layered assurance workshop 13 14 august 2008 bwi hilton
play

Layered Assurance Workshop 13, 14 August 2008, BWI Hilton based on - PowerPoint PPT Presentation

Mar 12, 2024 •200 likes •418 views

Layered Assurance Workshop 13, 14 August 2008, BWI Hilton based on Open Group, 23 July 2008, Chicago MILS Policy Architecture And Layered Assurance John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I

  1. Layered Assurance Workshop 13, 14 August 2008, BWI Hilton based on Open Group, 23 July 2008, Chicago

  2. MILS Policy Architecture And Layered Assurance John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I MILS Policy Architecture: 1

  3. Compositional Assurance • We build systems from components • And we’d like critical properties and assurance to compose ◦ That is, assurance for the whole is built on assurance for the components • Seldom happens: assurance dives into everything • The system assurance argument may not decompose on architectural lines ◦ So what is architecture? ◦ A good one simplifies the assurance case John Rushby, SR I MILS Policy Architecture: 2

  4. The MILS Idea • Construct an architecture so that assurance does decompose along structural lines • Two issues in security: ◦ Enforce the security policy ◦ Manage shared resources securely • The MILS idea is to handle these separately • Focus the system architecture on simplifying the argument for policy enforcement ◦ Hence policy architecture • The policy architecture becomes the interface between the the two issues John Rushby, SR I MILS Policy Architecture: 3

  5. Policy Architecture • Intuitively, a boxes and arrows diagram ◦ There is a formal model for this • Boxes encapsulate data, information, control ◦ Access only local state, incoming communications ◦ i.e., they are state machines • Arrows are channels for information flow ◦ Strictly unidirectional ◦ Absence of arrows is often crucial • Some boxes are trusted to enforce local security policies • Want the trusted boxes to be as simple as possible • Decompose the policy architecture to achieve this • Assume boxes and arrows are free John Rushby, SR I MILS Policy Architecture: 4

  6. Crypto Controller Example: Step 1 Policy: no plaintext on black network header bypass header data header encrypted data red black side side encryption network utilities stacks compiler runtime operating system No architecture, everything trusted John Rushby, SR I MILS Policy Architecture: 5

  7. Crypto Controller Example: Step 2 Good policy architecture: fewer things trusted bypass minimal runtime red black crypto hardware Local policies: Header bypass: low bandwidth, data looks like headers Crypto: all output encrypted John Rushby, SR I MILS Policy Architecture: 6

  8. Policy Architecture: Compositional Assurance • Construct assurance for each trusted component individually ◦ i.e., each component enforces its local policy • Then provide an argument that the local policies ◦ In the context of the policy architecture Combine to achieve the overall system policy • Medium robustness: this is done informally • High robustness: this is done formally (compositional verification) • Cf. layered assurance John Rushby, SR I MILS Policy Architecture: 7

  9. Resource Sharing • Next, we need to implement the logical components and the communications of the policy architecture in an affordable manner • Allow different components and communications to share resources • Need to be sure the sharing does not violate the policy architecture ◦ Flaws might add new communications paths ◦ Might blur the separation between components John Rushby, SR I MILS Policy Architecture: 8

  10. Uncontrolled Resource Sharing red bypass black crypto Naive sharing could allow direct red to black information flow, or could blur the integrity of the components John Rushby, SR I MILS Policy Architecture: 9

  11. Unintended Communications Paths bypass minimal runtime red black operating system operating system crypto hardware John Rushby, SR I MILS Policy Architecture: 10

  12. Blurred Separation Between Components bypass minimal runtime red black operating system operating system crypto hardware John Rushby, SR I MILS Policy Architecture: 11

  13. Secure Resource Sharing • For broadly useful classes of resources ◦ e.g., file systems, networks, consoles, processors • Provide implementations that can be shared securely • Start by defining what it means to partition specific kinds of resource into separate logical components • Definition in the form of a protection profile (PP) ◦ e.g. separation kernel protection profile (SKPP) ◦ or network subsystem PP, filesystem PP, etc. John Rushby, SR I MILS Policy Architecture: 12

  14. Crypto Controller Example: Step 3 Separation kernel securely partitions the processor resource red bypass black device driver crypto for runtime or runtime or operating system operating system minimal runtime separation kernel crypto h/w The integrity of the policy architecture is preserved John Rushby, SR I MILS Policy Architecture: 13

  15. A Generic MILS System Separation Kernel Trusted TSE File System Care and skill needed to determine which logical components share physical resources (performance, faults) John Rushby, SR I MILS Policy Architecture: 14

  16. Resource Sharing: Compositional Assurance • Construct assurance for each resource sharing component individually ◦ i.e., each component enforces separation • Then provide an argument that the individual components ◦ Are additively compositional And threfore combine to create the policy architecture • Medium robustness: this is done informally • High robustness: this is done formally (compositional verification) • Cf. layered assurance John Rushby, SR I MILS Policy Architecture: 15

  17. MILS Business Model • DoD moves things forward by supporting development of protection profiles ◦ Separation kernels, partitioning communications systems, TCP/IP network stacks, file systems, consoles, publish-subscribe • Then vendors create a COTS marketplace of compliant components • Currently they are all resource sharing components; should be some policy components, too ◦ e.g., filters, downgraders for CDS John Rushby, SR I MILS Policy Architecture: 16

  18. MILS In The Enterprise • Separation kernels are like minimal hypervisors (cf. Xen) ◦ MILS separation kernel (4 KSLOC), EAL7 ◦ Avionics partitioning kernel (20 KSLOC), DO-178B Level A ( ≈ EAL4) ◦ Hypervisor (60 KSLOC), EAL? • Can expect some convergence of APIs (cf. ARINC 653) • Different vendors will offer different functionality/assurance tradeoffs • Can extend use of hypervisors from providing isolated virtual hosts to supporting the policy architecture of a secure service John Rushby, SR I MILS Policy Architecture: 17

  19. Recent Progress • Initial development of mathematical theory for compositional assurance of MILS systems • Initial development (by Rance DeLong) of a Common Criteria Authoring Environment to assist construction of coherent PPs • PPs for several MILS components at different levels of completion ◦ SKPP done, PCSPP nearly done ◦ Console, network, filesystem, under way • High and medium robustness separation kernels from several RTOS vendors John Rushby, SR I MILS Policy Architecture: 18

  20. Summary • Key idea of MILS is to align the architecture with the assurance case • Enabler for this is separation of concerns ◦ Enforcing policy ◦ Sharing resources • The policy architecture is the interface between these • Efficient and secure resource sharing allows the policy architecture to have many logically separate components and communications ◦ Use this to simplify the trusted components ◦ Which eases their assurance • Assured resource sharing components are COTS • Assurance for the system is composed from that of the components John Rushby, SR I MILS Policy Architecture: 19

  21. Thanks • To Carolyn Boettcher of Raytheon and Wilmar Sifre of AFRL • And to Rance DeLong, Joe Bergmann and members of RTES John Rushby, SR I MILS Policy Architecture: 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop

Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop

Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop 2010 Austin, Texas Timothy Levin, Thuy Nguyen, Cynthia Irvine, Michael McEvilley LAW 2010 Overview Purpose Help users of SKPP understand

383 views • 17 slides
Layered Assurance Scheme for Mul4-Core Architectures J.

Layered Assurance Scheme for Mul4-Core Architectures J.

Layered Assurance Scheme for Mul4-Core Architectures J. Alves-Foss, X. He and J. Song Center for Secure and Dependable Systems University of

255 views • 21 slides
Runtime Verification Workshop, Budapest, March 2008 FDA Assurance Cases, 21, 22 Feb 2008 Based on

Runtime Verification Workshop, Budapest, March 2008 FDA Assurance Cases, 21, 22 Feb 2008 Based on

Runtime Verification Workshop, Budapest, March 2008 FDA Assurance Cases, 21, 22 Feb 2008 Based on Open Group Paris 23 April 2007, slight revisions of Open Group San Diego 31 January 2007, major rewrite of HCSS Aviation Safety Workshop,

690 views • 31 slides
Assignm ent of Assignm ent of Design Assurance Levels Design Assurance Levels SAE S1 8 &

Assignm ent of Assignm ent of Design Assurance Levels Design Assurance Levels SAE S1 8 &

Assignm ent of Assignm ent of Design Assurance Levels Design Assurance Levels SAE S1 8 & EUROCAE W G-6 3 Presented by Steve Beland Associate Technical Fellow Boeing Com m ercial Airplanes August 20, 2008 FAA Software & AEH

504 views • 34 slides
An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS

An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS

An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS Rance DeLong* Rance DeLong* The Open Group The Open Group Layered Assurance Workshop Layered Assurance Workshop December 2010 December 2010 1

355 views • 11 slides
Effective Layering of Defenses Nathaniel Boggs, Salvatore J. Stolfo Columbia University

Effective Layering of Defenses Nathaniel Boggs, Salvatore J. Stolfo Columbia University

ALDR: A New Metric for Measuring Effective Layering of Defenses Nathaniel Boggs, Salvatore J. Stolfo Columbia University 12/6/2011 Layered Assurance Workshop 1 Motivation Buy security product X? Am I secure? 12/6/2011 Layered

630 views • 18 slides
INDONESIA EXPERIENCE IN TQS TQS Workshop Hilton Hotel Ankara August 16-17 th 2017 Gantjang

INDONESIA EXPERIENCE IN TQS TQS Workshop Hilton Hotel Ankara August 16-17 th 2017 Gantjang

BPS STATISTICS INDONESIA INDONESIA EXPERIENCE IN TQS TQS Workshop Hilton Hotel Ankara August 16-17 th 2017 Gantjang Amannullah Director of People Welfare Statistics, BPS-Statistics Indonesia Email: gantjang@bps.go.id 1. Introduction:

443 views • 17 slides
What Syntax Feeds Semantics? ESSLLI 2008 Workshop Hamburg, 11-15 August, 2008 Maribel Romero

What Syntax Feeds Semantics? ESSLLI 2008 Workshop Hamburg, 11-15 August, 2008 Maribel Romero

What Syntax Feeds Semantics? ESSLLI 2008 Workshop Hamburg, 11-15 August, 2008 Maribel Romero University of Konstanz 1 Division of labor between Syntax and Semantics Frege s Principle of Compositionality: The meaning of a complex

436 views • 29 slides
Workshop 3 Workshop 3 Cost Estimating and Cost Estimating and Financial Assurance Financial

Workshop 3 Workshop 3 Cost Estimating and Cost Estimating and Financial Assurance Financial

SWVP-0719 Workshop 3 Workshop 3 Cost Estimating and Cost Estimating and Financial Assurance Financial Assurance SWVP-028586 Reviews financial mechanism for Hal Hong Financial Administrator adequacy and completeness Communicates with

528 views • 51 slides
FDA Assurance Cases, 21, 22 Feb 2008 Based on Open Group Paris 23 April 2007, slight revisions of

FDA Assurance Cases, 21, 22 Feb 2008 Based on Open Group Paris 23 April 2007, slight revisions of

FDA Assurance Cases, 21, 22 Feb 2008 Based on Open Group Paris 23 April 2007, slight revisions of Open Group San Diego 31 January 2007, major rewrite of HCSS Aviation Safety Workshop, Alexandria, Oct 5,6 2006 Based on University of Illinois ITI

472 views • 28 slides
Coling 2008 workshop on human judgements in Computational Linguistics Ron Artstein Gemma Boleda

Coling 2008 workshop on human judgements in Computational Linguistics Ron Artstein Gemma Boleda

Workshop Topic Research Issues Statistics Coling 2008 workshop on human judgements in Computational Linguistics Ron Artstein Gemma Boleda Frank Keller Sabine Schulte im Walde August 23, 2008 Artstein et al. Coling 2008 workshop on human

254 views • 11 slides
BabyBEE Defining the Silicon Circuit Board CASPER Workshop August 4, 2008 Bob Conn CTO siXis

BabyBEE Defining the Silicon Circuit Board CASPER Workshop August 4, 2008 Bob Conn CTO siXis

BabyBEE Defining the Silicon Circuit Board CASPER Workshop August 4, 2008 Bob Conn CTO siXis Spin-out of Research Triangle Institute Started July 3, 2008 $5.2M MiniBee Alpha product already delivered BabyBEE available early

402 views • 17 slides
High Robustness Cross Domain Solutions Tiger Team John Mildner Jennifer Guild Layered

High Robustness Cross Domain Solutions Tiger Team John Mildner Jennifer Guild Layered

High Robustness Cross Domain Solutions Tiger Team John Mildner Jennifer Guild Layered Assurance Workshop - 2011 Purpose 2 Provide an overview of the High Robustness Cross Domain Solutions Tiger Team (HR CDS TT) Provide status on support to

465 views • 14 slides
Navigating the Web graph Workshop on Networks and Navigation Santa Fe Institute, August 2008

Navigating the Web graph Workshop on Networks and Navigation Santa Fe Institute, August 2008

Navigating the Web graph Workshop on Networks and Navigation Santa Fe Institute, August 2008 Filippo Menczer Informatics & Computer Science Indiana University, Bloomington Outline Topical locality: Content, link, and semantic topologies

1.27k views • 89 slides
Layered Protection for Web Tracking Layered Protection for Web Tracking position paper, W3C

Layered Protection for Web Tracking Layered Protection for Web Tracking position paper, W3C

Layered Protection for Web Tracking Layered Protection for Web Tracking position paper, W3C Workshop on Web Tracking and User Privacy position paper, W3C Workshop on Web Tracking and User Privacy Presenter: Wu Chou Authors: Wu Chou, Li Li

62 views • 5 slides
Workshop on the Implementation of a National Quality Assurance Framework for Official Statistics

Workshop on the Implementation of a National Quality Assurance Framework for Official Statistics

Workshop on the Implementation of a National Quality Assurance Framework for Official Statistics in countries of the Africa Region Addis Ababa, Ethiopia, 14-18 October 2019 Quality Assurance in the case of different data sources Certification

765 views • 30 slides
MARYLANDS INTERAGENCY COUNCIL ON HOMELESSNESS August 2, 2018 Maryland Department of Housing

MARYLANDS INTERAGENCY COUNCIL ON HOMELESSNESS August 2, 2018 Maryland Department of Housing

Maryland Department of Housing and Community Development Secretary Kenneth C. Holt MARYLANDS INTERAGENCY COUNCIL ON HOMELESSNESS August 2, 2018 Maryland Department of Housing and Community Development Secretary Kenneth C. Holt AGENDA I.

508 views • 18 slides
CS 309: Autonomous Intelligent Robotics FRI I Lecture 17: Starting the Robot Coordinate Frames

CS 309: Autonomous Intelligent Robotics FRI I Lecture 17: Starting the Robot Coordinate Frames

CS 309: Autonomous Intelligent Robotics FRI I Lecture 17: Starting the Robot Coordinate Frames TF2 Forming Project Groups Instructor: Justin Hart http://justinhart.net/teaching/2019_spring_cs309/ Pick a BWIBot V2 V4 V2 Startup Find

819 views • 61 slides
Minimum Spanning Trees Data Structures and Algorithms for CL III, WS 2019-2020 Corina Dima

Minimum Spanning Trees Data Structures and Algorithms for CL III, WS 2019-2020 Corina Dima

Department of General and Computational Linguistics Minimum Spanning Trees Data Structures and Algorithms for CL III, WS 2019-2020 Corina Dima corina.dima@uni-tuebingen.de M ICHAEL G OODRICH Data Structures & Algorithms in Python R OBERTO T

907 views • 64 slides
CS 378: Autonomous Intelligent Robotics (FRI) Dr. Todd Hester Teaching Staff TA : Shweta

CS 378: Autonomous Intelligent Robotics (FRI) Dr. Todd Hester Teaching Staff TA : Shweta

CS 378: Autonomous Intelligent Robotics (FRI) Dr. Todd Hester Teaching Staff TA : Shweta Gulati Student Mentors: Josan Munoz Nick White Staff: Peter Stone Piyush Khandelwal Jack O'Quin Two Main Goals Learn about

383 views • 21 slides
Minimum Spanning Trees 2704 BOS 867 849 PVD ORD 187 740 144 JFK 1846 621 1258 184

Minimum Spanning Trees 2704 BOS 867 849 PVD ORD 187 740 144 JFK 1846 621 1258 184

Minimum Spanning Trees 2704 BOS 867 849 PVD ORD 187 740 144 JFK 1846 621 1258 184 802 SFO BWI 1391 1464 337 1090 DFW 946 LAX 1235 1121 MIA 2342 Minimum Spanning Trees 1 Outline and Reading Minimum Spanning Trees

767 views • 32 slides
Updates October 16, 2020 COVID-19 Budget Impacts MDOT MTA received $392 million in CARES Act

Updates October 16, 2020 COVID-19 Budget Impacts MDOT MTA received $392 million in CARES Act

MDOT MTA Updates October 16, 2020 COVID-19 Budget Impacts MDOT MTA received $392 million in CARES Act funding that will be fully expended by September 2020. FY21-26 capital budget reduced by $150m. FY21 operating budget reduced by

561 views • 16 slides
University Retreat August 23, 2017 Comprehensive Campaign An integrated, or total development

University Retreat August 23, 2017 Comprehensive Campaign An integrated, or total development

University Retreat August 23, 2017 Comprehensive Campaign An integrated, or total development program, based on long-term comprehensive analysis of an organizations diverse needs: current program support, special purposes, capital, and

283 views • 11 slides
Archipelago Measurement Infrastructure kc claffy CAIDA AAF Workshop Nov 23, 2009 Outline

Archipelago Measurement Infrastructure kc claffy CAIDA AAF Workshop Nov 23, 2009 Outline

Archipelago Measurement Infrastructure kc claffy CAIDA AAF Workshop Nov 23, 2009 Outline Focus and Architecture Monitor Deployment Measurements Future Work 2 Introduction Archipelago (Ark) is CAIDAs next-generation active

1.01k views • 44 slides

More recommend