MILS Complete Separation Platform Protection Profile (MILS CSP PP)
Viola Saftig, Dr. Igor Furgel
Telekom Security - T-SYSTEMS INTERNATIONAL GmbH

Content/Agenda
01 Motivation
02 MILS CSP PP Overview
03 TOE Architecture
04 Assets
05 Roles
06 Security Requirements
Multiple Independent Levels of Security (MILS)
MILS is based on the concepts of resource separation and controlled information flow. It offers a secure decomposition of complex embedded systems into logically independent components and supports the coexistence of untrusted and trusted components.

Question: How to build up and operate devices with a mix of critical and of unknown (and untrustworthy) applications in a secure and reliable way?
Possible approach: a MILS security architecture.
Challenge: The TOE (Target of Evaluation) may comprise very different system constellations.
Common Criteria Protection Profile for MILS separation platform (MILS CSP PP)
A generic but clear description is mandated for the components of a MILS system and for the obligations during system integration, i.e. while determining the operational environment and selecting concrete components.
Target of Evaluation (TOE)
The TOE is a special kind of operating system together with its underlying hardware platform. It is used as an integrated component in MILS systems and may be used as part of embedded systems. It can host user applications (e.g. operating systems) and system applications; user applications can be malicious. The TOE controls the usage of memory, devices, processors and communication channels, separates user applications from each other, prevents unexpected interference between user applications and enforces restrictions on the communication between user applications.
Definitions
Primary assets: values that are really important for the risk owner and that are to be protected by the TOE itself.
Secondary assets: TSF and TSF configuration data enforcing the System Security Policy (SSP) as defined by the System Integrator.
A system component is a system partition, a system extension or an ODSP (on-board device support package) and contains user data supplied and approved by the System Integrator.
A communication object is used for communication between partitions (an object exposed to one or multiple partitions with access rights as defined in the configuration data).
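The TOE behaviour described above (memory and CPU resources assigned per partition, communication objects as the only channel between partitions, access rights fixed in the configuration data) can be made concrete with a small executable model. The following is an added illustration written for this page; it is not code from the MILS CSP PP, from any separation kernel, or from the authors. All partition and communication-object definitions in it are constructed sample configuration data, and the class and function names (PartitionShape, CommObjectShape, SeparationKernel, permitted_flows, demo) are the example's own.

```python
"""Toy model of the separation policy a MILS separation kernel enforces.
Added illustration for this page; not code from the MILS CSP PP or any product.
Partition and object definitions below are constructed sample configuration data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class PartitionShape:        # security attributes assigned to a partition
    ident: str
    kind: str                # "user" or "system"
    memory_bytes: int        # resource quota assigned according to the SSP


@dataclass(frozen=True)
class CommObjectShape:       # object exposed to partitions with access rights
    ident: str
    capacity: int
    rights: Dict[str, FrozenSet[str]]   # partition ident -> {"read", "write"}


class PolicyViolation(Exception):
    """Request not permitted by the System Security Policy (SSP)."""


def permitted_flows(objects: Tuple[CommObjectShape, ...]) -> Set[Tuple[str, str]]:
    """All (writer, reader) pairs that can exchange data through some object.
    Objects are the only cross-partition channel, so the System Integrator
    can compare this set against the flows the system design intends."""
    flows = set()
    for obj in objects:
        writers = [p for p, r in obj.rights.items() if "write" in r]
        readers = [p for p, r in obj.rights.items() if "read" in r]
        flows.update((w, r) for w in writers for r in readers if w != r)
    return flows


class SeparationKernel:
    """Mediates every access to partition memory and communication objects."""

    def __init__(self, partitions, objects) -> None:
        self.objects = {o.ident: o for o in objects}
        self.memory = {p.ident: bytearray(p.memory_bytes) for p in partitions}
        self.content: Dict[str, bytes] = {o.ident: b"" for o in objects}
        self.audit: List[str] = []      # electronic records of audited events

    def _mediate(self, subject: str, obj: str, right: str) -> None:
        if subject not in self.memory or obj not in self.objects:
            raise PolicyViolation(f"unknown subject or object: {subject}, {obj}")
        if right not in self.objects[obj].rights.get(subject, frozenset()):
            self.audit.append(f"DENY {subject} {right} {obj}")
            raise PolicyViolation(f"{subject} may not {right} {obj}")
        self.audit.append(f"ALLOW {subject} {right} {obj}")

    def send(self, subject: str, obj: str, data: bytes) -> None:
        self._mediate(subject, obj, "write")
        if len(data) > self.objects[obj].capacity:
            raise PolicyViolation("message exceeds communication object capacity")
        self.content[obj] = bytes(data)

    def receive(self, subject: str, obj: str) -> bytes:
        self._mediate(subject, obj, "read")
        return self.content[obj]

    def store(self, subject: str, offset: int, data: bytes) -> None:
        region = self.memory[subject]   # the assigned quota is the hard limit
        if offset < 0 or offset + len(data) > len(region):
            raise PolicyViolation(f"{subject} exceeds its memory quota")
        region[offset:offset + len(data)] = data

    def restart(self, subject: str) -> None:
        # Reallocation makes the previous content unavailable (cf. FDP_RIP.2).
        self.memory[subject] = bytearray(len(self.memory[subject]))
        self.audit.append(f"RESTART {subject}")


PARTITIONS = (PartitionShape("p_sensor", "user", 64),
              PartitionShape("p_display", "user", 64),
              PartitionShape("p_monitor", "system", 128))
OBJECTS = (CommObjectShape("ch_readings", 16, {"p_sensor": frozenset({"write"}),
                                               "p_display": frozenset({"read"})}),)


def demo() -> Dict[str, object]:
    """Exercise allowed and denied requests; return the observable results."""
    k = SeparationKernel(PARTITIONS, OBJECTS)
    k.send("p_sensor", "ch_readings", b"temp=21")
    received = k.receive("p_display", "ch_readings")
    denied = []
    for subject, attempt in (("p_display", lambda: k.send("p_display", "ch_readings", b"x")),
                             ("p_monitor", lambda: k.receive("p_monitor", "ch_readings")),
                             ("p_sensor", lambda: k.store("p_sensor", 60, b"too long"))):
        try:
            attempt()
        except PolicyViolation:
            denied.append(subject)
    k.store("p_sensor", 0, b"secret")
    k.restart("p_sensor")
    return {"received": received, "denied": denied,
            "after_restart": bytes(k.memory["p_sensor"][:6]),
            "flows": permitted_flows(OBJECTS), "audit": k.audit}
```

Running demo() shows the three enforcement points in one pass: the sensor-to-display exchange succeeds, the display's attempt to write and the system partition's attempt to read are denied and recorded, the write beyond the sensor's memory quota is refused, and after a partition restart its memory reads back as zeros. permitted_flows() is the integrator-side check: it derives every possible cross-partition flow from the access rights alone, so any pair not in the intended design is visible before deployment.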
User partition content
  Description: user applications and/or data being executed and/or stored in a user partition
  Generic security properties: Confidentiality, Integrity
Communication object content
  Description: content of a communication object, exchanged (received/read and sent/written) between partitions
  Generic security properties: Confidentiality, Integrity
System component content
  Description: system applications and/or data being executed and/or stored in a system component (a system partition, a system extension or the on-board device support package)
  Generic security properties: Confidentiality, Integrity
Audit data (optional)
  Description: electronic records reflecting events to be audited
  Generic security properties: Confidentiality, Integrity
User partition resources
  Description: comprise physical memory space and allocated CPU time for each CPU; resources are assigned according to the SSP
  Generic security properties: Availability
User partition shape
  Description: contains a set of security attributes assigned to a user partition (e.g. unique partition identity, flag indicating that the partition is a user partition, SSP enforcement data); links its user partition resources and its user partition content; can contain security-irrelevant data, e.g. information on optimising virtualised guests
  Generic security properties: Confidentiality, Integrity
Communication object resources
  Description: memory space; resources are assigned according to the SSP
  Generic security properties: Availability
Communication object shape
  Description: contains a set of security attributes assigned to a communication object (e.g. unique communication object identity); links its communication object resources and its communication object content
  Generic security properties: Confidentiality, Integrity
System component resources
  Description: comprise physical memory space and allocated CPU time for each CPU; resources are assigned according to the SSP
  Generic security properties: Availability, Confidentiality, Integrity
System component shape
  Description: contains a set of security attributes assigned to a system component (e.g. unique identity, flag indicating that the partition is a system partition); links its system component resources and its system component content
  Generic security properties: Confidentiality, Integrity
Configuration data
  Description: data used by the TOE to enforce the SSP
  Generic security properties: Confidentiality, Integrity
System application API
  Description: interface to functions of the TSF available for system applications
  Generic security properties: Availability (in the sense of 'executability') only for system applications
Roles
User application
  Description: any application within a user partition; allowed to use only the TOE user partition API. For each instantiation of this subject the TOE assigns a unique subject identity.
System application
  Description: any application within a system partition, a system extension, or the on-board device support package (ODSP). Only a system application in a system partition is allowed to use the TOE system partition API; only a system application in a system extension is allowed to use the TOE system extension API; only a system application in the ODSP is allowed to use the TOE ODSP API. For each instantiation of this subject the TOE assigns a unique subject identity.
System Integrator
  Description: person trusted to (re-)configure and integrate the TOE. This includes identifying system partitions and user partitions and assigning applications to partitions.
System Operator
  Description: person trusted to (re-)install, stop, start, restart, or access (also physically) the TOE in the field.
Attacker
  Description: threat agent (a person or a process acting on his/her behalf) trying to undermine the TOE security policy. The attacker especially tries to change properties of the assets that have to be maintained according to the TOE security policy. The attacker is assumed to possess an at most high attack potential. Only attacks carried out by user applications are addressed (no physical attacks); all attacks from other sources than user applications shall be averted by the TOE operational environment.
Security Assurance Requirements (SAR)
SARs define the scope and the rigour of the evaluator's verification work. This PP claims conformance to the CC assurance package EAL5 augmented by AVA_VAN.5, i.e. resistance against high attack potential.
Security Functional Requirements (SFR)
SFRs are to be enforced by the TSF. Security functional groups are defined and allocated to the functional requirements. SFRs which are always used together are grouped by "{}". SFRs whose fulfilment might need direct support by the TOE hardware are tagged HW.
Security functional group: Separation in space of applications hosted in different partitions from each other and from the TOE operating system
Security Functional Requirements (SFRs):
  User Data Protection (FDP): {FDP_ACC.2/AS.USER_PART_CONT, FDP_ACF.1/AS.USER_PART_CONT}HW, {FDP_ACC.2/AS.SYS_COMP_CONT, FDP_ACF.1/AS.SYS_COMP_CONT}HW, {FDP_IFC.2, FDP_IFF.1}, FDP_IFF.5
  Resource Utilisation (FRU): FRU_RSA.2/AS.USER_PART_RES
Supported by:
  Identification and Authentication (FIA): FIA_UID.2
  Security Management (FMT): all selected components of the class FMT
  Protection of the TOE Security Functions (FPT): all selected components of the class FPT
Security functional group: Separation in time of applications hosted in different partitions from each other and from the TOE operating system
Security Functional Requirements (SFRs):
  User Data Protection (FDP): {FDP_ACC.2/AS.COMMUN_OBJ_CONT, FDP_ACF.1/AS.COMMUN_OBJ_CONT}, {FDP_IFC.2, FDP_IFF.1}, FDP_IFF.5, FDP_RIP.2 HW
  Resource Utilisation (FRU): FRU_PRS.1, FRU_RSA.2/AS.USER_PART_RES
Supported by:
  Identification and Authentication (FIA): FIA_UID.2
  Security Management (FMT): all selected components of the class FMT
  Protection of the TOE Security Functions (FPT): selected components of the class FPT
Security functional group: Provision and management of communication objects
Security Functional Requirements (SFRs):
  User Data Protection (FDP): {FDP_ACC.2/AS.COMMUN_OBJ_CONT, FDP_ACF.1/AS.COMMUN_OBJ_CONT}, {FDP_IFC.2, FDP_IFF.1}, FDP_IFF.5
  Resource Utilisation (FRU): FRU_RSA.2/AS.COMMUN_OBJ_RES
Supported by:
  Identification and Authentication (FIA): FIA_UID.2
  Security Management (FMT): all selected components of the class FMT
  Protection of the TOE Security Functions (FPT): selected components of the class FPT
Security functional group: Management of and access to the TSF and TSF data
Security Functional Requirements (SFRs):
  Identification and Authentication (FIA): FIA_UID.2
  Security Management (FMT): all selected components of the class FMT (HW)

Security functional group: TSF self-protection and accuracy of security functionality
Security Functional Requirements (SFRs):
  Protection of the TOE Security Functions (FPT): FPT_FLS.1, FPT_RCV.2
Supported by:
  Identification and Authentication (FIA): FIA_UID.2
  Security Management (FMT): all selected components of the class FMT
Status of MILS CSP PP
Not published yet. Not evaluated yet. Open for comments and usage.

Contact
Viola Saftig, T-Systems International GmbH, Telekom Security, Bonn, Germany, viola.saftig@t-systems.com
Dr. Igor Furgel, T-Systems International GmbH, Telekom Security, Bonn, Germany, igor.furgel@t-systems.com
If interested in the MILS CSP PP please send an email to the authors.
FAU Security Audit
  FAU_GEN.1 Audit Data Generation (optional)
FDP User Data Protection
  FDP_ACC.2 Complete Access Control
  FDP_ACF.1 Access Control Functions
  FDP_IFC.2 Complete Information Flow Control
  FDP_IFF.1 Simple Security Attributes
  FDP_IFF.5 No Illicit Information Flows
  FDP_RIP.2 Full Residual Information Protection
FIA Identification and Authentication
  FIA_UID.2 User Identification
FPT Protection of the TSF
  FPT_FLS.1 Failure with Preservation of Secure State
  FPT_RCV.2 Automated Recovery
FRU Resource Utilisation
  FRU_PRS.1 Limited Priority of Service
  FRU_RSA.2 Minimum and Maximum Quotas
FMT Security Management
  FMT_MOF.1 Management of Security Functions Behaviour
  FMT_MSA.1 Management of Security Attributes
  FMT_MSA.2 Secure Security Attributes
  FMT_MSA.3 Static Policy Attribute Initialisation
  FMT_MTD.1 Management of TSF Data
  FMT_SMF.1 Specification of Management Functions
  FMT_SMR.1 Security Roles