mils integration protection profile
play

MILS Integration Protection Profile John Rushby, Rance DeLong a - PowerPoint PPT Presentation

Oct 13, 2023 •267 likes •533 views

MILS Integration Protection Profile John Rushby, Rance DeLong a Computer Science Laboratory SRI International Menlo Park CA USA a Primary affiliation: LynuxWorks John Rushby, Rance DeLong, SR I MILS Integration PP: 1 Need for an Integration

  1. MILS Integration Protection Profile John Rushby, Rance DeLong a Computer Science Laboratory SRI International Menlo Park CA USA a Primary affiliation: LynuxWorks John Rushby, Rance DeLong, SR I MILS Integration PP: 1

  2. Need for an Integration Protection Profile • Security is a system property • Existing MILS protection profiles (PPs) are for components • How do we know that a system composed of evaluated components is secure? ◦ And how is the evaluation for the system constructed from the evaluations of its components? • This is what the MILS Integration PP (MIPP) must address • It is an instance of compositional certification • A bold vision that pushes the state of the art John Rushby, Rance DeLong, SR I MILS Integration PP: 2

  3. MIPP First Draft • Redirection of MNSPP activity • Sponsored by AFRL through Raytheon • Will provide an account of the MILS “idea” and architecture • And and describe the path from Common Criteria (CC) through multiple PPs to a TOE • And how MILS components and PPs compose to yield a secure and evaluable system • First draft is a 10-page overview • Available in a couple of weeks • Closely related to the MILS PP Authoring Environment • Funding to continue the effort is expected John Rushby, Rance DeLong, SR I MILS Integration PP: 3

  4. Compositional Certification • Because safety, security, etc. are system properties, traditional certification regimes consider only complete systems (or major components) ◦ E.g., the FAA certifies only airplanes, engines, propellers • Even when component already evaluated as part of another system, certifiers reserve right to look inside (cf. RSC) • But modern business practices (outsourcing, COTS) make this increasingly untenable, even in first use of a component ◦ System integrator, let alone system certifier, may have little visibility into the component ◦ They merely define its requirements • The component should be evaluated separately ◦ Evaluation is in terms of properties delivered at interfaces • System certification is then built on these interfaces and properties, with no looking inside John Rushby, Rance DeLong, SR I MILS Integration PP: 4

  5. Compositional Certification for MILS • Feasibility of compositional certification depends on the architecture • Because compositional certification is all about properties delivered at interfaces, we need ◦ Precise interfaces (the paths for component interaction) ⋆ There must be no paths for component interaction outside the known interfaces, even in the presence of faults, or of malice in untrusted components ◦ Precise properties ⋆ Must be meaningful at interfaces ⋄ So they can be evaluated locally ⋆ Must be meaningful in combination ⋄ So they compose to yield evaluable system properties • MILS is an architecture that promotes these characteristics John Rushby, Rance DeLong, SR I MILS Integration PP: 5

  6. The MILS Architecture • An architecture stands in relation to systems design as the US Constitution stands in relation to laws • The constitution is not a law ◦ It defines the allowable kinds of law • An architecture is not a system ◦ It defines the allowable kinds of system • If the only purpose of the MILS architecture were to promote compositional certification, it might be easy • But MILS must promote several goals John Rushby, Rance DeLong, SR I MILS Integration PP: 6

  7. MILS Goals These include • Security ◦ Security includes many notions, such as confidentiality, integrity, access control, authorized flow, authorized actions, and is often required in combination with other difficult properties, such as safety • Assurance ◦ i.e., compositional certification • Functionality ◦ The system must achieve its operational purpose, which is usually about something other than security • Affordability Previous approaches to computer security failed on one or more, or all of these John Rushby, Rance DeLong, SR I MILS Integration PP: 7

  8. Affordability • A reasonable expectation is that affordability will be promoted by a COTS competitive marketplace • So we need open standards, large market, many suppliers • The MILS component PPs (separation kernel, partitioning communication system, console, file system, network stack) are open standards intended to promote a COTS market • Makes sense to develop these first so that suppliers have time to develop products • But this bottom-up initiative must be complemented by a top-down one that helps systems integrators understand how to use these components • That’s the purpose of the MIPP John Rushby, Rance DeLong, SR I MILS Integration PP: 8

  9. Top-Down Security • Almost all system designs are portrayed in diagrams using circles (or boxes) and arrows • But in security, these have a particular (often unconscious) force and interpretation • Arrows indicate interfaces ◦ Implicitly, absence of an arrow means absence of component interaction • Circles indicate encapsulated data, information, control, etc. ◦ The only things that happen inside a circle are consequences of things in that circle and the incoming arrows, and the only things that change are the internal state of the circle and its outgoing arrows John Rushby, Rance DeLong, SR I MILS Integration PP: 9

  10. The Essence of Good Security Design • Try to arrange the circles and arrows so that security depends on only a few trusted circles • And those are trusted to do only relatively simple things �✁�✁� ✂✁✂✁✂ ✞✁✞✁✞ ✟✁✟✁✟ �✁�✁� ✂✁✂✁✂ ✞✁✞✁✞ ✝✁✝✁✝ ✆✁✆✁✆ ✟✁✟✁✟ ✂✁✂✁✂ �✁�✁� ✞✁✞✁✞ ✆✁✆✁✆ ✝✁✝✁✝ ✟✁✟✁✟ ✝✁✝✁✝ ✆✁✆✁✆ ✡✁✡✁✡ ✠✁✠✁✠ ✡✁✡✁✡ ✠✁✠✁✠ ✄✁✄✁✄ ☎✁☎✁☎ ✠✁✠✁✠ ✡✁✡✁✡ ✄✁✄✁✄ ☎✁☎✁☎ ☎✁☎✁☎ ✄✁✄✁✄ John Rushby, Rance DeLong, SR I MILS Integration PP: 10

  11. The MILS Architecture, Upper Level • The system structure should directly reflect the circles and arrows picture ◦ i.e., the implementation directly follows the logical design • We can afford to have lots of circle and arrows, and should use this to reduce and simplify the trusted circles John Rushby, Rance DeLong, SR I MILS Integration PP: 11

  12. The MILS Architecture, Lower Level • We can afford to have lots of circles and arrows because we can efficiently and securely share physical resources among separate logical circles and arrows • Care and skill needed to determine which logical components share physical resources (performance, faults) �✁�✁� ✂✁✂✁✂ ✞✁✞✁✞ ✟✁✟✁✟ �✁�✁� ✂✁✂✁✂ ✞✁✞✁✞ ✝✁✝✁✝ ✆✁✆✁✆ ✟✁✟✁✟ �✁�✁� ✂✁✂✁✂ ✝✁✝✁✝ ✆✁✆✁✆ ✞✁✞✁✞ ✟✁✟✁✟ ✆✁✆✁✆ ✝✁✝✁✝ ✠✁✠✁✠✁✠ ✡✁✡✁✡ ✠✁✠✁✠✁✠ ✡✁✡✁✡ ✄✁✄✁✄ ☎✁☎✁☎ ✠✁✠✁✠✁✠ ✡✁✡✁✡ ☎✁☎✁☎ ✄✁✄✁✄ ✄✁✄✁✄ ☎✁☎✁☎ John Rushby, Rance DeLong, SR I MILS Integration PP: 12

  13. Two Kinds of Components, Two Kinds of PPs The lower and upper levels of the MILS architecture have different concerns and are realized by different kinds of components having different kinds of PPs Lower level: components that partition/separate/securely share physical resources among logical entities • Examples: separation kernel, partitioning communication system, console, file system, network stack • Their PPs are foundational: concerned with partitioning/separation/secure sharing Upper level: components that provide or enforce specific security functionality • Examples: downgrading, authentication, MLS flow • Their PPs are operational: concerned with the specific security function that they provide John Rushby, Rance DeLong, SR I MILS Integration PP: 13

  14. The Essence of MILS • The foundational and operational security concerns are kept separate ◦ Separate kinds of components ◦ Separate kinds of PPs • Cf. traditional security kernels, where one component partitioned many kinds of resources (complex implementation), and either enforced a single operational security property (too rigid to be useful) or several (too complicated to be credible) • MILS is feasible today because we know how to do fine grain partitioning (e.g., paravirtualization), have better hardware support, and can afford the overhead John Rushby, Rance DeLong, SR I MILS Integration PP: 14

  15. Composition of MILS Components The foundational and the operational components and PPs compose differently • Foundational components compose with each other additively ◦ e.g., partitioning(kernel) + partitioning(file system) provides partitioning(kernel + file system) • Operational components combine in a way that ensures compositionality ◦ There’s some way to calculate the properties of interacting operational components from the properties of the components (with no need to look inside) John Rushby, Rance DeLong, SR I MILS Integration PP: 15

  16. Composition of MILS Components (ctd) • Foundational components Ensure composability of operational components ◦ Properties of a collection of interacting operational components are preserved when they are placed (suitably) in the environment provided by a collection of foundational components John Rushby, Rance DeLong, SR I MILS Integration PP: 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The MILS Component Integration Approach To Secure Information Sharing Carolyn Boettcher,

The MILS Component Integration Approach To Secure Information Sharing Carolyn Boettcher,

The MILS Component Integration Approach To Secure Information Sharing Carolyn Boettcher, Raytheon, El Segundo CA Rance DeLong, LynuxWorks, San Jose CA John Rushby, SRI International, Menlo Park CA Wilmar Sifre, AFRL/RITB, Rome NY Boettcher,

414 views • 27 slides
MILS C Compl plete S ete Separa rati tion P n Platf tform orm P Protec ecti tion n

MILS C Compl plete S ete Separa rati tion P n Platf tform orm P Protec ecti tion n

MILS C Compl plete S ete Separa rati tion P n Platf tform orm P Protec ecti tion n Profi file le MILS CSP PP Viola Saftig, Dr. Igor Furgel Telekom Security - T-SYSTEMS INTERNATIONAL GmbH Content/Agenda 01 Motivation 02 MILS CSP

751 views • 23 slides
Compositional Certification for MILS John Rushby Computer Science Laboratory SRI International

Compositional Certification for MILS John Rushby Computer Science Laboratory SRI International

Compositional Certification for MILS John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Compositional Cert for MILS: 1 Intuitive Security Architecture Almost all system designs are portrayed in

548 views • 28 slides
MILS Research Montage MILS Research Montage LAW LAW Work-In-Progress Session Work-In-Progress

MILS Research Montage MILS Research Montage LAW LAW Work-In-Progress Session Work-In-Progress

MILS Research Montage MILS Research Montage LAW LAW Work-In-Progress Session Work-In-Progress Session December 6, 2011 December 6, 2011 Rance DeLong Rance DeLong Consulting Researcher Consulting Researcher 1 MILS Efforts Overview

772 views • 26 slides
BRUNSWICK MILS Urban Design Presentation Introduction Structure of this presentation:

BRUNSWICK MILS Urban Design Presentation Introduction Structure of this presentation:

BRUNSWICK MILS Urban Design Presentation Introduction Structure of this presentation: Section 1: The overarching approach/methodology for the urban design analysis Section 2: The specific urban design rationales for the MILS precincts

481 views • 24 slides
Annual Health Protection Profile for Barnet, 2014 Dr Tania Misra, Consultant in Health

Annual Health Protection Profile for Barnet, 2014 Dr Tania Misra, Consultant in Health

Annual Health Protection Profile for Barnet, 2014 Dr Tania Misra, Consultant in Health Protection, NE & NC London Health Protection Team, PHE 4th th June 2015 Infectious Diseases in Barnet The total number of infectious diseases reported

143 views • 13 slides
An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS

An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS

An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS Rance DeLong* Rance DeLong* The Open Group The Open Group Layered Assurance Workshop Layered Assurance Workshop December 2010 December 2010 1

355 views • 11 slides
Outline Scientific Background Payload Mission Profile Planetary Protection

Outline Scientific Background Payload Mission Profile Planetary Protection

Study of Active Mainbelt Object through Sample Acquisition Summer School Alpbach 2008 BLUE TEAM 1 Outline Scientific Background Payload Mission Profile Planetary Protection Budgets Critical Issues Conclusions

776 views • 30 slides
AVECTIS, ALC PROFESSIONAL SYSTEM INTEGRATION SOLUTIONS Company Profile Established in 1994

AVECTIS, ALC PROFESSIONAL SYSTEM INTEGRATION SOLUTIONS Company Profile Established in 1994

AVECTIS, ALC PROFESSIONAL SYSTEM INTEGRATION SOLUTIONS Company Profile Established in 1994 Number of employees exceeds 100 Quality management ISO 9001-2015 Direct partnership with over 30 vendors More than 50 foreign partners Over 500

665 views • 44 slides
SUPPORT AND INTEGRATION OF EDUCATION AND TRAINING FOR RADIATION PROTECTION RESEARCH IN THE

SUPPORT AND INTEGRATION OF EDUCATION AND TRAINING FOR RADIATION PROTECTION RESEARCH IN THE

SUPPORT AND INTEGRATION OF EDUCATION AND TRAINING FOR RADIATION PROTECTION RESEARCH IN THE EUROPEAN JOINT PROGRAMME CONCERT V. Smyth 1 , A. Ottolenghi 1 , A. Wojcik 2 , G. Safrany 3 , M. Coeck 4 , M. Atkinson 5 1 Physics Department, University of

376 views • 19 slides
Towards Law-Aware Semantic Cloud Policies with Exceptions for Data Integration and Protection

Towards Law-Aware Semantic Cloud Policies with Exceptions for Data Integration and Protection

Towards Law-Aware Semantic Cloud Policies with Exceptions for Data Integration and Protection Yuh-Jong Hu Win-Nan Wu Di-Rong Cheng { hu, d9905, 98753031 } @cs.nccu.edu.tw Emerging Network Technology(ENT) Lab. Department of Computer Science

1.24k views • 112 slides
An approach to Separation of Duties validation for MILS security configurations Semen Kort,

An approach to Separation of Duties validation for MILS security configurations Semen Kort,

An approach to Separation of Duties validation for MILS security configurations Semen Kort, Dmitry Kulagin, Ekaterina Rudina Future Technologies Kaspersky Lab The objectives Discover the Describe how the Describe the

445 views • 28 slides
Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop

Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop

Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop 2010 Austin, Texas Timothy Levin, Thuy Nguyen, Cynthia Irvine, Michael McEvilley LAW 2010 Overview Purpose Help users of SKPP understand

383 views • 17 slides
1 L Punnett: TWH Integration OHP SI: July 17, 2014 Selected Indicators & Metrics [Adapted

1 L Punnett: TWH Integration OHP SI: July 17, 2014 Selected Indicators & Metrics [Adapted

L Punnett: TWH Integration OHP SI: July 17, 2014 A NIOSH Center for Excellence to Promote a Healthier Workforce TWH in the Context of Occupational Health Psychology: Integration of Health Protection & Health Promotion Laura Punnett &

591 views • 14 slides
Integration ahead of plan:

Integration ahead of plan:

Integration ahead of plan: Screen External Folio Tablet Battery Cases Audio Protection Power

603 views • 17 slides
for Barking and Dagenham, 2014 Vivien Cleary, Consultant in Health Protection, Acknowledgement

for Barking and Dagenham, 2014 Vivien Cleary, Consultant in Health Protection, Acknowledgement

Appendix 1 Annual Health Protection Profile for Barking and Dagenham, 2014 Vivien Cleary, Consultant in Health Protection, Acknowledgement Dr Tania Misra NE & NC London Health Protection Team Infectious Diseases in B&D Highest

523 views • 16 slides
Computational Logic Recall of First-Order Logic Damiano Zanardini UPM European Master in

Computational Logic Recall of First-Order Logic Damiano Zanardini UPM European Master in

Computational Logic Recall of First-Order Logic Damiano Zanardini UPM European Master in Computational Logic (EMCL) School of Computer Science Technical University of Madrid damiano@fi.upm.es Academic Year 2009/2010 D. Zanardini (

505 views • 37 slides
Today Recall CWA Given a KB written in first-order logic, we augment KB to get a bigger set of

Today Recall CWA Given a KB written in first-order logic, we augment KB to get a bigger set of

1 2 Today Recall CWA Given a KB written in first-order logic, we augment KB to get a bigger set of Domain Closure formulas CWA ( KB ) ; the extra formulas we add are: Circumscription X KB = { p ( t 1 , . . . , t n ) : not KB p ( t

392 views • 6 slides
Learning Logically Defined Hypotheses Martin Grohe RWTH Aachen Outline I. A Declarative

Learning Logically Defined Hypotheses Martin Grohe RWTH Aachen Outline I. A Declarative

Learning Logically Defined Hypotheses Martin Grohe RWTH Aachen Outline I. A Declarative Model-Theoretic Framework for ML II. First-Order Hypotheses on Low-Degree Structures (joint work with Martin Ritzert) III. Monadic Second-Order Hypotheses

1.51k views • 104 slides
Quantum Security Analysis of AES Xavier Bonnetain, Mara Naya-Plasencia, Andr Schrottenloher

Quantum Security Analysis of AES Xavier Bonnetain, Mara Naya-Plasencia, Andr Schrottenloher

Introduction A Framework for Search Problems Quantum DS-MITM attack on 8-round AES-256 Quantum Security Analysis of AES Xavier Bonnetain, Mara Naya-Plasencia, Andr Schrottenloher Inria, France Xavier B., Mara N.-P., Andr S. Quantum

610 views • 34 slides
Presented by Peter Fortunato BNNs Risk and Business Advisory Team Peter Fortunato; CISM,

Presented by Peter Fortunato BNNs Risk and Business Advisory Team Peter Fortunato; CISM,

Presented by Peter Fortunato BNNs Risk and Business Advisory Team Peter Fortunato; CISM, CISA, CISSP Comptia Security+ ISACA CISA Certified Information Security Auditor CISM Certified Information Security

775 views • 46 slides
US/UK DTCT Security Policy Requirements Jakki Baker/Martin Oram Defence Security Scientific,

US/UK DTCT Security Policy Requirements Jakki Baker/Martin Oram Defence Security Scientific,

US/UK DTCT Security Policy Requirements Jakki Baker/Martin Oram Defence Security Scientific, Technical and Industrial Directorate of Business Resilience Defence Security Security Protection The DTCT requires the Parties to provide an

387 views • 9 slides
Declassification Options and Requirements Information Security Webinar Marc Brandsness

Declassification Options and Requirements Information Security Webinar Marc Brandsness

6/20/2013 Declassification Options and Requirements Information Security Webinar Marc Brandsness Security Asset Protection Professional Certification (SAPPC) Retired US Air Force-Security Forces with over 25 years of Law Enforcement

307 views • 15 slides
Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher

Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher

Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher Three Ways to Argue for Cryptographic Security Cryptanalysis

933 views • 75 slides

More recommend