MILS Architecture: An Infrastructure for Building CDS / MLS Systems



1
MILS Architecture: An Infrastructure for Building CDS / MLS Systems
  • Dr. Ben A. Calloni, P.E.
  • LM Fellow, Software Security

2
Overview
  • MILS Concept, Vision, and Benefits
  • Historical MLS, Security Policy, TCSEC, etc.
  • Multiple Independent Levels of Separation/Security/Safety
  • CDS Applicability
  • MILS Concept Collaboration/Activities

3
Historical Strategies for Warfare
  • Numerical Superiority
  • Sea Power
  • Shore Force Projection
  • Air Superiority
  • "Information Superiority" in the 21st Century
4
The NEED!
  • Modern warfare is all about sharing information
  • Network Centric Warfare
  • System of Systems integration
  • Global Information Grid
  • Information must be shared securely and reliably to protect the warfighter and not compromise the mission
  • Information is rapidly becoming more diverse
  • Coalition Force Operations
  • Multiple Levels and Communities of Interest
  • Smart Push / Smart Pull / Web Services
  • True MLS/CDS capability is becoming more important!

5
Accepted Safety Process vs. Enterprise IA Process
Imagine if COTS Aviation Safety were treated with the same attitude as current security practices in Enterprise Information Assurance Architectures!!!
Photo captions: "I thought YOU downloaded the Safety Patches from Microsoft during Preflight?" "I did!"
Disclaimer: Photo edited with flames for emphasis of slide context!
6
Definitions: Security
  • Traditional terms
    • System High (all data and user access is treated at the highest level)
    • Multi Single Level Security - MSLS (or MSL)
    • Cross Domain Solutions (or Systems) - CDS
      • Like MLS with 23 (or more) classifications for coalition partners
    • Multi-level Security - MLS (BLP / Orange Book Secure OSs)

7
MLS and Security Policy (Historical Perspective)
  • The Bell-LaPadula model is a Confidentiality policy model (two axioms)
    • simple security property: No Read Up
    • the *-property: No Write Down
  • Noninterference policy model (Goguen and Meseguer) or Information Flow (an attempt to extend BLP)
  • The Biba model is an Integrity policy model (Access Control)
    • No Read Down
    • No Write Up

8
TCSEC (Orange Book) MLS Security Kernel (BLP Policy)
Diagram: User Mode holds the Monolithic Applications and Monolithic Application Extensions; Privilege Mode holds the Monolithic OS, the Kernel and Auditing.
Trustable MLS Requires Evaluatable Applications!
9
The Problem (Dr. John Rushby's Dilemma [1])
simple security property: No Read Up; the *-property: No Write Down
MLS System with BLP Policy
Diagram: a Top Secret Print Server / Spooler shared by a TS Workstation, an S Workstation and an S - NATO Workstation.
  • Spooler and file system are system high - TS
  • Secret Document written to spooler (OK)
  • User checks on print status (Not OK)
  • Spooler deletes file when print completed (OK)

[1] http://www.csl.sri.com/papers/sosp81/
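The two BLP axioms from the previous slide and the Biba duals, run against the spooler scenario above. This is an added example, not code from the presentation: the level names and the NATO caveat are the slides' own, while the lattice encoding (ordered levels plus a set of caveats), the `Label` class and the function names are assumptions made here.

```python
"""Bell-LaPadula and Biba access checks over a classification lattice,
applied to the print-spooler dilemma.

Added example; not code from the presentation. Level names and the NATO
caveat come from the slides; the lattice encoding is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Hierarchical levels from the slides, lowest to highest.
HIERARCHY = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class Label:
    level: str
    caveats: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: higher-or-equal level and a superset of caveats."""
        return (HIERARCHY[self.level] >= HIERARCHY[other.level]
                and self.caveats >= other.caveats)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality):
    simple security: read only if subject dominates object (no read up);
    *-property:      write only if object dominates subject (no write down)."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity), reading the same labels as integrity levels:
    read only if object dominates subject (no read down);
    write only if subject dominates object (no write up)."""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


def spooler_dilemma() -> Dict[str, bool]:
    """The slide's scenario: spooler and its files run system high at TS,
    and workstations at TS, S and S-NATO submit jobs to it."""
    spooler = Label("TS")                         # system high: TS, no caveats
    ts_ws = Label("TS")
    s_ws = Label("S")
    s_nato_ws = Label("S", frozenset({"NATO"}))
    return {
        # Secret workstation writes a document up to the TS spooler: OK
        "S writes document to spooler": blp_allows(s_ws, spooler, "write"),
        # Secret workstation reads job status back from TS: read up, Not OK
        "S checks print status": blp_allows(s_ws, spooler, "read"),
        # The TS spooler deleting its own TS file is a write at the same level: OK
        "spooler deletes completed file": blp_allows(spooler, spooler, "write"),
        # A TS workstation may read status: OK
        "TS checks print status": blp_allows(ts_ws, spooler, "read"),
        # Caveats are part of the lattice: S-NATO dominates plain S, not the reverse
        "S-NATO reads S file": blp_allows(s_nato_ws, s_ws, "read"),
        "S reads S-NATO file": blp_allows(s_ws, s_nato_ws, "read"),
        # Under Biba the high-integrity spooler must not read a low-integrity job
        "Biba: spooler reads S job": biba_allows(spooler, s_ws, "read"),
    }


if __name__ == "__main__":
    for step, allowed in spooler_dilemma().items():
        print(f"{step:35s} {'OK' if allowed else 'Not OK'}")
```

The denied status check is the dilemma itself: the policy model alone cannot give the Secret user the answer, so the spooler must be implemented as a trusted subject that steps outside BLP, and that subject then has to be evaluated, which is the point of the "Trustable MLS Requires Evaluatable Applications" slide.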
10
The C-I-A Triad
  • There is no perfect security!!!
  • Only levels of Trust or Assurance!
  • CIA
    • Confidentiality - means that secret or private information remains that way.
    • Integrity - refers to the completeness, correctness, and trustworthiness of the information.
    • Availability - means that authorized persons may access the information in a timely manner.

11
Clarifying MSLS / CDS / MLS
  • All provide secure (to relative degrees) data processing of differing classifications
  • All use Crypto when classified data has to move through untrusted media
  • Multi Single Level Security (MSLS)
    • Maintains separation of data of differing classifications
    • No Downgrading (e.g. scrubbing TS data to release as Secret data)
    • Used in communications platforms (MIDS-J), infrastructures (Secure Gateway)
  • Cross Domain Systems (CDS)
    • Employs Guard(s) / Downgraders to ensure appropriate data flow (one-way guards) between Domains, Enclaves and/or Caveats.
    • Conceptually, CDS is an MSLS system augmented with data migration capability.
  • Multilevel Security (MLS)
    • Data can be securely stored and moved between classification entities and levels.
    • Generally requires guards, downgraders, MAC, DAC, non-repudiation, Trusted Login, etc.

12
Physical Security Analogy (Better Security is More Expensive)
13
Physical Security Analogy: MLS
Diagram: an MLS System Boundary enclosing an MSLS Component with TS, S and C partitions.
  • Mandatory Access Controls
  • Discretionary Access Controls
  • Data Integrity
  • Expectations of Integrity

14
MLS cf. MILS
  • Generic Definition of MLS
    • A system that supports multiple entities (human, machine, data, or processes), each operating at a different classification level (safety/security/domains)
  • Multiple Independent Levels of Separation/Safety/Security (MILS) Architecture
    • Layer (distribute) the responsibility for overall security policy
    • A software architecture that supports the creation and evaluation of MLS, CDS, MSLS etc. systems
    • Employs time/space partitioning (damage limitation and denial of service)
    • Enforces information flow and data isolation

15
MILS Concept Objectives
  • At the component level
    • Accommodate trusted components (subjects) evaluatable to the appropriate level of robustness (low, medium, high)
    • Reduce the amount of security critical code
    • Increase the scrutiny of security critical code

16
What is the MILS Architecture?
  • A layered architecture concept targeted at enabling the composition of system properties from trusted components
  • Distributed (layered) functionality assurance
  • Defines 4 conceptual layers based on the 3-level Rushby architecture
    • Separation Kernel / Hardware (single node)
    • Distributed Communication (multiple nodes)
    • Middleware Services (single node)
    • Trusted Applications (as required) (single node)

17
Physical Security Analogy (System High vs. MSL)
Diagram: three separate System High Components (TS, S, C) beside one Multi Single Level Component holding TS, S and C partitions.
18
MILS Architecture Evolution
Diagram contrasting a Monolithic OS with a Separation Kernel (DO-178B / ARINC 653); labels: User Mode, Privilege Mode, DAC, MAC, File systems, Network I/O, Device drivers, Auditing, Information Flow, Fault Isolation, Data isolation, Periods Processing.
19
MILS is about Evaluatable Separation and Connectivity, Physical and Logical
This is an MLS (aka CDS) System (Generic Definition)
Diagram: the GiG reached through an Air Gap with Controlled Interfaces.
  • Physical Separation
  • Controlled Interfaces
  • Balance C-I-A of each Component
    • Functional Requirements
    • Assurance Requirements

20
MILS Architected and Evaluated Single Processing Node
Diagram: one node hosting system-high partitions (NATO S sys-h, S sys-h, TS sys-h, U sys-h) alongside a Print Spooler (MLS), a Guard (MLS), Crypto and the NIC that connects to the GiG.
21
MILS Architecture: An Enabling Technology
  • Leverage the Synergy between DoD, Contractors, COTS Vendors, Academia
    • Developing Common Criteria Protection Profiles
      • towards compliance with NSTISSP 11,
      • within Open Standards Consortia (OMG, The Open Group, NCOIC)
    • Developing and aggregating NIAP Validated COTS components
    • Allowing Cost Sharing of Evaluation / Certification costs of appropriate COTS products
  • to provide an appropriate infrastructure for MLS, CDS, etc.
  • Enabling secure, dependable GIG IA

22
MILS Components Aggregated into an MLS / CDS / MSLS System
Validation Mechanism: Controlled Access, Roles, Privileges
Layered stack, top to bottom:
  • Trusted Applications: Guard, Re-grader, DBMS, Console - Trusted Path, Network Gateway, Crypto, Audit
  • Middleware Services: CORBA, DDS, Web Services; Networking - Labels, Routing; Devices - Rapid IO, File Systems, IPv6
  • Partition Communication Services
  • High Robustness Separation Kernel (EAL-6) - Isolation, Explicit Information Flow, Messages, Shared Mem, Synchronization
  • Hardware - MMU, Supervisor Mode, Privileged Instructions
Protection Profiles Exist (various stages)
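A model of the separation-kernel properties this stack and the "What is the MILS Architecture?" slide rely on, applied to the single processing node of the "MILS Architected and Evaluated Single Processing Node" slide: partitions are isolated, a message moves only over an explicitly configured channel, and every transfer is audited. This is an added example, not code from the presentation or from any MILS product; the partition names follow the node slide, while the flow table, the mailbox model, the audit-line format and the class and function names are assumptions made here.

```python
"""Explicit information-flow enforcement between partitions on one MILS node.

Added example, not from the presentation. Partition names follow the
single-node slide; the flow table, mailbox model and audit format are
assumptions.
"""
from typing import Dict, List, Set, Tuple

Channel = Tuple[str, str]  # (source partition, destination partition)


class SeparationKernel:
    """Minimal model of the separation-kernel guarantees the slides list:
    data isolation (a partition only ever touches its own mailbox),
    explicit information flow (a message moves only over a configured
    channel, everything else is denied) and auditing of every transfer."""

    def __init__(self, partitions: Set[str], flows: Set[Channel]) -> None:
        unknown = {p for ch in flows for p in ch} - partitions
        if unknown:
            raise ValueError(f"flow references undeclared partitions: {sorted(unknown)}")
        self.partitions = set(partitions)
        self.flows = set(flows)
        self.mailboxes: Dict[str, List[Tuple[str, bytes]]] = {p: [] for p in partitions}
        self.audit: List[str] = []

    def send(self, src: str, dst: str, payload: bytes) -> bool:
        """Deliver payload only if (src, dst) is an authorised channel.
        Default deny: anything not listed is dropped and audited."""
        if (src, dst) not in self.flows:
            self.audit.append(f"DENY  {src} -> {dst} ({len(payload)} bytes)")
            return False
        self.mailboxes[dst].append((src, payload))
        self.audit.append(f"ALLOW {src} -> {dst} ({len(payload)} bytes)")
        return True

    def simple_paths(self, src: str, dst: str) -> List[List[str]]:
        """All loop-free routes from src to dst over configured channels,
        for offline analysis of the flow policy before the node is fielded."""
        found: List[List[str]] = []

        def walk(node: str, path: List[str]) -> None:
            if node == dst:
                found.append(path)
                return
            for a, b in sorted(self.flows):
                if a == node and b not in path:
                    walk(b, path + [b])

        walk(src, [src])
        return found


SYS_HIGH = ("U sys-h", "S sys-h", "NATO S sys-h", "TS sys-h")
MLS_COMPONENTS = ("Print Spooler (MLS)", "Guard (MLS)", "Crypto", "NIC")


def build_node() -> SeparationKernel:
    """The single node from the slide: system-high partitions talk only to the
    evaluated MLS components, and the NIC is reachable only via Guard and Crypto."""
    flows: Set[Channel] = set()
    for p in SYS_HIGH:
        flows.add((p, "Print Spooler (MLS)"))
        flows.add((p, "Guard (MLS)"))
        flows.add(("Guard (MLS)", p))
    flows |= {("Guard (MLS)", "Crypto"), ("Crypto", "Guard (MLS)"),
              ("Crypto", "NIC"), ("NIC", "Crypto")}
    return SeparationKernel(set(SYS_HIGH) | set(MLS_COMPONENTS), flows)


def demo() -> Dict[str, bool]:
    sk = build_node()
    return {
        # configured channel: allowed
        "S -> spooler": sk.send("S sys-h", "Print Spooler (MLS)", b"print job"),
        # not configured: denied even though BLP alone would permit a write-up
        "S -> TS direct": sk.send("S sys-h", "TS sys-h", b"hello"),
        # not configured: the network is reachable only through Guard and Crypto
        "TS -> NIC direct": sk.send("TS sys-h", "NIC", b"datagram"),
        "guard -> crypto": sk.send("Guard (MLS)", "Crypto", b"released"),
    }


def every_path_to_nic_is_guarded(sk: SeparationKernel) -> bool:
    """Policy check: no system-high partition reaches the NIC without passing
    through both the guard and the crypto partition."""
    for p in SYS_HIGH:
        for path in sk.simple_paths(p, "NIC"):
            if "Guard (MLS)" not in path or "Crypto" not in path:
                return False
    return True


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step:20s} {'ALLOW' if ok else 'DENY'}")
    print("all routes to NIC pass Guard and Crypto:",
          every_path_to_nic_is_guarded(build_node()))
```

The flow table is the part of the configuration an evaluator reads: the kernel itself knows nothing about classification levels, it only enforces the channels it was given, which is what lets the security policy be layered onto the MLS components (guard, spooler, crypto) while the kernel stays small and evaluatable at high robustness. The path analysis is the kind of check that should run whenever the table changes, since a single added channel can bypass the guard.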
23
MILS Workstation with Guest OS for CDS/MLS
Diagram components: PCS (MLS), File Sys. Driver (MLS), E-Mail (MLS), IPv6 (MLS)
24
Crypto Modernization Example
Policy Enforcement Independent of Node Boundaries
Diagram: the Partition Communication System (PCS) spanning the Processors in the System
25
Current Security/Safety is Physical
Diagram: Unclass, Secret and Top Secret applications each run on their own physically separate processors (Processors R1, R2 ... Rn; C1, C2; B1, B2 ... Bn).
26
Legacy Systems Don't have to be Rebuilt!
Diagram: the same Unclass, Secret and Top Secret processors (R1 ... Rn, C1, C2, B1 ... Bn) joined through a MILS Cross Domain Server w/ PCS.
27
MILS Activity: Where We Are Today
Diagram of collaborating organisations:
  • Government: OASD (NII), OSJTF (OUSD-ATL), DISA, NSA Information Assurance Directorate, AFRL Information Directorate, AFCA Cross Domain Solutions, Army Cross Domain Solutions, PMW 160 Cross Domain Solutions
  • Programs: F-22A, JSF, CV-22, CryptoMod (USAF / Navy / SOCOM), B-2, JTRS, DDX, MMA, FCS, Others
  • Industry: Platform Integrators, COTS Vendors, RTOS Vendors, Middleware Vendors, Tool Vendors
  • Standards Bodies (OMG, The Open Group, NCOIC)
  • NIAP Labs, Research Institutions
  • Outputs and relationships: Certified COTS MILS RTOS / Middleware Products, Artifacts, Evaluation (EAL6/7), Funding Partners, Collaboration, Consulting
28
MILS Partners: Industry / Academia
  • Platform Integrators
    • Lockheed Aero (ADP)
    • Boeing - St Louis
    • Raytheon - El Segundo
    • Northrop Grumman - El Segundo
  • MILS RTOS Vendors / Announced Products
    • Green Hills Software: INTEGRITY-178B, INTEGRITY Workstation w/ Padded Cell
    • LynuxWorks: LynxOS-178, LynxOS-SE, LynxSecure
    • Wind River Systems: VxWorks MILS
  • MILS Middleware Vendors / Announced Products
    • Objective Interface: PCSexpress, ORBexpress, DDSexpress
    • Wind River/Interpeak: IPSecure (Trusted Network Stack)
  • MILS Test Beds, Research, Related Activities
    • LM Aero - Ft Worth
    • Boeing - St Louis / Seattle
    • General Dynamics C4 Systems - Scottsdale
    • Northrop Grumman (Space Technology)
    • Raytheon - El Segundo
    • Rockwell Collins

29
Lockheed Martin MILS Architecture Demonstration