MILS Research Montage (LAW)

SLIDE 1

MILS Research Montage

LAW Work-In-Progress Session, December 6, 2011

Rance DeLong, Consulting Researcher

SLIDE 2

MILS Efforts Overview

[Figure: a matrix of MILS efforts. Columns: Effort Categories and Efforts/Results to date. Effort categories: Implementation, Science, Standards, Eval & Cert, Products, Dissemination. Efforts and results named in the cells: MILS Vision, Constitution, Manifesto, Math, Lecture Notes, RTI, OIS, GHS, LW, WRS, SKPP, MIPP, Concepts, Compositional Certification, DCI, Galois, SIs / Programs, Example, CCAE, LAW, Evidence, Guard, MCSPP, MNSPP, ICCC, DASC, TOG, RCI, Foundational Components, Operational Components, Tools, Assurance Case, API, Inter-op, Patterns, Assemblies, Reference Implementations, Scheme, Sysgo, NSA, TOG, Future, AADL. Items marked with an asterisk are sponsored by AFRL / CMPO.]

* Sponsored by AFRL / CMPO

SLIDE 3

Research Enabling MILS Development and Deployment (REMDaD)*

• Objective: Move to the next stage of MILS deployment and development
• 4 Themes
  – Components – development and assurance of individual components
  – Integration – integration of MILS components and systems
  – Deployment – facilitate MILS deployment
  – Certification – enable MILS evaluation and certification
• Initial tasks (2010)
  – Evidence and toolchains for MILS certification study
  – MILS Cross Domain Solution (CDS) operational component study
  – MILS Delivery, Configuration, and Initialization (DCI) study

* Performed at SRI, sponsored by AF Research Laboratory and AF Cryptographic Modernization Program Office.

SLIDE 4

Research Enabling MILS Development and Deployment (REMDaD)*

• Current tasks (2011-2012) - (John Rushby, Dave Hanz, Rance DeLong)
  – AADL and MILS
  – MIPP completion (MIPP as a document)
  – "Programming the MIPP" (MIPP encoded in the CCAE)
  – MILS Delivery, Configuration, Initialization model
  – MILS Cross Domain Solution investigation
  – MILS Network Subsystem Protection Profile

* Performed at SRI, sponsored by AF Research Laboratory and AF Cryptographic Modernization Program Office.

SLIDE 5

MILS is based on composition of cooperating components defined by related Protection Profiles*

• Separation Kernel (SKPP)
• MILS Network System (MNSPP)
• MILS Console System (MCSPP)
• MILS Extended Attributes PP (MEAPP)
• MILS File System (MFSPP)
• . . .
• MILS Integration Protection Profile (MIPP)

[Figure: MIPP above MFSPP, MEAPP, MCSPP, MNSPP, SKPP and further PPs, with the relationships among them labelled "Conforms to", "Patterned after" and "Extended by".]

SLIDE 6

MILS PPs are expected to achieve this:

[Figure: from the Common Criteria (CC), the protection profiles MEAPP, MCSPP, MNSPP, MFSPP and SKPP each give rise to Security Targets (STMEA, STMCS, STMNS, STMFS, STSK) for four independently evaluated products apiece: MEA1-4, Console1-4, Network1-4, File System1-4 and SK1-4. Conformant products of each kind can be combined freely: System A = SK4 + MEA2 + Console1 + File System3 + Network3; System B = SK1 + MEA3 + Console4 + File System4 + Network1. Each system is marked "!", where "!" = It works!]

SLIDE 7

Illustrative Architecture of a MILS-based MLS workstation - a collection of connected "things"

[Figure: connected components of the workstation: MILS Console Subsystem, Session Manager, MILS File and Directory Subsystem, MLS RVM, Auth Data Mgmt, Audit Mgmt, I&A, Human I'face Devs, MILS Network Subsystem, System Management, Application Instantiator, MILS PCS, MILS CORBA, App Mgmt, Audit, several Client Partitions / Subjects, and a second MLS RVM.]

SLIDE 8

Architecture of a MILS-based workstation - itself is Something

Architecture as an Integration Framework: Something that must be designed. Something that has properties.

SLIDE 9

This Something is what the MIPP describes

• The system level security problem (T/P/A)
• The system level security objectives
• The system level SFRs and SARs
• A system concept and reference architecture
• Identification of, and connections among, the components
• A basis for formal composition of component properties
• Constraints on the MILS components that fit in the "holes"
  – Security objectives, or modified ones, that pass to the component
  – Relationships and obligations (rely-guarantee) among the components
  – Interaction schemas for interacting components

SLIDE 10

Some architecture alternatives for MILS network system

[Figure: three decompositions of a network stack (Apps, Socket Layer, Transport Layer, Network Layer, Interface Layer, Driver, Mbuf Mgmt / Mbufs / Clusters, Dev; connected by calls, queues, sw intr and hw intr), labelled "Nothing Trusted", "Everything Trusted" and "Combination of Trusted and Untrusted"; the last uses an MLS App together with a Labeled Sep and a Crypto Sep. The contrast drawn is "Individual data items associated with a single security domain" versus "Code manipulates data in multiple security domains".]

SLIDE 11

System Inputs, Outputs, Relies and Guarantees

[Figure: a system SNI with HIGH inputs, HIGH outputs, LOW inputs and LOW outputs. Its Relies constrain the input streams (I…, i…) and its Guarantees constrain the output streams (O…, o…).]
SLIDE 12

MILS System from Components/Subsystems

[Figure: a system S with HIGH inputs/outputs and LOW inputs/outputs, built from a HIGH component H(HI, HO) and a LOW component L(LI, LO), giving S(HI, HO, LI, LO). Relies on the input streams and Guarantees on the output streams are shown as on the previous slide.]

Constraints: Relies on inputs, Guarantees on outputs.

Properties: P(HI, HO, LI, LO) such that S ≤ P

SLIDE 13

Compositional Relies / Guarantees

[Figure: three configurations a), b), c) of components A and C composed into a system S, with the Relies and Guarantees of each.]
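The refinement S ≤ P on the two preceding slides can be checked by exhaustive enumeration for a toy composed system. The Python below is an added example, not code from the presentation or from any MILS product: a HIGH component H and a LOW component L exchange messages only through a separation kernel whose channel policy is a table, and the property P checked is that LOW outputs never depend on HIGH inputs. The step functions, the two policy tables (POLICY_ONE_WAY and POLICY_LEAKY) and the alphabet are assumptions made for illustration.

```python
# Added example: a toy MILS system S built from a HIGH component H, a LOW
# component L and a separation-kernel channel policy, checked against the
# property P "LOW outputs are independent of HIGH inputs" (S <= P) by
# enumerating every input sequence. All names and tables are constructed.
from itertools import product

HIGH, LOW = "HIGH", "LOW"

# Kernel channel policy: (source, sink) -> delivery permitted?
# A one-way guard: LOW may send to HIGH, HIGH may never send to LOW.
POLICY_ONE_WAY = {(LOW, HIGH): True, (HIGH, LOW): False}
# A misconfigured policy that also delivers HIGH -> LOW (a leak).
POLICY_LEAKY = {(LOW, HIGH): True, (HIGH, LOW): True}


def step_high(state, hi, inbox):
    """H consumes its HIGH input plus whatever the kernel delivered, and offers
    its HIGH input to the kernel as an outgoing message."""
    state = state + hi + inbox
    return state, hi


def step_low(state, li, inbox):
    """L produces a LOW-observable output from its own input and anything the
    kernel delivered to it; this output is what the LOW observer sees."""
    state = state + li + inbox
    return state, li + inbox


def run(policy, hi_seq, lo_seq):
    """Execute the composed system S(HI, HO, LI, LO) under a kernel policy and
    return the sequence of LOW outputs."""
    h_state = l_state = ""
    h_out = l_out = ""          # messages offered to the kernel last step
    lo_outputs = []
    for hi, li in zip(hi_seq, lo_seq):
        # The kernel is the only path between components; it enforces the policy.
        to_high = l_out if policy[(LOW, HIGH)] else ""
        to_low = h_out if policy[(HIGH, LOW)] else ""
        h_state, h_out = step_high(h_state, hi, to_high)
        l_state, l_out = step_low(l_state, li, to_low)
        lo_outputs.append(l_out)
    return tuple(lo_outputs)


def noninterference_holds(policy, n=3, alphabet=("a", "b")):
    """P: for every fixed LOW input sequence, the LOW output sequence must be
    the same for every HIGH input sequence. S <= P iff this holds for all
    sequences of length n over the alphabet."""
    for lo_seq in product(alphabet, repeat=n):
        seen = {run(policy, hi_seq, lo_seq) for hi_seq in product(alphabet, repeat=n)}
        if len(seen) > 1:
            return False
    return True
```

With the one-way policy the enumeration finds a single LOW output sequence per LOW input sequence, so S ≤ P; with the leaky policy the second LOW output already carries the first HIGH input, and the check fails. The point of the compositional slides is that this verdict follows from H's and L's guarantees plus the kernel's policy, without inspecting the components' internals.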

SLIDE 14

MILS Composite Assurance Case

• Compose assurance cases using Assume-Guarantee Reasoning
• Assumptions from the MI assurance case become requirements on the components
• Assured Claims from component assurance cases become evidence for MI

[Figure: MI Claims supported by the MI Assurance Argument (inference rules over evidence); SK Claims, MNS Claims and MCS Claims supported by the SK, MNS and MCS Assurance Arguments; Rely / Guarantee links connect the MI argument to the component arguments.]
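The bookkeeping this slide describes, every rely of the MI argument discharged by a claim some component actually argues, and component relies discharged in turn, is mechanical and worth checking by tool. The following Python is an added example rather than the presentation's own tooling: AssuranceCase, compose and the four constructed cases (MI, SK, MNS, MCS) with their claim texts and evidence identifiers are assumptions made for illustration.

```python
# Added example: compose component assurance cases with the MILS Integration
# (MI) case by assume-guarantee reasoning. A rely is a claim a case assumes
# rather than argues; it is discharged only by a claim another case argues with
# evidence. Case contents below are constructed.
from dataclasses import dataclass, field


@dataclass
class AssuranceCase:
    name: str
    claims: dict = field(default_factory=dict)   # claim id -> evidence ids supporting it
    relies: set = field(default_factory=set)     # claim ids assumed from other cases

    def guarantees(self):
        """Claims this case actually argues: evidenced and not merely assumed."""
        return {c for c, ev in self.claims.items() if ev and c not in self.relies}


def compose(mi: AssuranceCase, components: list) -> dict:
    """Match every rely against the guarantees of the other cases.
    Returns which relies are discharged (and by whom) and which are gaps."""
    cases = [mi] + components
    offered = {}
    for c in cases:
        for g in c.guarantees():
            offered.setdefault(g, []).append(c.name)
    discharged, gaps = {}, {}
    for c in cases:
        for r in c.relies:
            providers = [p for p in offered.get(r, []) if p != c.name]
            if providers:
                discharged[(c.name, r)] = providers
            else:
                gaps.setdefault(c.name, []).append(r)
    return {"discharged": discharged, "gaps": gaps}


def is_complete(report: dict) -> bool:
    """True when no case is left with an undischarged rely."""
    return not report["gaps"]


# Constructed cases. MI argues the system-level claim and relies on the
# separation kernel, the network subsystem and the console subsystem.
MI = AssuranceCase(
    "MI",
    claims={
        "MI.1 system enforces MLS policy": ["mi-arg-1"],
        "SK.1 partitions isolated": [],                  # assumed, not argued here
        "MNS.1 packets labelled by domain": [],
        "MCS.1 console session bound to one domain": [],
    },
    relies={
        "SK.1 partitions isolated",
        "MNS.1 packets labelled by domain",
        "MCS.1 console session bound to one domain",
    },
)
SK = AssuranceCase("SK", claims={"SK.1 partitions isolated": ["sk-formal-proof", "sk-tests"]})
MNS = AssuranceCase(
    "MNS",
    claims={"MNS.1 packets labelled by domain": ["mns-design-review"],
            "SK.1 partitions isolated": []},
    relies={"SK.1 partitions isolated"},                 # MNS itself relies on SK
)
MCS = AssuranceCase("MCS", claims={"MCS.1 console session bound to one domain": []})  # no evidence yet
```

Run as constructed, the report discharges MI's relies on SK and MNS and MNS's rely on SK, and flags MI's rely on the console claim as a gap because the MCS case lists the claim without evidence. Adding evidence to the MCS case closes the gap; the composite case is complete exactly when every rely has a provider other than the case that assumes it.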

SLIDE 15

Common Criteria Authoring Environment as a distributed collaboration environment

[Figure: CCAE instances for the Author, Reviewers, Evaluators and Certifiers exchange PP and ST documents through a CCAE Collaboration Environment.]

SLIDE 16

CCAE User and Components

[Figure: CCAE architecture.
- Rule Base: CC Component Operation Rules, Semantic Rules, Relational Model, Workflow Rules
- Doc Creation Library: Conventions, Doc comp classes, Doc generators (PP, ST, FSP)
- Env Library: Components, CC SFRs/SARs, Interps, CIM, Security Ontology, Resource Registry, MILS Integ FW
- Author/Reviewer input: Parent PP, MILS TOE Concept, or TOE Flow-down Requirements
- Functions: Doc Assembly, Catalog Selection, Checking, Reviewing, Inference, Rule Execution, Queries, XML gen
- Current Document Factbase; Document Creation/Revision; Documents & Reports; Rendering & Conversion
- Outputs: PP, ST, stats; Document Publishing; Project Team Exchange or Export; XML, PDF, DOCX, XLSX, …
- CCAE Document Repository; UI Agent]

SLIDE 17

Relational Structure of a Protection Profile

[Figure: a PP relates Threats (Τ), Policies (Π), Assumptions (Α), Security Objectives (Ω), Functional Requirements (SFR), Assurance Requirements (SAR), Environment Requirements and Environment Security Objectives. SFR classes: FAU, FCO, FCS, FDP, FIA, FMT, FPR, FPT, FRU, FTA, FTP. SAR classes: ACM, ADO, ADV, AGD, ALC, (AMA), ATE, AVA.]

"Space" of PPs $= \left( 2^{\mathrm{T}} \times 2^{\Pi} \times 2^{\mathrm{A}} \times \Omega \times 2^{\mathrm{SFR}} \times 2^{\mathrm{SAR}} \right)$

SLIDE 18

Approximation of a MILS PP Oracle ($M_{CCAE}$)

$\mathrm{PP} = \left( 2^{\mathrm{T}} \times 2^{\Pi} \times 2^{\mathrm{A}} \times \Omega \times 2^{\mathrm{SFR}} \times 2^{\mathrm{SAR}} \right)$

$E \subset \mathrm{PP}$: evaluatable PPs

$M \subset E$: MILS evaluatable PPs

$M_C$: a candidate member of $M$

$M_{CCAE}$: the CCAE's approximation of the MILS PP oracle

CCAE drives $M_C$ toward $M$ by measuring consistency and coverage with respect to $M_{CCAE}$.

[Figure: nested sets PP ⊃ E ⊃ M, with $M_{CCAE}$ and the candidate $M_C$ drawn inside E.]
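The tuple on this slide and the system-level security problem, objectives, SFRs and SARs listed on slide 9 suggest what "measuring consistency and coverage" means concretely: the CC rationale sections are tracing relations between those sets, and an oracle approximation can check them. The Python below is an added example, not the CCAE: ProtectionProfile, check and coverage are constructed for illustration, as is the candidate PP and its element names; the one SFR dependency table entry it relies on (FAU_GEN.1 requiring FPT_STM.1, and FAU_GEN.2 requiring FAU_GEN.1 and FIA_UID.1) is a real CC Part 2 dependency, included as a small subset.

```python
# Added example: a PP as the tuple (T, Pi, A, Omega, SFR, SAR) plus the tracing
# relations the CC rationale requires, with consistency and coverage checks of
# the kind an oracle approximation M_CCAE would apply to a candidate M_C.
# Contents of the candidate PP are constructed.
from dataclasses import dataclass, field

# Subset of CC Part 2 component dependencies (assumed sufficient for the example).
SFR_DEPENDENCIES = {
    "FAU_GEN.1": {"FPT_STM.1"},
    "FAU_GEN.2": {"FAU_GEN.1", "FIA_UID.1"},
}


@dataclass
class ProtectionProfile:
    threats: set
    policies: set
    assumptions: set
    objectives: set
    sfrs: set
    sars: set
    counters: dict = field(default_factory=dict)   # threat or policy -> objectives addressing it
    meets: dict = field(default_factory=dict)      # objective -> SFRs implementing it


def coverage(pp: ProtectionProfile) -> float:
    """Fraction of threats/policies countered and objectives met."""
    items = pp.threats | pp.policies
    total = len(items) + len(pp.objectives)
    if total == 0:
        return 1.0
    covered = sum(1 for i in items if pp.counters.get(i, set()) & pp.objectives)
    covered += sum(1 for o in pp.objectives if pp.meets.get(o, set()) & pp.sfrs)
    return covered / total


def check(pp: ProtectionProfile) -> dict:
    """Return findings (empty when the PP passes) and the coverage figure."""
    findings = []
    # Coverage: every threat and policy is addressed by at least one objective.
    for item in pp.threats | pp.policies:
        if not (pp.counters.get(item, set()) & pp.objectives):
            findings.append(f"uncovered: {item}")
    # Coverage: every objective is met by at least one SFR.
    for obj in pp.objectives:
        if not (pp.meets.get(obj, set()) & pp.sfrs):
            findings.append(f"objective without SFR: {obj}")
    # Consistency: tracing may only reference objectives the PP declares.
    for src, objs in pp.counters.items():
        for o in objs - pp.objectives:
            findings.append(f"dangling objective {o} from {src}")
    # Consistency: SFR dependencies must be satisfied inside the PP.
    for sfr in sorted(pp.sfrs):
        for dep in SFR_DEPENDENCIES.get(sfr, set()) - pp.sfrs:
            findings.append(f"unsatisfied dependency: {sfr} -> {dep}")
    # Consistency: an assumption removes a threat from scope; both is contradictory.
    for a in pp.assumptions & pp.threats:
        findings.append(f"assumed and threatened: {a}")
    return {"findings": findings, "coverage": coverage(pp)}


def is_evaluatable(pp: ProtectionProfile) -> bool:
    return not check(pp)["findings"]


# Constructed candidate M_C: one policy is not countered and one dependency is missing.
CANDIDATE = ProtectionProfile(
    threats={"T.UNAUTHORIZED_FLOW", "T.AUDIT_LOSS"},
    policies={"P.LABEL"},
    assumptions={"A.PHYSICAL"},
    objectives={"O.SEPARATION", "O.AUDIT"},
    sfrs={"FDP_IFC.1", "FDP_IFF.1", "FAU_GEN.1"},
    sars={"ADV_FSP.2", "ATE_IND.2"},
    counters={"T.UNAUTHORIZED_FLOW": {"O.SEPARATION"}, "T.AUDIT_LOSS": {"O.AUDIT"}},
    meets={"O.SEPARATION": {"FDP_IFC.1", "FDP_IFF.1"}, "O.AUDIT": {"FAU_GEN.1"}},
)
```

On the constructed candidate the checker reports two findings (the uncountered policy and the missing FPT_STM.1) and a coverage of 0.8; adding a tracing for the policy and the missing SFR drives the candidate into the set the oracle accepts, which is the "drives M_C toward M" step of the slide made operational.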

SLIDE 19

Projecting the MILS PPP to standard PPs

Polymorphic PP with sub-profiles A, B, C: $\mathrm{PPP}_{ABC}$

Projection function:

$f\;\mathrm{PPP}_{ABC}\;\{\{A\}, \{A,B\}, \{A,C\}, \{A,B,C\}\} = \{\mathrm{PP}_A, \mathrm{PP}_{AB}, \mathrm{PP}_{AC}, \mathrm{PP}_{ABC}\}$ + Evaluation Work Unit Checklists

Standard PPs: $\mathrm{PP}_A$, $\mathrm{PP}_{AB}$, $\mathrm{PP}_{AC}$, $\mathrm{PP}_{ABC}$

Evaluation Work Unit Checklists:
  Work Units A
  Work Units AB \ {A}
  Work Units AC \ {A, AB}
  Work Units ABC \ {A, AB, AC}

Difference operator "\" applies component dependency, hierarchy, and other PP property closures. Differential work units assume ordered evaluation of PPs.

SLIDE 20

Evaluation differential work units (1)

[Figure: $\mathrm{PP}_A$: the work units entailed to evaluate $f\;\mathrm{PPP}_{ABC}\;\{A\} = \mathrm{PP}_A$.]

Note, the following Venn diagrams represent contents of projected PPs, not PPP sub-profiles. Projected PPs may have substantial intersection, while sub-profiles may be disjoint.

SLIDE 21

Evaluation differential work units (2)

[Figure: Venn diagram of $\mathrm{PP}_A$ and $\mathrm{PP}_{AB}$. Work units entailed to evaluate $f\;\mathrm{PPP}_{ABC}\;\{A,B\} = \mathrm{PP}_{AB}$. $\mathrm{PP}_A \cap \mathrm{PP}_{AB}$: common work units already completed during evaluation of $\mathrm{PP}_A$. Differential work units AB \ {A} to be performed to complete evaluation of $\mathrm{PP}_{AB}$.]

SLIDE 22

Evaluation differential work units (3)

[Figure: Venn diagram of $\mathrm{PP}_A$, $\mathrm{PP}_{AB}$ and $\mathrm{PP}_{ABC}$. Work units entailed to evaluate $f\;\mathrm{PPP}_{ABC}\;\{A,B,C\} = \mathrm{PP}_{ABC}$. $(\mathrm{PP}_A \cap \mathrm{PP}_{AB}) \cap \mathrm{PP}_{ABC}$: common work units completed for evaluation of $\mathrm{PP}_A$ and $\mathrm{PP}_{AB}$. Differential work units ABC \ {A, AB} to be performed to complete evaluation of $\mathrm{PP}_{ABC}$.]
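The projection and the differential work units on slides 19 to 22 can be computed once the sub-profiles, their dependency closure and the work units entailed per PP element are given. The Python below is an added example and not the presentation's tooling: the sub-profile contents of PPP, the DEPENDS table, and the assumption that each PP element entails two work units named after it are all constructed; the transitive closure over DEPENDS stands in for the "component dependency, hierarchy, and other PP property closures" the difference operator applies.

```python
# Added example: project a polymorphic PP with sub-profiles A, B, C onto the
# standard PPs PP_A, PP_AB, PP_AC, PP_ABC and compute the differential
# evaluation work units "AB \ {A}" etc. under ordered evaluation.
# Sub-profile contents, dependencies and work-unit counts are constructed.

# Dependencies between PP elements (SFRs here); the closure below applies them.
DEPENDS = {
    "FAU_GEN.1": {"FPT_STM.1"},
    "FDP_IFF.1": {"FDP_IFC.1"},
    "FDP_IFC.1": {"FDP_IFF.1"},
}

# Polymorphic PP: sub-profile -> elements it contributes (sub-profiles disjoint here).
PPP = {
    "A": {"FDP_IFC.1", "FDP_IFF.1"},
    "B": {"FAU_GEN.1"},
    "C": {"FTP_ITC.1"},
}


def closure(elements):
    """Add every element transitively required by the given ones."""
    result = set(elements)
    pending = list(elements)
    while pending:
        e = pending.pop()
        for d in DEPENDS.get(e, set()) - result:
            result.add(d)
            pending.append(d)
    return frozenset(result)


def project(ppp, selection):
    """f PPP {selection}: the standard PP made of the selected sub-profiles'
    elements, closed under dependencies (projected PPs may overlap even when
    sub-profiles are disjoint)."""
    return closure(set().union(*(ppp[s] for s in selection)))


def work_units(pp, units_per_element=2):
    """Evaluation work units entailed by a projected PP. Assumed: a fixed number
    of work units per element, named after the element."""
    return frozenset(f"{e}:WU{i}" for e in pp for i in range(1, units_per_element + 1))


def differential(ppp, order):
    """Ordered evaluation: for each selection in turn, the work units entailed by
    its projected PP that were not already completed for an earlier PP."""
    done = set()
    report = {}
    for selection in order:
        entailed = work_units(project(ppp, selection))
        report["".join(sorted(selection))] = entailed - done
        done |= entailed
    return report
```

Evaluating in the order A, AB, AC, ABC, the example yields four work units for PP_A, four more for PP_AB (FAU_GEN.1 plus the FPT_STM.1 its dependency pulls in, which is exactly where the closure matters), two more for PP_AC, and none for PP_ABC: in this additive model everything PP_ABC entails was completed while evaluating the three smaller projections.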

SLIDE 23

Generalized Delivery, Configuration, and Initialization interpretation

• Interleaved configuration and delivery
• Configuration and integration is incremental due to separation of concerns and separation of duty
• The OEM TOE developer is responsible for providing trusted delivery and for trusted initialization
• Trusted delivery should protect the TOE to the deployment environment, providing the basis for establishment of a secure initial state
• There can be multiple intermediate integrator environments!

[Figure: Developer Environment (Dev, OEM Config, Delivery) → Integrator Environment(s) (Config, Delivery) → User (deployment) Environment (Config, Init, Operation).]

SLIDE 24

Incremental accumulation of component / configuration data bundle protected by, and updated within, Trusted DCI pipeline

[Figure: a Trusted Delivery Pipeline carries a bundle that accumulates Components (sk, fs, pcs, net, con), Applications (ap1, ap2) and Configuration actions (c1 … c7, cn, C) on its way to the Deploy Env, where init, cm, sk and cd are shown completing initialization.]
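One way to realise the protection this slide and the previous one call for, a bundle that accumulates components and configuration actions across developer, integrator and deployment environments and still gives initialization a basis for a secure initial state, is to hash-chain the stages and authenticate each extension of the chain. The Python below is an added example rather than any MILS product's delivery mechanism: HMAC with per-stage keys stands in for the stage signatures a real scheme would use, and the stage names, keys and bundle items are constructed for illustration.

```python
# Added example: a hash-chained, authenticated DCI bundle. Each stage of the
# pipeline (OEM -> integrator(s) -> deployment) appends its components and
# configuration actions and authenticates the whole chain so far; initialization
# re-verifies the chain and uses only what verified. HMAC stands in for stage
# signatures; keys and items are constructed.
import hashlib
import hmac
import json

# Assumed: the deployment environment holds a verification key for every stage.
STAGE_KEYS = {"OEM": b"oem-key", "Integrator1": b"int1-key", "Deploy": b"deploy-key"}
ORDER = ["OEM", "Integrator1", "Deploy"]


def _digest(prev_tag: bytes, stage: str, items: dict) -> bytes:
    """Bind this stage's items to everything delivered before it."""
    payload = json.dumps({"stage": stage, "items": items}, sort_keys=True).encode()
    return hashlib.sha256(prev_tag + payload).digest()


def append_stage(bundle: list, stage: str, items: dict, key: bytes) -> list:
    """Return a new bundle extended with this stage's components/configuration."""
    prev_tag = bundle[-1]["tag"] if bundle else b""
    tag = hmac.new(key, _digest(prev_tag, stage, items), hashlib.sha256).digest()
    return bundle + [{"stage": stage, "items": items, "tag": tag}]


def verify_bundle(bundle: list, keys: dict, expected_order: list) -> tuple:
    """Walk the chain from the OEM stage forward. Returns (ok, accumulated
    configuration); on any failure nothing is returned for initialization."""
    if [s["stage"] for s in bundle] != expected_order:
        return False, {}
    prev_tag = b""
    accumulated = {}
    for entry in bundle:
        key = keys.get(entry["stage"])
        if key is None:
            return False, {}
        expected = hmac.new(key, _digest(prev_tag, entry["stage"], entry["items"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, {}
        accumulated.update(entry["items"])   # later stages refine earlier configuration
        prev_tag = entry["tag"]
    return True, accumulated


def build_example() -> list:
    """Constructed pipeline run: OEM ships kernel and PCS, the integrator adds the
    network subsystem and an application, the deployment site adds local config."""
    b = append_stage([], "OEM",
                     {"sk": "sk-1.0", "pcs": "pcs-1.0", "c1": "partitions=4"},
                     STAGE_KEYS["OEM"])
    b = append_stage(b, "Integrator1",
                     {"net": "mns-2.1", "ap1": "guard", "c2": "channels=ap1:fs"},
                     STAGE_KEYS["Integrator1"])
    b = append_stage(b, "Deploy",
                     {"c3": "site=lab", "ap2": "console"},
                     STAGE_KEYS["Deploy"])
    return b
```

Because every tag covers the previous tag, an intermediate integrator cannot alter what the OEM delivered, and a tampered integrator stage invalidates the deployment stage's tag even if the integrator re-authenticates its own entry; a bundle that never reached the deployment stage fails the order check, so initialization cannot proceed from a partially delivered chain.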

SLIDE 25

The big picture, scope of phases

Temporal overlap and location spanning …

[Figure: a timeline t across the Developer Environment, Integrator Environment(s) and User (deployment) Environment; the phases Development, Configuration, Delivery, Initialization, Operation and Reconfig overlap in time and span environments.]

SLIDE 26

Generalized Reconfiguration

Φ - system configuration property
φi - interval configuration property
τR - reconfiguration transition

[Figure: Trace of System States. Operational Interval 1 satisfies the interval configuration property φ1 and starts at state s0^1; a reconfiguration transition τR leads to Operational Interval 2, which satisfies φ2 and starts at s0^2; the System Configuration Property Φ spans the whole trace.]

⊥ ⇒ ⊥
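The three properties named on this slide can be checked over a concrete trace once a state encoding is fixed. The Python below is an added example and not the presentation's model: states are dicts naming the partitions, the active channels and the channels authorized for the current interval, the interval properties are built by phi_factory, tau_R demands that only System Management initiates a reconfiguration, and Phi requires each interval's states to satisfy its phi_i with valid tau_R transitions at interval boundaries. The encoding, the property choices and the trace are constructed for illustration.

```python
# Added example: check a trace of system states against interval configuration
# properties phi_i, the reconfiguration transition tau_R and the system
# configuration property Phi. State encoding and properties are constructed.


def phi_factory(required_channels: set, forbidden_channels: set):
    """Interval property phi_i: the configuration in force during the interval
    includes the required channels and never contains a forbidden one."""
    def phi(state):
        ch = state["channels"]
        return required_channels <= ch and not (forbidden_channels & ch)
    return phi


def tau_R(before, after):
    """Reconfiguration transition: initiated by System Management only, the
    partition set persists, and the new interval activates only channels
    authorized for it."""
    return (after["initiator"] == "SystemManagement"
            and before["partitions"] == after["partitions"]
            and after["channels"] <= after["authorized"])


def Phi(trace, intervals):
    """System configuration property: the trace splits into the given intervals
    (property, length), every state of interval i satisfies phi_i, and each
    interval boundary is a valid tau_R transition."""
    pos = 0
    prev = None
    for phi, length in intervals:
        segment = trace[pos:pos + length]
        if len(segment) != length or not all(phi(s) for s in segment):
            return False
        if prev is not None and not tau_R(prev, segment[0]):
            return False
        prev = segment[-1]
        pos += length
    return pos == len(trace)


def example_trace():
    """Constructed trace: two states in interval 1, a reconfiguration that adds a
    console-to-file-system channel, two states in interval 2."""
    parts = {"sk", "fs", "net", "con"}
    op1 = {"partitions": parts, "channels": {("net", "fs")},
           "authorized": {("net", "fs")}, "initiator": "init"}
    op2 = {"partitions": parts, "channels": {("net", "fs"), ("con", "fs")},
           "authorized": {("net", "fs"), ("con", "fs")}, "initiator": "SystemManagement"}
    return [op1, op1, op2, op2]


# phi_1 requires the network-to-file-system channel; phi_2 additionally requires
# the console channel; both forbid a direct console-to-network channel.
INTERVALS = [
    (phi_factory({("net", "fs")}, {("con", "net")}), 2),
    (phi_factory({("con", "fs")}, {("con", "net")}), 2),
]
```

The constructed trace satisfies Phi. Changing the initiator of the second interval's first state to an application, adding the forbidden console-to-network channel inside interval 2, or truncating the trace before interval 2 is complete each makes Phi fail, which shows the three distinct ways a reconfiguration can violate the system property: an unauthorized transition, an interval state outside phi_i, and an interval that never reaches its full extent.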