This paper traces the ten plus year history of the Naval Research Laboratory's Pump idea. The Pump was theorized, designed, and built at the Naval Research Laboratory's Center for High Assurance Computer Systems. The reason for the Pump is the need to send messages from a "Low" enclave to a "High" enclave, in a secure and reliable manner. In particular, the Pump was designed to minimize the covert channel threat from the necessary message acknowledgements, without penalizing system performance and reliability. We review the need for the Pump, the design of the Pump, the variants of the Pump, and the current status of the Pump, along with manufacturing and certification difficulties.
This paper describes the security requirements and top level design of a network security device called the Network Pump (NP). The NP provides general purpose, reliable, and secure communications between two system high enclaves operating at different classification levels. This paper is structured as a Security Target as required by the Common Criteria for Information Technology Security Evaluation.