The Challenge of Multilevel Security - PowerPoint PPT Presentation


SLIDE 1

October 2003 1 Cryptosmith LLC

The Challenge of Multilevel Security

Rick Smith, Ph.D., CISSP
Rick@cryptosmith.com
http://www.cryptosmith.com/
October 2003

SLIDE 2

Text-Only Outline

Outline presented here

  • What is MLS?
  • Why is MLS Hard? – Accreditation
  • Building MLS Systems
  • Selecting a Trusted OS

Please see the BlackHat CDROM for the complete copy of this presentation, or visit this web site: http://www.cryptosmith.com

SLIDE 3

Multilevel Security

  • An overloaded term
  • Some vendors build “MLS Products”
    – Implement “Bell LaPadula” security mechanism
    – Allows higher-classified processes to read data created by lower-classified processes
    – Example: a Top Secret user’s process can read Secret data
    – Vice versa (downgrading) not directly permitted
  • Most requirements for “MLS Operating Mode”
    – Devices handle classified information with different classification markings
    – Must never release wrong level to wrong recipient
    – Much more general than “MLS Products”
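The Bell-LaPadula rules the slide summarizes, worked through as an added Python example (not code from the presentation): read-down is permitted, write-down is denied, and a downgrade is flagged as something only a trusted regrader may perform. The example goes beyond the slide's single Top Secret/Secret case by giving labels compartments as well as a level; the level names, the compartment names "SI" and "TK", and the subjects are constructed for illustration.

```python
"""Bell-LaPadula access checks over a classification lattice.

Added example, not code from the slides.  A label pairs a hierarchical level
(Unclassified < Secret < Top Secret) with a set of compartments, which extends
the deck's Top Secret/Secret example to the compartmented (SCI-style) labels
the slides only name.  Level names, compartment names and subjects are
constructed for illustration.
"""
from dataclasses import dataclass

LEVELS = {"Unclassified": 0, "Secret": 1, "Top Secret": 2}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND every compartment of `other`."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the subject must dominate the object.
    This is the slide's read-down case: a Top Secret process may read Secret data."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): the object must dominate the subject, so an
    ordinary process cannot copy high data into a lower-labelled object."""
    return obj.dominates(subject)


def needs_regrader(source: Label, dest: Label) -> bool:
    """True when moving data from `source` to `dest` is a downgrade.  The two BLP
    rules above never allow it directly; only a trusted regrader or guard may do it."""
    return not dest.dominates(source)


# Constructed labels used by the demo below.
UNCLASS = Label("Unclassified")
SECRET = Label("Secret")
TOP_SECRET = Label("Top Secret")
TS_SCI = Label("Top Secret", frozenset({"SI", "TK"}))
SECRET_SI = Label("Secret", frozenset({"SI"}))

if __name__ == "__main__":
    for subj, obj in [(TOP_SECRET, SECRET), (SECRET, TOP_SECRET),
                      (TOP_SECRET, TS_SCI), (TOP_SECRET, SECRET_SI)]:
        print(f"{subj.level}{sorted(subj.compartments)} -> "
              f"{obj.level}{sorted(obj.compartments)}: "
              f"read={can_read(subj, obj)} write={can_write(subj, obj)}")
```

The compartment check is what makes Top Secret (no compartments) and Secret/SI incomparable: neither dominates the other, so a plain Top Secret process can neither read nor write the Secret/SI object. That incomparability is the reason the lattice, not just the level ordering, has to be what the mechanism enforces.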

SLIDE 4

An Example MLS Problem

Sensor to Shooter: Data travels from satellites to planners at different levels, and finally to the warrior who pulls the trigger. Data is sanitized at each level and passed to a lower classification.

[Figure: data flow across the levels SCI, Top Secret, Secret, Unclassified]

SLIDE 5

MILS versus MLS

Achieves “MLS Operating Mode” without “MLS Products”

  • MILS = Multiple Independent Levels of Security
    – Deals with multiple levels via separate, “System High” elements
    – Data sharing, if any, is via guards or one-way data transfers
  • Does not necessarily require “MLS Products”
    – Most or all elements may be standard COTS products
    – Guard may use an MLS Product, but not necessarily
  • Site networks usually operate in “MILS” mode
    – Individual networks consist of COTS products
    – Networks run at System High
    – Interconnections, if any, require a special-purpose Guard

SLIDE 6

Why is MLS Hard?

  • Short answer: Software is unreliable
    – Nobody wants to trust the protection of their own, valuable classified information to a buggy OS or application
    – Felony Boxes – nobody wants to be personally liable for leaking classified information
  • MLS accreditation tries to reduce/eliminate risk
    – Accreditation – approval to operate by major command user
    – MLS accreditation seeks to eliminate risk of data leaks
    – Confidence in software = confidence in safety of data
  • Modern software is too complex for confidence
    – 16 million lines of code in modern Windows OS

SLIDE 7

System Accreditation

  • Required of all systems handling classified data
  • Regulations: DOD 5200.1, now DOD 8500
    – Regulations establishing policies for DOD info systems
  • DITSCAP: Defense Information Technology Security Certification and Accreditation Process
    – Process to verify a system’s security features – “certification”
    – Process to authorize its operation – “accreditation”
  • SSAA – System Security Authorization Agreement
    – Documents security requirements, features, and steps taken to assure its correct and secure operation
  • DAA – Designated Approval Authority
    – General/Flag officer at major command
    – Signs off on need and risk for using the accredited system

SLIDE 8

Getting Into Operation

  • “Full” Accreditation
    – System goes through certification process
      • May be based on evaluations of products being used
      • May be based on template of another successful site – this is how the SABI/TSABI processes work
      • May involve a combination
    – DAA approves system for operation
  • IATO – Interim Approval to Operate
    – Certification is incomplete; DAA lacks basis to fully accredit
    – May occur in “emergency” situations where system is needed regardless of the certification status and risks
    – At the discretion of the major command’s DAA
    – DAA may even make an IATO permanent (“back door” approval)

SLIDE 9

Evaluation: a product-oriented process

  • Process established by data owner(s)
    – Pioneered by NSA: Owner/producer of classified information
    – Evaluated systems to serve as surrogates to enforce NSA policy
  • Expects vendors to seek product evaluation
    – Historically, this is the exception, not the rule
  • Evaluation is supposed to “authorize” use
    – Traditionally, MLS systems had to achieve a certain level of evaluation and incorporate certain features: “B1” or “EAL4”
    – In practice, the DAA is the final authority
  • In practice, evaluation becomes one more factor
    – Some MLS systems use evaluated products
    – Some MLS systems rely on other assurances

SLIDE 10

SABI/TSABI

  • (T)SABI = (Top) Secret And Below Interoperability
  • Process established by end users
    – Pioneered by the ASD/C3I and the JCS
    – Representing warfighters, not data producers
  • Focus on guards connecting MILS networks
    – Particularly DISA and NSA networks
  • End user initiates the process
    – posts a “ticket” defining what they need to do
    – SABI/TSABI provides templates for common guard configs
    – New solutions may serve as templates for future users

SLIDE 11

Program Risk

  • No process guarantees accreditation
  • Evaluations, SABI, TSABI, etc., try to reduce risk
    – Provides evidence of correctness to help convince accreditors
    – Policy or prior accreditations used to support arguments
  • Assurance vs Cost Trade-off
    – Evaluations, SABI, TSABI processes increase assurance
    – High assurance increases product costs
    – Cheaper, COTS products provide lower assurance

SLIDE 12

Building MLS Systems

  • Establish the networking infrastructure
    – Option: physical separation
    – Option: system-high LANs with separation
    – Option: MLS LANs with Type 1 encryption
  • Establish low-to-high flows
    – One-way optical transmission
    – MLS middleware with read-down capabilities
  • Establish high-to-low flows - downgraders
    – Manual review on COTS platforms
    – Manual review on a trusted platform
    – Automatic review/sanitization by a trusted guard

SLIDE 13

Network Infrastructure

  • Wiring has its own problems
    – Physical protection, separation, auditing, assurance
  • System-high LANs
    – Provide separation, not confidentiality
    – Examples: Dragonfly, Cryptek’s DiamondTEK
    – Issue: must physically protect confidentiality of LAN
  • Network encryption minimizes wiring
    – Confidentiality using Type 1 encryption
    – Examples: GD Fastlane/Taclane
    – Share internal LAN wiring to minimize extra wires
    – Issue: infrastructure costs of Type 1 encryption

SLIDE 14

Low-High Data Flow

  • Option: Use one-way flow hardware
    – Examples: Tenix, Owl
    – Ensures one-way data transfer, no backward leakage
  • Option: use guards for low-high flow
    – Downgraders can also move data low-to-high
    – (see later discussion)
  • Option: Use middleware…

SLIDE 15

Middleware for Low-High Sharing

  • Use approved middleware to store shared data
    – Option: multilevel web server
      • Example: TSL Trusted Web Server, TCS MLS Web Server
    – Option: multilevel database
      • Example: Trusted Oracle, Rubix
    – Option: multilevel file sharing
      • Example: TCS Trusted Gateway System
  • Gap: these are moderate assurance solutions
    – Cannot share data across a broad classification range
    – Often restricted to two adjacent classification levels
    – Broader ranges require additional network security mechanisms

SLIDE 16

High-to-Low Reclassification

  • Manual review for downgrading
    – People examine and sanitize interactively
    – Option: On-the-spot reviewing on user desktop workstations
    – Option: Trusted review terminal for a disclosure officer or clerk
  • Automatic review for downgrading
    – Mechanized rules for passing data safely
    – Issue: not all reviews can be automated effectively
  • Guards filter/sanitize the actual transfers
    – Existing guard products: Radiant Mercury, Digitalnet SAGE, ISSE
    – Gap: some applications need custom guard filtering
      • Option: build atop existing guard
      • Option: create new guard software if existing guards inadequate
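An added Python example of the "mechanized rules for passing data safely" on this slide; it is not code from any of the guard products named here. A small release guard keeps the portion-marked paragraphs the destination is cleared to hold, strips the rest, re-banners the output, and refers unmarked or suspicious text back to a human, which is the slide's point that not every review can be automated. The portion-marking syntax, the watch terms and the sample message are constructed for illustration.

```python
"""Rule-based guard for high-to-low release.

Added example, not one of the guard products named on the slides.  A message
arrives as paragraphs carrying portion markings ((U), (S) or (TS)); the guard
keeps the paragraphs the destination may hold, strips the rest, re-banners the
result, and refuses anything it cannot decide mechanically so the transfer
falls back to the manual review the slides describe.  Markings, watch terms
and the sample message are constructed for illustration.
"""
import re
from typing import NamedTuple

LEVELS = {"U": 0, "S": 1, "TS": 2}
PORTION_RE = re.compile(r"^\((U|S|TS)\)\s*(.+)$", re.S)
# Constructed code words: their presence in releasable text forces manual review.
WATCH_TERMS = ("CODEWORD-ALPHA", "PROJECT ZEPHYR")


class Verdict(NamedTuple):
    released: bool
    reason: str
    text: str          # sanitized message when released, else ""


def review_for_release(message: str, dest_level: str) -> Verdict:
    """Apply the mechanized release rules for a destination at `dest_level`."""
    kept = []  # (marking, body) pairs the destination is cleared to receive
    for para in (p.strip() for p in message.split("\n\n")):
        if not para:
            continue
        m = PORTION_RE.match(para)
        if m is None:
            # Rule 1: an unmarked paragraph cannot be classified mechanically.
            return Verdict(False, "unmarked paragraph: refer to manual review", "")
        marking, body = m.group(1), m.group(2).strip()
        if LEVELS[marking] > LEVELS[dest_level]:
            continue  # Rule 2: strip paragraphs marked above the destination level
        if any(term.lower() in body.lower() for term in WATCH_TERMS):
            # Rule 3: a watch term in otherwise releasable text is a red flag.
            return Verdict(False, "watch term in releasable paragraph: refer to manual review", "")
        kept.append((marking, body))
    if not kept:
        return Verdict(False, "nothing releasable at destination level", "")
    # Rule 4: the banner is the highest marking that survived sanitization.
    top = max((mk for mk, _ in kept), key=lambda mk: LEVELS[mk])
    banner = f"CLASSIFICATION: {top}"
    paragraphs = [f"({mk}) {body}" for mk, body in kept]
    return Verdict(True, "released", "\n\n".join([banner, *paragraphs, banner]))


# Constructed sample message with mixed portion markings.
SAMPLE = (
    "(U) Weather over the operating area is clear through 0600Z.\n\n"
    "(S) Source reports vehicle movement near grid 1234.\n\n"
    "(TS) Collection pass scheduled for 0400Z."
)

if __name__ == "__main__":
    for dest in ("TS", "S", "U"):
        v = review_for_release(SAMPLE, dest)
        print(f"--- to {dest}: {v.reason}\n{v.text}\n")
```

The guard fails closed: any paragraph it cannot mark, and any releasable paragraph containing a watch term, stops the whole transfer rather than letting the remainder through, because the automated rules only know what they were told to look for. That is the gap the slide flags, and why a guard of this kind sits beside a trusted review terminal rather than replacing it.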

SLIDE 17

High-to-Low Downgrading

  • Option: Use OS to host a custom guard
    – Examples: XTS-400, Aesec, Sun Trusted Solaris, SGI Trusted Irix, Green Hill Integrity 178B, Lynuxworks LynxDO178B.
  • Option: Use existing guards to filter/sanitize traffic
    – Examples: SAGE, Radiant Mercury, ISSE Guard
  • The Gaps
    – Must implement multilevel applications and earn accreditation
    – Need customer approval on strategy and classification filtering

SLIDE 18

Trusted Systems: Build vs Buy

  • Trusted software is very costly to develop
    – Developers placed under intense scrutiny
    – Detailed documentation of software architecture, design
    – BUT – third parties charge a fortune to do this work for you
  • May be feasible to build small-scale products
    – Small, simple software components
    – Must reside atop a trustworthy OS
  • Traditional Trusted OS Options
    – OS with Strong Labeling
      • Examples today: Digitalnet XTS-400, Aesec Platform
    – OS with “Sufficient” Labeling
      • Examples Today: Sun Trusted Solaris, SGI Trusted Irix

SLIDE 19

How do we use a Trusted OS?

  • OS ensures process separation
  • Certifiers look at processes independently
  • Assured separation = easier certification

Process separation is the key to certification

[Figure: Trusted OS hosting three separated processes: Low Side Process, High Side Process, Regrader Process]

SLIDE 20

Emerging OS Options: Open Source

  • Offer MLS and other schemes to ensure security
    – Provides the expected MLS mechanism for process separation
    – Option to use Biba or other separation mechanisms
    – Process separation is the key, not just MLS
  • Example Products
    – NSA’s Security Enhanced Linux (SELinux)
      • Rumor – actually been used in operational systems
    – FreeBSD with security extensions like MLS: “Trusted BSD”
  • Gap: Open source lacks vendor control
    – Existing documents don’t necessarily match the code
    – No assurance regarding authorship of the code

SLIDE 21

Emerging OS Options: Safety Certified OS

  • OSes that earned highest safety certification for flight software: RTCA/DO-178B Level A.
    – RTCA: formerly “Radio Technical Commission for Aeronautics”
  • Provides high assurance of process separation
    – In flight safety, ensures that a software glitch in one process won’t interfere with a different, critical software process
    – Simplifies assurance by allowing software partitioning
  • Example Products
    – Green Hills DO-178B product
    – LynuxWorks – LynxOS-178 provides DO-178 assurance documents
  • Gap: DO178-B doesn’t cover all security bases
    – DO178 Level A exceeds many security requirements, but
    – DO178 lacks assurances against malicious software, developers
    – Green Hills working on Common Criteria security evaluation with LM

SLIDE 22

What About Microsoft Windows?

  • Microsoft quietly speaking of MLS support
  • Current direction based on NSA’s NetTop work
    – Use PC-based virtual machines for level separation
      • Each “Level” has its own Windows OS
    – Separation kernel approach instead of true MLS
      • Data sharing via external mechanisms
    – Product: VMWare
  • Issue: this is exploratory work
    – Microsoft has backed away from MLS support before
    – VMWare itself lacks the assurance needed for accreditation

SLIDE 23

Thank You!

Questions? Comments?
My e-mail: rick@cryptosmith.com
http://www.cryptosmith.com