because of its restricted use, there is little or no risk that classified information will be stored in that memory page. The MD command TE will cause this area to be overwritten, and powering the node down will cause this page of memory to be 'randomized'.

MAGNETIC REMOVABLE MEDIA

It is recommended that media in this category, including 1/2" magnetic tape, floppy diskettes, and cartridge tapes, be either declassified using an NSA-approved degaussing device, or be destroyed in accordance with the appropriate service and/or DoD regulation(s). The use of an approved degaussing device is much more economic, saves wear and tear on the system peripherals, and is considered to present less of a security risk than using program-driven declassification tools. The procedure below outlines a DEX procedure to declassify floppy diskettes. Similar procedures can be performed on 1/2" magnetic tape and cartridge tape media, if necessary.

The Diagnostic Executive (DEX) can be used to declassify floppy diskettes in accordance with Department of Defense Directive 5200.28. The procedure to accomplish this consists of four phases: Declassification, Verification, Formatting, and Re-Involing. The Declassification phase is accomplished as follows:

1. Obtain the Mnemonic Debugger (MD) prompt. This can be done by issuing the 'SHUT' display manager or boot shell command or by powering the node up while in Service mode.

2. > EX DEX

   the computer will respond with identification information, then the DEX prompt;

       DEX>

3. DEX> RUN FLP 10 -ENTIRE -NOBADSPOTS -WRITE -PAT $FFFF

4. DEX will warn you that the operation will destroy the contents of the disk, and ask you if you want to continue. Enter 'Y'. DEX will then execute the diagnostic. Ignore any bad spot errors reported. When complete, DEX will issue the DEX prompt.

5. Repeat steps 3 and 4, changing the pattern written to 0:

       DEX> RUN FLP 10 -ENTIRE -NOBADSPOTS -WRITE -PAT $0

6. Repeat steps 3 and 4, changing the pattern argument to any random value:

       DEX> RUN FLP 10 -ENTIRE -NOBADSPOTS -WRITE -RANDOM

The diskette has now been declassified. The verification phase is described after the declassification instructions for winchesters and storage devices.

WINCHESTER AND STORAGE MODULE DEVICES

Like memory and floppy diskettes, Winchester and Storage Module Devices can be declassified using the Diagnostic Executive (DEX) utility if the procedure is approved by the Accrediting Authority. The procedure below meets the requirements of DoD Directive 5200.28. The user should be warned that some Accrediting Authorities WILL NOT accept any form of declassification and require that the device be destroyed.

The procedure for declassification of a winchester disk or storage module follows:

1. Obtain the Mnemonic Debugger (MD) prompt. This can be done by issuing the 'SHUT' display manager or boot shell command or by powering the node up while in Service mode.

2. > EX DEX

   the computer will respond with identification information, then the DEX prompt;

       DEX>

3. Start the DEX write/read/verify test. For information on how to specify different disk devices on a multi-disk system, read the DEX manual, or use the DEX help facility to determine the arguments required.

       DEX> RUN WIN 10 -ENTIRE -NOBADSPOTS -WRITE -PAT $FFFF {-controller x -drive y}

4. DEX will warn you that the operation will destroy the contents of the disk, and ask you if you want to continue. Enter 'Y'. DEX will then execute the diagnostic. Ignore any bad spot errors reported. DEX will also provide warnings that the test is skipping bad block tracks. These can be ignored, since they are not writable by users. When complete, DEX will reissue the DEX prompt.

5. Repeat steps 3 and 4, changing the pattern written to 0:

       DEX> RUN WIN 10 -ENTIRE -NOBADSPOTS -WRITE -PAT $0

6. Repeat steps 3 and 4, changing the pattern argument to any random value:

       DEX> RUN WIN 10 -ENTIRE -NOBADSPOTS -WRITE -RANDOM

The disk has now been declassified. ( Note that this test writes the full sector address in the first 6 bytes of each sector each pass. )

VERIFICATION OF DECLASSIFICATION

Every Apollo-supported disk supports an exerciser test which accepts manual commands for certain common operations. This test can be used to randomly read and display sectors or tracks from a declassified disk. In addition, a compare function is supported to aid in detecting disk sectors that contain unknown values. The test number to execute varies from machine type to machine type. The following table provides the test number for each of the machine types currently supported:

    Node Type                        Sau      Test #
    DN560T, DN570T, DN580T, DN590T   /sau6    502
    DN3500/4000/4500                 /sau7    108
    DN3000/3010/3050                 /sau8    108
    DN10000                          /sau10   502

To verify the contents of any track on the disk, execute the following command at the DEX prompt:

    {For a Sau7/8 machine:}
    DEX> RUN WIN 108 -ENTIRE -NOBADSPOTS -WRITE -PAT $0 {-controller x -drive y}

DEX will load the test and display some identification, then ask the following questions:

    **************************** WARNING! WARNING! ****************************
    THE PARAMETERS YOU HAVE CHOSEN WILL DESTROY DATA ON THE DISK.
    DO YOU WISH TO CONTINUE? (Y, N) <N>: Y(CR)

As indicated above, answer with a 'Y' and a return. DEX will then execute the exerciser test. This test first displays the current disk parameter set and explains how to get help. In general, to view a disk sector, the command sequence follows:

    COMMAND [GO]: clear (cr)
    CLEARED THE COMMAND TABLE
    COMMAND [GO]: seek (cylinder) (head) (cr)
    COMMAND ACCEPTED
    COMMAND [GO]: read s (start sector) (# of sectors) (cr)
    COMMAND ACCEPTED
    COMMAND [GO]: print i (# of bytes per sector to print) (# of sectors) (cr)
    COMMAND ACCEPTED
    COMMAND [GO]: (cr)

This sequence will permit you to examine any sector or sectors on the disk.

RE-FORMATTING AND RE_INVOLING THE DISK

At this point, the disk is useless as all information and programs on it have been written over. In order to continue, the system must be booted off another boot source (i.e., another disk, cartridge tape, floppy disk, or another node on the network). Boot the node from the alternate boot source in accordance with the operations manual, and then execute the INVOL stand-alone utility. The operations required include:

Option 1: Initialize a virgin physical volume. For verification options, choose option 3 - Write and reread all blocks on the volume. This Option re-formats and re-initializes the disk so that it can be used in Apollo file systems.

Option 8: Initialize OS Paging Area. Required if this is to be a bootable disk.

INVOL will complete each option with a request for more to do. After the desired options have been executed, enter 'n' in response to this question. Software can now be installed on the disk in accordance with the installation instructions that accompany the software.

---------------------------------------------------------------------------------

Command File Examples: (based on DEX Memory Test version 4.0, October 21, 1987 )

create file /sau_sys/dmem.cmd:

    ONERR -CONT
    RELOC -LO -CMD 'DO /sau_sys/dmemlo'
    DO /sau_sys/dmemlo

create file /sau_sys/dmemlo.cmd:

    ONERR -CONT
    INPUT -CMD
    TYPE 'START UPPER MEMORY DECLASSIFICATION'
    RUN MEM 100 -PASS 3 -PAT $FFFFFFFF 0 $AAAAAAAA $55555555
    N
    TYPE 'UPPER MEMORY DECLASSIFICATION COMPLETE'
    RELOC -HIGH -CMD 'DO /sau_sys/dmemhi'

create file /sau_sys/dmemhi.cmd:

    ONERR -CONT
    INPUT -CMD
    TYPE 'START LOWER MEMORY DECLASSIFICATION'
    RUN MEM 100 -PASS 3 -BOARD 0 -PAT $FFFFFFFF 0 $AAAAAAAA $55555555
    TYPE 'LOWER MEMORY DECLASSIFICATION COMPLETE'
    TYPE
    TYPE 'MEMORY DECLASSIFICATION COMPLETE'

---

Memory declassification can now be accomplished by entering the following command at the DEX prompt:

    DEX> DO /sau_sys/dmem

--------
John G. Griffith                          EMAIL: griffith_j@apollo.hp.com
Operating Systems Technology Lab, OSSD    mit-eddie!apollo!griffith_j
Hewlett-Packard, Inc.
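
Added example, not part of either post and not Apollo or DEX code: a Python check for the per-pass verification described in the first message, reading a raw device or image sector by sector and ignoring the first 6 bytes of each sector, which the procedure above says the write test stamps with the sector address. The 512-byte sector size, the big-endian stamp in the constructed sample image, and all function names are assumptions.

```python
import io

SECTOR_SIZE = 512  # assumption: set to the drive's real sector size
HEADER_LEN = 6     # leading bytes per sector that hold the sector address

def fill(pattern, size):
    """Repeat `pattern` from offset 0 until it covers `size` bytes."""
    return (pattern * (size // len(pattern) + 1))[:size]

def verify_pass(stream, pattern, sector_size=SECTOR_SIZE, skip=HEADER_LEN):
    """Compare every sector with the fill pattern, ignoring the first
    `skip` bytes. Returns (sectors_read, bad); bad holds one
    (sector, offset, found_byte) tuple per failing sector."""
    expected = fill(pattern, sector_size)
    bad, index = [], 0
    while True:
        sector = stream.read(sector_size)
        if not sector:
            break
        if len(sector) < sector_size:
            # Short read: the tail of this sector was never examined.
            bad.append((index, len(sector), None))
        elif sector[skip:] != expected[skip:]:
            off = next(i for i in range(skip, sector_size)
                       if sector[i] != expected[i])
            bad.append((index, off, sector[off]))
        index += 1
    return index, bad

def make_image(pattern, sectors, sector_size=SECTOR_SIZE):
    """Constructed sample: pattern-filled sectors, each stamped with its
    own number in the first HEADER_LEN bytes (big-endian is assumed)."""
    body = fill(pattern, sector_size)[HEADER_LEN:]
    return b"".join(n.to_bytes(HEADER_LEN, "big") + body
                    for n in range(sectors))

def demo():
    """Three clean passes, then a pass with one stale byte left behind."""
    passes = {"ones": b"\xff\xff", "zeros": b"\x00\x00", "third": b"\x55\x55"}
    out = {name: verify_pass(io.BytesIO(make_image(p, 8)), p)
           for name, p in passes.items()}
    stale = bytearray(make_image(b"\x00\x00", 8))
    stale[5 * SECTOR_SIZE + 100] = 0x41  # simulated sector the overwrite missed
    out["stale"] = verify_pass(io.BytesIO(bytes(stale)), b"\x00\x00")
    return out

if __name__ == "__main__":
    for name, (count, bad) in demo().items():
        print(f"{name}: {count} sectors,", "clean" if not bad else f"FAILED {bad}")
```

Against a real device, open the raw special file in binary mode and pass it as `stream`; a pass is proven only when `bad` is empty and `sectors_read` equals the drive's full sector count.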