compositional certification for mils
play

Compositional Certification for MILS John Rushby Computer Science - PowerPoint PPT Presentation

Jan 30, 2023 •265 likes •548 views

Compositional Certification for MILS John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Compositional Cert for MILS: 1 Intuitive Security Architecture Almost all system designs are portrayed in

  1. Compositional Certification for MILS John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Compositional Cert for MILS: 1

  2. Intuitive Security Architecture • Almost all system designs are portrayed in diagrams using circles and arrows • But in security, these have a particular (often unconscious) force and interpretation • Arrows indicate interfaces ◦ Implicitly, absence of an arrow means absence of component interaction • Circles indicate encapsulated data, information, control, etc. ◦ The only things that happen inside a circle are consequences of things in that circle and the incoming arrows, and the only things that change are the internal state of the circle and its outgoing arrows John Rushby, SR I Compositional Cert for MILS: 2

  3. Good Intuitive Security Architecture • Try to arrange the circles and arrows so that security depends on only a few trusted circles • And those are trusted to do only relatively simple things • Split big circles up if necessary to achieve these John Rushby, SR I Compositional Cert for MILS: 3

  4. The MILS Idea • The structure of the system implementation should directly reflect the circles and arrows picture ◦ i.e., the implementation directly follows the logical design • We can afford to have lots of circle and arrows, and should use this to reduce and simplify the trusted circles Let me say that again • The structure of the system implementation should directly reflect the circles and arrows picture ◦ i.e., the implementation directly follows the logical design • We can afford to have lots of circle and arrows, and should use this to reduce and simplify the trusted circles John Rushby, SR I Compositional Cert for MILS: 4

  5. The MILS Technology • We can afford to have lots of circles and arrows because we can efficiently and securely share physical resources among separate logical circles and arrows • Care and skill needed to determine which logical components share physical resources (performance, faults) separation kernel TSE partitioning filesystem John Rushby, SR I Compositional Cert for MILS: 5

  6. The MILS Architecture • The MILS architecture is a combination of the idea and the technology • Deconstruct functions so the trusted components are as simple as possible ◦ These trusted components are called operational • Allow operational and untrusted components to share resources ◦ The components that do the secure sharing (separation kernel etc.) are called foundational • We need protection profiles for these classes of components ◦ Assurance specialization goes Common Criteria (CC) to Protection Profile (PP) to Security Target (ST) to Target of Evaluation (TOE) John Rushby, SR I Compositional Cert for MILS: 6

  7. Advantages of the MILS Architecture • The foundational and operational security concerns are kept separate ◦ Separate kinds of components ◦ Separate kinds of PPs • Cf. traditional security kernels, where one component partitioned many kinds of resources (complex implementation), and either enforced a single operational security property (too rigid to be useful) or several (too complicated to be credible) • MILS is feasible today because we know how to do fine grain partitioning (e.g., paravirtualization), have better hardware support, and can afford the overhead John Rushby, SR I Compositional Cert for MILS: 7

  8. Goals for the MILS Architecture These include • Security ◦ Security includes many notions, such as confidentiality, integrity, access control, authorized flow, authorized actions, and is often required in combination with other difficult properties, such as safety • Functionality ◦ The system must achieve its operational purpose, which is usually about something other than security • Assurance ◦ Need a rational approach to evaluation and certification • Affordability Previous approaches to computer security failed on one or more, or all of these John Rushby, SR I Compositional Cert for MILS: 8

  9. Affordability • A reasonable expectation is that affordability will be promoted by a COTS competitive marketplace • So we need open standards, large market, many suppliers • The MILS component PPs (separation kernel, partitioning communication system, console, file system, network stack) are open standards intended to promote a COTS market • Makes sense to develop these first so that suppliers have time to develop products • But this bottom-up initiative must be complemented by a top-down one that helps systems integrators understand how to use these components • And how to develop an evaluation case for a system from those of its components John Rushby, SR I Compositional Cert for MILS: 9

  10. MILS Integration Protection Profile • Security is a system property • Existing MILS protection profiles are for components • How do we know that a system composed of evaluated components is secure? ◦ And how is the evaluation for the system constructed from the evaluations of its components? • This is what the MILS Integration PP (MIPP) is about • It is an instance of compositional certification • A bold vision that pushes the state of the art John Rushby, SR I Compositional Cert for MILS: 10

  11. Compositional Certification • Because safety, security, etc. are system properties, traditional certification regimes consider only complete systems (or major components) ◦ E.g., the FAA certifies only airplanes, engines, propellers • Even when component already evaluated as part of another system, certifiers reserve right to look inside (cf. RSC) • But modern business practices (outsourcing, COTS) make this increasingly untenable, even in first use of a component ◦ System integrator, let alone system certifier, may have little visibility into the component ◦ They merely define its requirements • The component should be evaluated separately ◦ Evaluation is in terms of properties delivered at interfaces • System certification is then built on these interfaces and properties, with no looking inside John Rushby, SR I Compositional Cert for MILS: 11

  12. Compositional Certification for MILS • Feasibility of compositional certification depends on the architecture • Because compositional certification is all about properties delivered at interfaces, we need ◦ Known interfaces (the paths for component interaction) ⋆ There must be no paths for component interaction outside the known interfaces, even in the presence of faults, or of malice in untrusted components ◦ Meaningful properties ⋆ Must be meaningful at interfaces ⋄ So they can be evaluated locally ⋆ Must be meaningful in combination ⋄ So they compose to yield evaluable system properties • MILS is an architecture that promotes these characteristics John Rushby, SR I Compositional Cert for MILS: 12

  13. Two Kinds of Components, Two Kinds of PPs The foundational and operational levels of the MILS architecture have different concerns and are realized by different kinds of components having different kinds of PPs Operational level: components that provide or enforce application-specific security functionality • Examples: downgrading, authentication, MLS flow • Their PPs are concerned with the specific security function that they provide Foundational level: components that securely share physical resources among logical entities • Examples: separation kernel, partitioning communication system, console, file system, network stack • Their PPs are concerned with partitioning/separation/secure sharing John Rushby, SR I Compositional Cert for MILS: 13

  14. Two Kinds of Components, Three Kinds of Composition We need to consider three kinds of component compositions operational/operational: need compositionality foundational/operational: need composability foundational/foundational: need additivity Consider these in turn John Rushby, SR I Compositional Cert for MILS: 14

  15. Compositionality Operational components combine in a way that ensures compositionality • There’s some way to calculate the properties of interacting operational components from the properties of the components (with no need to look inside), e.g.: ◦ Component A guarantees P if environment ensures Q ◦ Component B guarantees Q if environment ensures P ◦ Conclude that A || B guarantees P and Q • Assumes components interact only through explicit computational mechanisms (e.g., shared variables) John Rushby, SR I Compositional Cert for MILS: 15

  16. Composability Foundational components ensure composability of operational components • Properties of a collection of interacting operational components are preserved when they are placed (suitably) in the environment provided by a collection of foundational components • Hence foundational components do not get in the way • And the combination is itself composable • Hence operational components cannot interfere with each other nor with the foundational ones John Rushby, SR I Compositional Cert for MILS: 16

  17. Additivity Foundational components compose with each other additively • e.g., partitioning(kernel) + partitioning(network) provides partitioning(kernel + network) • There is an asymmetry: partitioning network stacks and file systems and so on run as clients of the partitioning kernel John Rushby, SR I Compositional Cert for MILS: 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Compositional Security Evaluation: The MILS approach John Rushby and Rance DeLong Computer

Compositional Security Evaluation: The MILS approach John Rushby and Rance DeLong Computer

Compositional Security Evaluation: The MILS approach John Rushby and Rance DeLong Computer Science Laboratory SRI International Menlo Park CA USA Primary affiliation: LynuxWorks John Rushby, Rance DeLong, SR I Compositional Security

466 views • 25 slides
An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS

An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS

An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS Rance DeLong* Rance DeLong* The Open Group The Open Group Layered Assurance Workshop Layered Assurance Workshop December 2010 December 2010 1

355 views • 11 slides
Compositional Certification John Rushby Computer Science Laboratory SRI International Menlo

Compositional Certification John Rushby Computer Science Laboratory SRI International Menlo

Compositional Certification John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Compositional Certification: 1 Systems, Components, and Properties Security, for example, is a system property

522 views • 17 slides
MILS C Compl plete S ete Separa rati tion P n Platf tform orm P Protec ecti tion n

MILS C Compl plete S ete Separa rati tion P n Platf tform orm P Protec ecti tion n

MILS C Compl plete S ete Separa rati tion P n Platf tform orm P Protec ecti tion n Profi file le MILS CSP PP Viola Saftig, Dr. Igor Furgel Telekom Security - T-SYSTEMS INTERNATIONAL GmbH Content/Agenda 01 Motivation 02 MILS CSP

751 views • 23 slides
Beyond Integration: The Challenge of Compositional Assurance John Rushby Computer Science

Beyond Integration: The Challenge of Compositional Assurance John Rushby Computer Science

Beyond Integration: The Challenge of Compositional Assurance John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Compositional Assurance: 1 Assurance and Certification: The Traditional

551 views • 29 slides
MILS Research Montage MILS Research Montage LAW LAW Work-In-Progress Session Work-In-Progress

MILS Research Montage MILS Research Montage LAW LAW Work-In-Progress Session Work-In-Progress

MILS Research Montage MILS Research Montage LAW LAW Work-In-Progress Session Work-In-Progress Session December 6, 2011 December 6, 2011 Rance DeLong Rance DeLong Consulting Researcher Consulting Researcher 1 MILS Efforts Overview

772 views • 26 slides
BRUNSWICK MILS Urban Design Presentation Introduction Structure of this presentation:

BRUNSWICK MILS Urban Design Presentation Introduction Structure of this presentation:

BRUNSWICK MILS Urban Design Presentation Introduction Structure of this presentation: Section 1: The overarching approach/methodology for the urban design analysis Section 2: The specific urban design rationales for the MILS precincts

481 views • 24 slides
MILS Integration Protection Profile John Rushby, Rance DeLong a Computer Science Laboratory SRI

MILS Integration Protection Profile John Rushby, Rance DeLong a Computer Science Laboratory SRI

MILS Integration Protection Profile John Rushby, Rance DeLong a Computer Science Laboratory SRI International Menlo Park CA USA a Primary affiliation: LynuxWorks John Rushby, Rance DeLong, SR I MILS Integration PP: 1 Need for an Integration

533 views • 25 slides
1 2 3 KASS Certification Procedure Operation System Certification Certification Training

1 2 3 KASS Certification Procedure Operation System Certification Certification Training

1 2 3 KASS Certification Procedure Operation System Certification Certification Training Inspection/Audit Establish MoC Status of Operator/ Maintainer Manual, Function Identify CRB Record and Interfaces Result of Form Ground/

618 views • 24 slides
CAPLA CERTIFICATION PROGRAM EVERYTHING YOU NEED TO KNOW ABOUT THE CERTIFICATION EXAM HOW TO

CAPLA CERTIFICATION PROGRAM EVERYTHING YOU NEED TO KNOW ABOUT THE CERTIFICATION EXAM HOW TO

CAPLA CERTIFICATION PROGRAM EVERYTHING YOU NEED TO KNOW ABOUT THE CERTIFICATION EXAM HOW TO APPLY TO WRITE Once you have logged into the Then under Certification The Certification committee Application Forms may be CAPLA website using

687 views • 37 slides
A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston College g , g Andrew W. Appel, Princeton University Jan 8 2006 Jan 8, 2006 1 Mobile Code Security Protect trusted system against

561 views • 26 slides
The MILS Component Integration Approach To Secure Information Sharing Carolyn Boettcher,

The MILS Component Integration Approach To Secure Information Sharing Carolyn Boettcher,

The MILS Component Integration Approach To Secure Information Sharing Carolyn Boettcher, Raytheon, El Segundo CA Rance DeLong, LynuxWorks, San Jose CA John Rushby, SRI International, Menlo Park CA Wilmar Sifre, AFRL/RITB, Rome NY Boettcher,

414 views • 27 slides
1 CERTIFICATION Coming to you soon! 2 What is OPTA VIA Certification? OPTA VIA

1 CERTIFICATION Coming to you soon! 2 What is OPTA VIA Certification? OPTA VIA

1 CERTIFICATION Coming to you soon! 2 What is OPTA VIA Certification? OPTA VIA Certification is based on Dr. As Habits of Health Transformational System and is available to all Coaches who want to apply and reinforce their knowledge of

613 views • 19 slides
Certification Pathway to CCC-A Todd R. Philbrick, CAE Director, Certification Ex Officio to the

Certification Pathway to CCC-A Todd R. Philbrick, CAE Director, Certification Ex Officio to the

ASHA Certification Pathway to CCC-A Todd R. Philbrick, CAE Director, Certification Ex Officio to the CFCC Presentation Overview What is Certification? CCC-A Certification Standards CCC-A Application Process FAQs Keep your

209 views • 19 slides
An approach to Separation of Duties validation for MILS security configurations Semen Kort,

An approach to Separation of Duties validation for MILS security configurations Semen Kort,

An approach to Separation of Duties validation for MILS security configurations Semen Kort, Dmitry Kulagin, Ekaterina Rudina Future Technologies Kaspersky Lab The objectives Discover the Describe how the Describe the

445 views • 28 slides
Bruno Gavranovi c SYCO2 Compositional Deep Learning December 18, 2018 1 / 36 Compositional

Bruno Gavranovi c SYCO2 Compositional Deep Learning December 18, 2018 1 / 36 Compositional

Bruno Gavranovi c SYCO2 Compositional Deep Learning December 18, 2018 1 / 36 Compositional Deep Learning Bruno Gavranovi c Faculty of Electrical Engineering and Computing (FER) University of Zagreb, Croatia bruno.gavranovic@fer.hr

1.22k views • 102 slides
CS 4495 Computer Vision Finding 2D Shapes and the Hough Transform Aaron Bobick School of

CS 4495 Computer Vision Finding 2D Shapes and the Hough Transform Aaron Bobick School of

Hough Transform CS 4495 Computer Vision A. Bobick CS 4495 Computer Vision Finding 2D Shapes and the Hough Transform Aaron Bobick School of Interactive Computing Hough Transform CS 4495 Computer Vision A. Bobick Administrivia

736 views • 48 slides
14: Clique Finding Machine Learning and Real-world Data (MLRD) Ryan Cotterell (based on slides

14: Clique Finding Machine Learning and Real-world Data (MLRD) Ryan Cotterell (based on slides

14: Clique Finding Machine Learning and Real-world Data (MLRD) Ryan Cotterell (based on slides created by Simone Teufel) Lent 2020 Last session: betweenness centrality You implemented betweenness centrality. This let you find gatekeeper

409 views • 14 slides
On generalized Clifford configurations: geometry and integrability by W.K. Schief Technische

On generalized Clifford configurations: geometry and integrability by W.K. Schief Technische

On generalized Clifford configurations: geometry and integrability by W.K. Schief Technische Universit at Berlin ARC Centre of Excellence for Mathematics and Statistics of Complex Systems, Australia (with B.G. Konopelchenko, Proc. R. Soc

400 views • 27 slides
Introduction to D3 Ma Maneesh Agrawala CS 448B: Visualization Fall 2020 1 D3 Notebooks 2 1

Introduction to D3 Ma Maneesh Agrawala CS 448B: Visualization Fall 2020 1 D3 Notebooks 2 1

Introduction to D3 Ma Maneesh Agrawala CS 448B: Visualization Fall 2020 1 D3 Notebooks 2 1 Last Time: Interaction 3 Dynamic Queries 6 2 Query and results SELECT house FROM east bay WHERE price < 1,000,000 AND bedrooms > 2

335 views • 21 slides
Scopus Introduction Massimiliano Bearzot | Customer Consultant | Elsevier m.bearzot@elsevier.com

Scopus Introduction Massimiliano Bearzot | Customer Consultant | Elsevier m.bearzot@elsevier.com

| 1 TITLE OF PRESENTATION | 1 Scopus Introduction Massimiliano Bearzot | Customer Consultant | Elsevier m.bearzot@elsevier.com | 2 TITLE OF PRESENTATION | 2 What youll learn today What is Scopus and who uses it? What content

1.36k views • 99 slides
Bibliographic Analysis of Nature Based on Altmetrics Xiaoyan Su DUT MSCLab Contents 1

Bibliographic Analysis of Nature Based on Altmetrics Xiaoyan Su DUT MSCLab Contents 1

Bibliographic Analysis of Nature Based on Altmetrics Xiaoyan Su DUT MSCLab Contents 1 Introduction 2 Data and Methods 3 Results and discussion 4 Conclusion 1 Impact of academic publications Citation Part 1 Introduction H-index or

597 views • 26 slides
Making sense of citations Xenia Koulouri Claudia Ifrim Manolis Wallace Florin Pop 1 Knowledge

Making sense of citations Xenia Koulouri Claudia Ifrim Manolis Wallace Florin Pop 1 Knowledge

Making sense of citations Xenia Koulouri Claudia Ifrim Manolis Wallace Florin Pop 1 Knowledge and Uncertainty Research Laboratory Knowledge and Uncertainty Research Laboratory 2 11/9/2016 Todays talk Publications Citations

355 views • 9 slides
CDLs Path Towards Data Publishing Adoption: Community Infrastructure John Chodacki, UC

CDLs Path Towards Data Publishing Adoption: Community Infrastructure John Chodacki, UC

CDLs Path Towards Data Publishing Adoption: Community Infrastructure John Chodacki, UC Curation Center (UC3) Looking Inward: Self Assessment Last year... Institutions build or buy general data repositories (a.k.a. data IRs, non-domain

497 views • 38 slides

More recommend