Purple Penelope was a demonstration secure system created by the Defence Research Agency (DRA) in the UK. Its aim was to show that the security functionality of Windows NT could be extended to support users handling classified information.
Purple Penelope  implemented the Domain Based Security model  which was developed for the UK Ministry of Defence by DRA to take advantage of using Commercial Off The Shelf (COTS) software to implement secure systems.
Within a security domain access controls are designed to stop users from accessing material without a need-to-know and to prevent them making mistakes when handling classified data, while controls over sharing information between security domains are more stringent and defend against attacks and hold the users to account for their actions. The model calls for discretionary security labelling and role based access controls within a domain and user-sanctioned release of information from the domain coupled with application oriented accounting and audit.
Purple Penelope extended Windows NT and the Microsoft Office application suite. The main features were a system of discretionary labelling and a trusted path for authorising security critical actions.
The discretionary labelling mechanism added security labels to files, application windows and the clipboard. The user's desktop display was augmented with a stripe across the top of the screen. This showed the security label of the application window that had focus and the security label of the clipboard. When data was copied to the clipboard the clipboard label was set to that of the source application window. When data was copied from the clipboard the destination application window's label "floated up" to the label of the new data. The user was free to change the label of a window or the clipboard at any time.
User's also had access to a shared file store. Files in the shared file store were labelled and when they were opened by an application the application's window label was set to that of the file. The shared file store could not be written directly by an application. The user was able to copy files to the shared file store but they were required to confirm the action using a trusted path interface that was inaccessible to applications.
Purple was derived from the colour associated with joint operations in the UK MOD at the time.
Penelope was the name of the wife of Odysseus who tricked her suitors by weaving a burial shroud during the day and unpicking it at night. This slow progress was thought to reflect the state of secure system development at the time.
- Wiseman, Simon (24 February 1997). "Purple Penelope: Extending the Security of Windows NT" (PDF). British Crown.
- Hayat, Zia; Reeve, Jeff; Boutle, Chris. "Domain Based Security: Improving Practices" (PDF).
- K J Hughes, Domain Based Security: enabling security at the level of applications and business processes Archived June 12, 2004, at the Wayback Machine.
- Macdonald, Ruaridh. "Purple Penelope and UK MOD's Emerging Strategy for Information Security" (PDF). Archived from the original (PDF) on 20 October 2014. Retrieved 28 February 2016.
- Wiseman, Simon R.; Whittaker, Colin J. (October 1997). "A New Strategy for COTS in Classified Systems" (PDF). 20th National Information Systems Security Conference. Baltimore.
- Magar, A. (November 2005). "Investigation of Technologies and Techniques for Labelling Information Objects to Support Access Management" (PDF). DRDC Ottawa CR.
- "NATO and MOD UK Tap Argus for Enhanced NT Security". 13 October 1998. Retrieved 28 February 2016.
- Anderson, Ross J. (2008). Security Engineering: A Guide to Building Dependable Distributed Systems (2nd ed.). Indianapolis, IN: Wiley. ISBN 978-0470068526.
- "DERA in software give-away". Worcester News. 15 June 2001. Retrieved 28 February 2016.
- "The Directory of Infosec Assured Products" (PDF). CESG. October 2010.
- MIDASS - Management in Domain Based Secure Systems
- Trevor Taylor, Jointery and the Emerging Defence Review, Nov 2009