Purple Penelope was a demonstration secure system created by the Defence Research Agency (DRA) in the UK. Its aim was to show that the security functionality of Windows NT could be extended to support users handling classified information.
Purple Penelope implemented the domain-based security model, which was developed for the UK Ministry of Defence by DRA to take advantage of Commercial Off The Shelf (COTS) software when implementing secure systems.
Within a security domain, access controls are designed to stop users from accessing material without a need-to-know and to prevent them from making mistakes when handling classified data. Controls over sharing information between security domains are more stringent: they defend against attacks and hold users to account for their actions. The model calls for discretionary security labelling and role-based access controls within a domain, and for user-sanctioned release of information from the domain coupled with application-oriented accounting and audit.
Purple Penelope extended Windows NT and the Microsoft Office application suite. The main features were a system of discretionary labelling and a trusted path for authorising security critical actions.
The discretionary labelling mechanism added security labels to files, application windows and the clipboard. The user's desktop display was augmented with a stripe across the top of the screen. This showed the security label of the application window that had focus and the security label of the clipboard. When data was copied to the clipboard the clipboard label was set to that of the source application window. When data was copied from the clipboard the destination application window's label "floated up" to the label of the new data. The user was free to change the label of a window or the clipboard at any time.
Users also had access to a shared file store. Files in the shared file store were labelled, and when one was opened by an application the application's window label was set to that of the file. The shared file store could not be written directly by an application. The user was able to copy files to the shared file store, but was required to confirm the action using a trusted path interface that was inaccessible to applications.
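The label handling described in the two paragraphs above can be summarised as a small model. This is an added illustration, not Purple Penelope's code: the label names and their ordering, the `Desktop` class, the `user_confirms` callback standing in for the trusted path, the audit record on release, and the rule that a released file takes the window's current label are all assumptions.

```python
# Toy model of the labelling rules described above (added example); label names are assumed.
LEVELS = ["UNCLASSIFIED", "RESTRICTED", "CONFIDENTIAL", "SECRET"]

def higher(a, b):
    return max(a, b, key=LEVELS.index)   # the more restrictive of two labels

class Desktop:
    def __init__(self):
        self.windows = {}            # window name -> label
        self.clipboard = LEVELS[0]   # label of the clipboard contents
        self.store = {}              # shared file store: file name -> label
        self.audit = []              # (file name, label, confirmed) per release attempt

    def set_label(self, window, label):
        # Discretionary: the user may create or relabel a window at any time.
        self.windows[window] = label

    def copy(self, src):
        # The clipboard takes the label of the source window.
        self.clipboard = self.windows[src]

    def paste(self, dst):
        # The destination label floats up to the clipboard label, never down.
        self.windows[dst] = higher(self.windows[dst], self.clipboard)

    def open_file(self, window, filename):
        # The window label is set to that of the opened file.
        self.windows[window] = self.store[filename]

    def release(self, window, filename, user_confirms):
        # The only way into the store. user_confirms stands in for the trusted
        # path prompt; assumption: the file takes the window's current label.
        label = self.windows[window]
        ok = bool(user_confirms(filename, label))
        self.audit.append((filename, label, ok))
        if not ok:
            raise PermissionError("release not confirmed on the trusted path")
        self.store[filename] = label

def demo():
    d = Desktop()
    d.set_label("report", "SECRET")
    d.set_label("email", "UNCLASSIFIED")
    d.copy("report")
    d.paste("email")                      # email floats up to SECRET
    d.release("email", "summary.txt", lambda name, label: True)
    d.set_label("viewer", "UNCLASSIFIED")
    d.open_file("viewer", "summary.txt")  # viewer becomes SECRET
    return d
```

Because labels are discretionary, the model does not stop a user from lowering a label before release; the confirmation step and the audit record are what hold the user to account.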
Purple was derived from the colour associated with joint operations in the UK MOD at the time.
Penelope was the name of the wife of Odysseus who tricked her suitors by weaving a burial shroud during the day and unpicking it at night. This slow progress was thought to reflect the state of secure system development at the time.