The Pump: 10 Years of Covertness
Myong H. Kang, Ira S. Moskowitz, Stanley Chincheck
Center for High Assurance Computer Systems, US Naval Research Laboratory, Code 5540, Washington, DC
mkang@itd.nrl.navy.mil
A Brief History
• Started in 1993 addressing data replication from Low database to High database
  – M. H. Kang and I. S. Moskowitz, “A Pump for rapid, reliable, secure communication,” Proceedings of the First ACM Conference on Computer and Communications Security, 1993
• Wanted to replace XTS-200
• Network Pump algorithm was developed in 1995
• Hardware version of the Pump
  – Completed January 2004 by NRL 5540
  – Navy Type accredited as a critical security component of a cross-domain solution
  – Installed in various DoD facilities; about 60 in use
  – 17.5"W x 1.75"H x 10.5"D, 19” rack mount
  – Ethernet 100BaseT interface
  – $3K for DoD customers
• Many papers later
• US Patent filed, Navy Case #84,150, 25 July 2003
  – Applied for international rights
  – Trademarked “Network Pump™” name
Design Requirements
• Assurance
  – Simple and easy to understand to facilitate accreditation
  – Protocol neutral
• Reliability
  – No loss of messages
  – No duplication of messages
• Performance
  – No reduction of data transfer rate due to security reasons
Design Requirements (cont’d)
• Covert channel
  – Reduce covert channel capacity as much as possible without compromising performance
• Fairness
  – Fair rates among many senders and many receivers
• Denial of service attack
  – Resist denial of service attacks
Basic Pump
[Figure: Basic Pump. Low systems (Low application, Low wrapper) on the Low LAN send Data to the Pump, which holds it in a non-volatile buffer and forwards it to the High wrappers and High applications on the High LAN. High returns an ACK to the Pump; the Pump returns a stochastic ACK to Low.]
Basic Pump (cont’d)
• The Pump’s confidentiality properties depend solely on the Pump itself, not on the wrappers - Assurance
  – Separates MLS functions from other functions
  – Wrappers make the Pump a generic device that is independent of a specific application
• Provide ACKs to a sender - Reliability
• Provide non-volatile buffer - Reliability
• Decoupled Low ACKs from High ACKs - Covert Channel
  – Low ACKs are stochastic ACKs based upon a moving average of the past m High ACK times - Performance
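As an added illustration (not NRL's code and not the Pump's actual implementation), the following Python sketch models the ACK decoupling described above: the Pump acknowledges Low after a random delay whose mean is the moving average of the last m High ACK times, and it withholds the ACK while its buffer is full so that no message is lost. The exponential delay distribution, the window size m, the buffer size and the simulated High response times are assumptions of this example.

```python
import random
from collections import deque

class PumpAckTimer:
    """Low-side ACK scheduler of the basic Pump (illustration, not NRL's code).
    The Low ACK is decoupled from the High ACK: its delay is a random draw whose
    mean is the moving average of the last m High ACK (response) times.  The
    exponential distribution is an assumption of this example."""

    def __init__(self, m, initial_mean=1.0, seed=0):
        self.high_times = deque(maxlen=m)  # sliding window of past High ACK times
        self.initial_mean = initial_mean    # used until the first High ACK arrives
        self.rng = random.Random(seed)

    def record_high_ack(self, response_time):
        self.high_times.append(response_time)

    def moving_average(self):
        if not self.high_times:
            return self.initial_mean
        return sum(self.high_times) / len(self.high_times)

    def low_ack_delay(self):
        # Mean of the draw tracks High's pace; the draw itself hides individual times.
        return self.rng.expovariate(1.0 / self.moving_average())

def simulate(high_response_times, m, buffer_size, seed=0):
    """Discrete-event sketch of one Low sender behind a Pump with a bounded buffer.
    Low sends its next message only after the Pump's ACK; High serves messages in
    order.  Returns (per-message Low ACK delays, peak buffer occupancy)."""
    timer = PumpAckTimer(m, seed=seed)
    queue = deque()    # buffered messages, stored as their High ACK completion times
    t_low = 0.0        # time at which Low sends its next message
    high_free = 0.0    # time at which High finishes its current message
    delays, peak = [], 0
    for resp in high_response_times:
        while queue and queue[0] <= t_low:   # drop messages High already ACKed
            queue.popleft()
        high_done = max(high_free, t_low) + resp
        high_free = high_done
        queue.append(high_done)
        peak = max(peak, len(queue))
        ack_at = t_low + timer.low_ack_delay()
        if len(queue) >= buffer_size:        # buffer full: no ACK until space frees,
            ack_at = max(ack_at, queue[0])   # so no message is ever dropped
        timer.record_high_ack(resp)          # High's ACK time feeds the moving average
        delays.append(ack_at - t_low)
        t_low = ack_at
    return delays, peak
```

Running `simulate([0.5] * 50 + [2.0] * 50, m=5, buffer_size=4)` shows the Low-side ACK rate following High's rate change after a window of m messages, with the buffer never exceeding four messages.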
Network Pump™
[Figure: Network Pump. Low senders L1 … LI connect over links 1 … I to Receivers 1 … I. A Trusted Low Process performs ROUTING from the receivers to shared Output buffers 1 … J, each served by a trusted high process (THP 1 … J) toward High receivers H1 … HJ; schedulers sit on both the receiving and the output side.]
Network Pump™ (cont’d)
• Share output buffers among different sessions - Efficiency
• Acting as a router between receiving buffers and output buffers
  – Round robin scheme - Fairness and denial of service attack
  – Fair size: keep the queue length at a certain level - Covert channel and denial of service attack
Hardware Pump
[Figure: Hardware Pump block diagram. High side: High LAN, High Ethernet Interface, High Microprocessor, High RAM, High EEPROM, Administrator Serial Interface. Middle: Security Monitor, Dual Port RAM (Bypass Channel), Power & Reset Control with Fault, Reset and Power_Fail signals and supplies VCC_5, VCC_12, VCC_3.3, VCC_RAM. Low side: Low LAN, Low Ethernet Interface, Low Microprocessor, Low RAM, Low EEPROM, Battery.]
Hardware Pump (cont’d)
• Provides an interface to an administrator workstation - Configuration and receiving error and performance reports
  – Specify Low and High IP addresses and port numbers for opening connections
• Equipped with a built-in backup battery - Reliability
  – Power failure: All messages in the volatile RAM will be saved into non-volatile flash memory
  – Pump start up: All undelivered messages will be restored to the RAM and redelivery to the High IP addresses will commence
Related Ideas
• J. McDermott, “The B2/C3 problem: How Big Buffers Overcome Covert Channel Cynicism in Trusted Database Systems,” in J. Biskup, M. Morgenstern, and C. E. Landwehr, eds., Database Security VIII: Status and Prospects, IFIP Transactions A-60, Elsevier Science B.V., Amsterdam, 1994.
• R. Mraz, “Secure Directory File Transfer System,” Proc. 12th Annual Canadian Information Technology Security Symposium, 2000.
• N. Ogurtsov, H. Orman, R. Schroeppel, S. O'Malley, and O. Spatscheck, “Experimental results of covert channel limitation in one-way communication systems,” Network and Distributed System Security, 1997.
• “Owl Computing Data Diode,” Common Criteria Security Target (EAL2), http://niap.nist.gov/cc-scheme/st/ST_VID4000-ST.pdf
• US Patent 5,703,562, Method for Transferring Data from an Unsecured Computer to a Secured Computer, C. A. Nilsen, Dec 30, 1997.
• M. Bobbitt, “(Un)bridging the Gap,” Information Security, July 2000.
Pump Relevant (non NRL)
• V. Anantharam and S. Verdú, “Bits through queues,” IEEE Transactions on Information Theory, vol. 42, no. 1, Jan. 1996.
• V. Anantharam and S. Verdú, “Reflections on the 1998 Information Theory Society Paper Award: Bits through Queues,” IEEE Information Theory Society Newsletter, vol. 49, no. 4, Dec. 1999.
• J. S. Holmgren and R. P. Rich, Metric Methodology for the Creation of Environments and Processes to Certif Component: The NRL Pump, Naval Postgraduate School, Monterey, CA, March 2003.
• A. Aldini and M. Bernardo, “An Integrated View of Security Analysis and Performance Evaluation: Trading QoS with Covert Channel Bandwidth,” to appear: SAFECOMP 2004.
• A. Aldini and M. Bernardo, Measuring the Covert Channel Bandwidth in the NRL Pump, technical report, 2004, http://mefisto.web.cs.unibo.it/PubblSedeC0.html
• R. Lanotte, A. Maggiolo-Schettini, S. Tini, A. Troina, and E. Tronci, Automatic Analysis of the NRL Pump, preprint, 2004, www.di.unipi.it/~troina/mefisto/drafts/NRLdraft.pdf
Pump Relevant (NRL)
• M. H. Kang and I. S. Moskowitz, “A Pump for rapid, reliable, secure communication,” Proceedings of the First ACM Conference on Computer and Communications Security, 1993.
• I. S. Moskowitz and M. H. Kang, “Discussion of a statistical channel,” Proceedings of IEEE-IMS Workshop on Information Theory and Statistics, Alexandria, VA, 1994.
• I. S. Moskowitz and M. H. Kang, “The Modulated-Input Modulated-Output Model,” Proc. IFIP WG11.3 Workshop on Database Security, NY, August 1995.
• J. Froscher, D. M. Goldschlag, M. H. Kang, C. Landwehr, A. P. Moore, I. S. Moskowitz, and C. Payne, “Improving Inter-Enclave Information Flow for a Secure Strike Planning Application,” Proceedings of the 11th Annual Computer Security Applications Conference, pp. 89–98, 1995.
• M. H. Kang and I. S. Moskowitz, “A data Pump for communication,” NRL Memorandum Report 5540-95-7771, 1995.
• M. H. Kang, I. S. Moskowitz, and D. C. Lee, “A Network Version of the Pump,” Proc. 1995 IEEE Computer Society Symposium on Research in Security and Privacy, May 1995.
• M. H. Kang, J. Froscher, and I. S. Moskowitz, “A Framework for MLS Interoperability,” Proc. HASE’96, Niagara-on-the-Lake, Canada, October 1996.
Pump Relevant (NRL) (cont’d)
• M. H. Kang, I. S. Moskowitz, B. E. Montrose, and J. J. Parsonese, “A Case Study of Two NRL Pump Prototypes,” 12th Annual Computer Security Applications Conference, 1996.
• M. H. Kang, I. S. Moskowitz, and D. C. Lee, “A Network Pump,” IEEE Transactions on Software Engineering, vol. 22, no. 5, 1996.
• M. H. Kang, A. P. Moore, and I. S. Moskowitz, “Design and Assurance Strategy for the NRL Pump,” 2nd IEEE High-Assurance System Engineering Workshop (1997); IEEE Computer Magazine, vol. 31, no. 4, 1998.
• US Patent application 10/627,102, Navy Case #84,150, July 25, 2003.
Lessons Learned
• Bridge funding: Transitioning the product from research and development to a certified real-world product
• Patient and flexible customers: Customers whose patience and understanding afford some latitude in getting the product established
• Perseverance: The quality that the researchers and developers had to exhibit to make this product a reality