the mils component integration approach to secure
play

The MILS Component Integration Approach To Secure Information - PowerPoint PPT Presentation

Mar 23, 2024 •141 likes •414 views

The MILS Component Integration Approach To Secure Information Sharing Carolyn Boettcher, Raytheon, El Segundo CA Rance DeLong, LynuxWorks, San Jose CA John Rushby, SRI International, Menlo Park CA Wilmar Sifre, AFRL/RITB, Rome NY Boettcher,

  1. The MILS Component Integration Approach To Secure Information Sharing Carolyn Boettcher, Raytheon, El Segundo CA Rance DeLong, LynuxWorks, San Jose CA John Rushby, SRI International, Menlo Park CA Wilmar Sifre, AFRL/RITB, Rome NY Boettcher, DeLong, Rushby, Sifre Component Security Integration: 1

  2. MILS • Is a security architecture adopted for ◦ F22, F35, FCS, JTRS, DDG-1000, CDS among others • We are talking about security as a critical property • So need to provide strong assurance that it is achieved • We build systems from components • And we’d like critical properties and assurance to compose component-wise as well • That’s the topic of this talk • I also want to persuade you the approach might work for safety (i.e., IMA) as well as security • And for enterprise (e.g., ground) and commercial systems, as well as embedded Boettcher, DeLong, Rushby, Sifre Component Security Integration: 2

  3. The MILS Idea Traditionally presented as three layers • Separation kernel, middleware, applications Physical Display, Keyboard & Mouse S TS S, TS Trusted Path (SL) (SL) (MLS) RT CORBA/ RT CORBA/ Minimal File Web IPv6 PCS DDS/WEB DDS/WEB Middleware Console E-Mail Sys. Browser Manager Driver Full OS / Full OS / Minimum Run-Time Run-Time Run-Time (MLS) (MLS) (MLS) (MLS) (MLS) Library Libraries Libraries Separation Kernel Automatic Processor Reload/Restart from Secure File System Somewhat similar to IMA Boettcher, DeLong, Rushby, Sifre Component Security Integration: 3

  4. The MILS Idea (ctd) • Problem is, that doesn’t compose ◦ i.e., it’s not clear how you get a certified MILS system out of certified MILS components and subsystems ◦ Without opening everything up ◦ IMA has a similar problem • I’ll present a MILS Component Security Integration approach based on two levels • That is compositional Boettcher, DeLong, Rushby, Sifre Component Security Integration: 4

  5. Component Security Integration • We build systems from components • And we’d like security properties and assurance/certification to compose ◦ That is, assurance for the whole is built on assurance for the components • Seldom happens: assurance dives into everything • The system security assurance argument may not decompose on architectural lines (Ibrahim Habli & Tim Kelly) ◦ So what is architecture? ◦ A good one simplifies the assurance case Boettcher, DeLong, Rushby, Sifre Component Security Integration: 5

  6. The MILS Idea (Two-Level Version) • Construct an architecture so that security assurance does decompose along structural lines • Two issues in security: ◦ Enforce the security policy ◦ Manage shared resources securely • The MILS idea is to handle these separately • Focus the system architecture on simplifying the argument that policy is enforced correctly ◦ Hence policy architecture • The policy architecture becomes the interface between the two issues Boettcher, DeLong, Rushby, Sifre Component Security Integration: 6

  7. Policy Architecture • Intuitively, a boxes and arrows diagram ◦ There is a formal model for this • Boxes encapsulate data, information, control ◦ Access only local state, incoming communications ◦ i.e., they are state machines • Arrows are channels for information flow ◦ Strictly unidirectional ◦ Absence of arrows is often crucial • Some boxes are trusted to enforce local security policies • Want the trusted boxes to be as simple as possible • Decompose the policy architecture to achieve this • Assume boxes and arrows are free Boettcher, DeLong, Rushby, Sifre Component Security Integration: 7

  8. Crypto Controller Example: Step 1 Policy: no plaintext on black network header bypass header data header encrypted data red black side side encryption network utilities stacks compiler runtime operating system No architecture, everything trusted Boettcher, DeLong, Rushby, Sifre Component Security Integration: 8

  9. Crypto Controller Example: Step 2 Good policy architecture: fewer things trusted bypass minimal runtime red black operating system operating system crypto hardware Local policies (notice these are intransitive): Header bypass: low bandwidth, data looks like headers Crypto: all output encrypted Boettcher, DeLong, Rushby, Sifre Component Security Integration: 9

  10. Policy Architecture: Compositional Assurance • Construct assurance for each trusted component individually ◦ i.e., each component enforces its local policy • Then provide an argument that the local policies ◦ In the context of the policy architecture Combine to achieve the overall system policy • Medium robustness: this is done informally • High robustness: this is done formally ◦ Compositional verification Boettcher, DeLong, Rushby, Sifre Component Security Integration: 10

  11. Compositional Verification for Policy Integration • Need to specify what it means for a component to satisfy a policy under assumptions about its environment • Then show how these compose (policy of one component becomes the assumptions of anther) • Fairly standard Computer Science • MILS is agnostic on the exact approach used ◦ Policies/assumptions as properties ◦ Or as abstract components Boettcher, DeLong, Rushby, Sifre Component Security Integration: 11

  12. Resource Sharing • Next, we need to implement the logical components and the communications of the policy architecture in an affordable manner • Allow different components and communications to share resources • Need to be sure the sharing does not violate the policy architecture ◦ Flaws might add new communications paths ◦ Might blur the separation between components Boettcher, DeLong, Rushby, Sifre Component Security Integration: 12

  13. Poorly Controlled Resource Sharing red bypass black crypto Naive sharing could allow direct red to black information flow, or could blur the integrity of the components Boettcher, DeLong, Rushby, Sifre Component Security Integration: 13

  14. Unintended Communications Paths bypass minimal runtime red black operating system operating system crypto hardware Boettcher, DeLong, Rushby, Sifre Component Security Integration: 14

  15. Blurred Separation Between Components bypass minimal runtime red black operating system operating system crypto hardware Boettcher, DeLong, Rushby, Sifre Component Security Integration: 15

  16. Secure Resource Sharing • For broadly useful classes of resources ◦ e.g., file systems, networks, consoles, processors • Provide implementations that can be shared securely • Start by defining what it means to partition specific kinds of resource into separate logical components • Definition in the form of a protection profile (PP) ◦ e.g., separation kernel protection profile (SKPP) ◦ or network subsystem PP, filesystem PP, etc. • Then build and evaluate to the appropriate PP Boettcher, DeLong, Rushby, Sifre Component Security Integration: 16

  17. Crypto Controller Example: Step 3 Separation kernel securely partitions the processor resource red bypass black device driver for crypto runtime or runtime or operating system operating system minimal runtime separation kernel crypto h/w The integrity of the policy architecture is preserved Boettcher, DeLong, Rushby, Sifre Component Security Integration: 17

  18. A Generic MILS System separation kernel TSE partitioning filesystem Care and skill needed to determine which logical components share physical resources (performance, faults) Boettcher, DeLong, Rushby, Sifre Component Security Integration: 18

  19. Resource Sharing: Compositional Assurance • Construct assurance for each resource sharing component individually ◦ i.e., each component enforces separation • Then provide an argument that the individual components ◦ Are additively compositional ◦ e.g., partitioning(kernel) + partitioning(network) provides partitioning(kernel + network) And therefore combine to create the policy architecture • Medium robustness: this is done informally • High robustness: this is done formally ◦ Compositional verification • There is an asymmetry: partitioning network stacks and file systems and so on run as clients of the partitioning kernel ◦ Hence, a link to the three-layer view Boettcher, DeLong, Rushby, Sifre Component Security Integration: 19

  20. Compositional Verification: Resource Sharing Integration • We have a formal policy architecture model • Fairly standard Computer Science ◦ Components are state machines ◦ Communications channels are shared variables ◦ Asynchronous composition • Definition of well-formed policy architecture • And of implementation respecting and enforcing a policy architecture • Argument that these are additively compositional Boettcher, DeLong, Rushby, Sifre Component Security Integration: 20

  21. MILS Business Model • DoD moves things forward by supporting development of protection profiles ◦ Separation kernels, partitioning communications systems, TCP/IP network stacks, file systems, consoles, publish-subscribe • Then vendors create a COTS marketplace of compliant components • Currently they are all resource sharing components • Should be some policy components, too ◦ E.g., filters, downgraders for CDS ⋆ Could be a standardized CDS engine, many rule sets ⋆ Rule sets derived from goals, not hand coded ⋆ e.g., Ontologically-driven purpose and anti-purpose ◦ Or even MLS Boettcher, DeLong, Rushby, Sifre Component Security Integration: 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MILS Integration Protection Profile John Rushby, Rance DeLong a Computer Science Laboratory SRI

MILS Integration Protection Profile John Rushby, Rance DeLong a Computer Science Laboratory SRI

MILS Integration Protection Profile John Rushby, Rance DeLong a Computer Science Laboratory SRI International Menlo Park CA USA a Primary affiliation: LynuxWorks John Rushby, Rance DeLong, SR I MILS Integration PP: 1 Need for an Integration

533 views • 25 slides
An approach to Separation of Duties validation for MILS security configurations Semen Kort,

An approach to Separation of Duties validation for MILS security configurations Semen Kort,

An approach to Separation of Duties validation for MILS security configurations Semen Kort, Dmitry Kulagin, Ekaterina Rudina Future Technologies Kaspersky Lab The objectives Discover the Describe how the Describe the

445 views • 28 slides
MILS C Compl plete S ete Separa rati tion P n Platf tform orm P Protec ecti tion n

MILS C Compl plete S ete Separa rati tion P n Platf tform orm P Protec ecti tion n

MILS C Compl plete S ete Separa rati tion P n Platf tform orm P Protec ecti tion n Profi file le MILS CSP PP Viola Saftig, Dr. Igor Furgel Telekom Security - T-SYSTEMS INTERNATIONAL GmbH Content/Agenda 01 Motivation 02 MILS CSP

751 views • 23 slides
BRUNSWICK MILS Urban Design Presentation Introduction Structure of this presentation:

BRUNSWICK MILS Urban Design Presentation Introduction Structure of this presentation:

BRUNSWICK MILS Urban Design Presentation Introduction Structure of this presentation: Section 1: The overarching approach/methodology for the urban design analysis Section 2: The specific urban design rationales for the MILS precincts

481 views • 24 slides
CHAPTER 12: APPLICATION AND COMPONENT INTEGRATION 11:35 2 Application integration What if

CHAPTER 12: APPLICATION AND COMPONENT INTEGRATION 11:35 2 Application integration What if

1 Architecture and Modelling of Information Systems (D0I71A) Prof. dr. Monique Snoeck CHAPTER 12: APPLICATION AND COMPONENT INTEGRATION 11:35 2 Application integration What if you already have software ? Software manages its own

346 views • 17 slides
Compositional Security Evaluation: The MILS approach John Rushby and Rance DeLong Computer

Compositional Security Evaluation: The MILS approach John Rushby and Rance DeLong Computer

Compositional Security Evaluation: The MILS approach John Rushby and Rance DeLong Computer Science Laboratory SRI International Menlo Park CA USA Primary affiliation: LynuxWorks John Rushby, Rance DeLong, SR I Compositional Security

466 views • 25 slides
Component-based approach Discovery exercise conducted last year on overall approach to social

Component-based approach Discovery exercise conducted last year on overall approach to social

SS Programme Board 5 - 24/10/2017: Agenda item 5 Paper 5.5 Component-based approach Discovery exercise conducted last year on overall approach to social security This underpins the approach to estimating costs set out in the financial

480 views • 8 slides
Component-based Robotics Middleware Software Development and Integration in Robotics (SDIR V)

Component-based Robotics Middleware Software Development and Integration in Robotics (SDIR V)

Motivation Use Case Component-based Robotics Middleware Conclusion and Discussion Component-based Robotics Middleware Software Development and Integration in Robotics (SDIR V) Tutorial on Component-based Robotics Engineering 2010 IEEE

597 views • 37 slides
Compositional Certification for MILS John Rushby Computer Science Laboratory SRI International

Compositional Certification for MILS John Rushby Computer Science Laboratory SRI International

Compositional Certification for MILS John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Compositional Cert for MILS: 1 Intuitive Security Architecture Almost all system designs are portrayed in

548 views • 28 slides
MILS Research Montage MILS Research Montage LAW LAW Work-In-Progress Session Work-In-Progress

MILS Research Montage MILS Research Montage LAW LAW Work-In-Progress Session Work-In-Progress

MILS Research Montage MILS Research Montage LAW LAW Work-In-Progress Session Work-In-Progress Session December 6, 2011 December 6, 2011 Rance DeLong Rance DeLong Consulting Researcher Consulting Researcher 1 MILS Efforts Overview

772 views • 26 slides
AM 205: lecture 10 Last time: Principal Component Analysis Today: Numerical integration and

AM 205: lecture 10 Last time: Principal Component Analysis Today: Numerical integration and

AM 205: lecture 10 Last time: Principal Component Analysis Today: Numerical integration and differentiation Error Estimates: Another Perspective Theorem: If Q n integrates polynomials of degree n exactly, then C n > 0 such that | E n

469 views • 33 slides
Problem solved: SAP Integration 2 SAP Integration SAPs ability to standardize a range of

Problem solved: SAP Integration 2 SAP Integration SAPs ability to standardize a range of

Problem solved: SAP Integration 2 SAP Integration SAPs ability to standardize a range of Build applications shared business functions has made it a that seamlessly critical component of many enterprises back offjce operations

500 views • 10 slides
Component Based Software Engineering approach on DSP Targets Agenda 2 / 2 / Motivations

Component Based Software Engineering approach on DSP Targets Agenda 2 / 2 / Motivations

Component Based Software Engineering approach on DSP Targets Agenda 2 / 2 / Motivations Context LwCCM/MyCCM GPP - DSP unified approach (EULER) Framework optimizations for DSP Benchmarks Perspectives Conclusion 2011/05/20 Motivations

783 views • 25 slides
Fortify Integration & User Experience Fortify Partner Integration Integration with both

Fortify Integration & User Experience Fortify Partner Integration Integration with both

Fortify Integration & User Experience Fortify Partner Integration Integration with both Fortify on Demand and Software Security Center (v18.2). Get Training provides Fortify User with real-time interactive training in Secure

527 views • 31 slides
Correlated Component Regression: A Fast Parsimonious Approach for Predicting Outcome Variables

Correlated Component Regression: A Fast Parsimonious Approach for Predicting Outcome Variables

Correlated Component Regression: A Fast Parsimonious Approach for Predicting Outcome Variables from a Large Number of Predictors Jay M agidson, Ph.D. Statistical Innovations 1 COM PTSTAT 2010, Paris, France Correlated Component Regression

408 views • 21 slides
An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS

An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS

An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS Rance DeLong* Rance DeLong* The Open Group The Open Group Layered Assurance Workshop Layered Assurance Workshop December 2010 December 2010 1

355 views • 11 slides
A Multi-Level Meta-Object Protocol for Fault- Tolerance in Complex Architectures Franois Taani

A Multi-Level Meta-Object Protocol for Fault- Tolerance in Complex Architectures Franois Taani

A Multi-Level Meta-Object Protocol for Fault- Tolerance in Complex Architectures Franois Taani ( * ) , Jean-Charles Fabre, Marc-Olivier Killijian LAAS-CNRS ( ( * ): Now at Lancaster University) DSN'2005, The International Conference on

741 views • 34 slides
OMEdit - OpenModelica Connection Editor Adeel Asghar Motivation Modelica models were created

OMEdit - OpenModelica Connection Editor Adeel Asghar Motivation Modelica models were created

OMEdit - OpenModelica Connection Editor Adeel Asghar Motivation Modelica models were created using; Textual editors SimForge New Graphical User Interface was needed, To overcome the deficiencies of SimForge OMEdit

666 views • 24 slides
Toward a Standardized Toward a Standardized Architecture for CAx Architecture for CAx Model

Toward a Standardized Toward a Standardized Architecture for CAx Architecture for CAx Model

Toward a Standardized Toward a Standardized Architecture for CAx Architecture for CAx Model Integration and Model Integration and Synthesis Synthesis Stephen C. Waterbury NASA/Goddard Space Flight Center Presentation for the PDT Europe

388 views • 9 slides
Asynchronous RPC Abstraction Motivation Strong coupling induces strong dependencies in

Asynchronous RPC Abstraction Motivation Strong coupling induces strong dependencies in

Asynchronous RPC Abstraction Motivation Strong coupling induces strong dependencies in distributed application Latency of remote invocations different than local ones Remove flow coupling (Subtypes of) proxy abstraction

1.23k views • 97 slides
Acknowledgements Acknowl edgements Software M So ftware Mode odel Check Checking Us ng

Acknowledgements Acknowl edgements Software M So ftware Mode odel Check Checking Us ng

Acknowledgements Acknowl edgements Software M So ftware Mode odel Check Checking Us ng Using Bogor ng Bogor a Mod Modular an r and E Extensible Model Model Che Checking ng F Frame amework Work on Cadena has been carried out

421 views • 21 slides
Web Architecture Principles and constraints that characterize Web-based information systems URI:

Web Architecture Principles and constraints that characterize Web-based information systems URI:

Web Architecture Principles and constraints that characterize Web-based information systems URI: Uniform Resource Identifier HTTP: HyperText Transfer Protocol Metadata must be recognized and respected Enables making resources comprehensible

358 views • 5 slides
Tweak Your Modules! Java Platform Module System Stephan Herrmann Simply Retail. J JDT embraces

Tweak Your Modules! Java Platform Module System Stephan Herrmann Simply Retail. J JDT embraces

J D T Tweak Your Modules! Java Platform Module System Stephan Herrmann Simply Retail. J JDT embraces Java 9 / Part II D T We've all migrated to Java 11 From here adopting new Java versions is a breeze Compatibility for all!

664 views • 17 slides
Chapter 15: Distributed Communication Sockets Remote Procedure Calls (RPCs) Remote

Chapter 15: Distributed Communication Sockets Remote Procedure Calls (RPCs) Remote

Chapter 15: Distributed Communication Sockets Remote Procedure Calls (RPCs) Remote Method Invocation (RMI) CORBA Object Registration Silberschatz, Galvin, and Gagne 1999 Applied Operating System Concepts Sockets

461 views • 21 slides

More recommend