MILS Middleware: High Assurance Security for Real-time, Distributed Systems

Similar documents
The MILS Partitioning Communication System + RT CORBA = Secure Communications for SBC Systems

High-Assurance Security/Safety on HPEC Systems: an Oxymoron?

MILS Multiple Independent Levels of Security. Carol Taylor & Jim Alves-Foss University of Idaho Moscow, Idaho

Multiple Independent Levels of Security. GIG High Assurance (MILS) Infrastructure Building Blocks. Objective Interface Systems

Using a Real-time, QoS-based ORB to Intelligently Manage Communications Bandwidth in a Multi-Protocol Environment

Multiple Independent Layers of Security (MILS) Network Subsystem Protection Profile (MNSPP) An Approach to High Assurance Networking Rationale

Green Hills Software, Inc.

A Data-Centric Approach for Modular Assurance Abstract. Keywords: 1 Introduction

Implementing Middleware for Content Filtering and Information Flow Control

Priya Narasimhan. Assistant Professor of ECE and CS Carnegie Mellon University Pittsburgh, PA

SYSTEM THREAT ANALYSIS FOR HIGH ASSURANCE SOFTWARE DEFINED RADIOS

Providing Real-Time and Fault Tolerance for CORBA Applications

Benchmarking Real-Time and Embedded CORBA ORBs

UNDERSTANDING SENETAS LAYER 2 ENCRYPTION TECHNICAL-PAPER

Certification Requirements for High Assurance Systems

HAMES Review at SRI, 7 October 2008 partly based on Layered Assurance Workshop 13, 14 August 2008, BWI Hilton and based on Open Group, 23 July 2008,

Applying MILS to multicore avionics systems

GREEN HILLS SOFTWARE: EAL6+ SECURITY FOR MISSION CRITICAL APPLICATIONS

Securing IoT with the ARM mbed ecosystem

Verizon Software Defined Perimeter (SDP).

10 Steps to Virtualization

A Cost Effective High Assurance Layered Solution for MLS Test Training and LVC

An Update on CORBA Performance for HPEC Algorithms. Bill Beckwith Objective Interface Systems, Inc.

A Developer's Guide to Security on Cortex-M based MCUs

EMBEDDED OPERATING SYSTEMS

Implementing Middleware for Content Filtering and Information Flow Control

Security: The Key to Affordable Unmanned Aircraft Systems

Commercial Real-time Operating Systems An Introduction. Swaminathan Sivasubramanian Dependable Computing & Networking Laboratory

Use of Formal Methods in Assessment of IA Properties

Accelerate Your Enterprise Private Cloud Initiative

Understanding Layer 2 Encryption

Weapon Systems Open Architecture Overview

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

ARM TrustZone for ARMv8-M for software engineers

Connecting Securely to the Cloud

A Survival Guide to Continuity of Operations. David B. Little Senior Principal Product Specialist

FOCUS ON THE FACTS: SOFTWARE-DEFINED STORAGE

FPGAs: High Assurance through Model Based Design

THE RTOS AS THE ENGINE POWERING THE INTERNET OF THINGS

Implementing Scheduling Algorithms. Real-Time and Embedded Systems (M) Lecture 9

Product Security Briefing

ITTIA DB SQL Em bedded Dat abase and VxWorks

Lecture 15 Designing Trusted Operating Systems

Specifying and Certifying Information Flow Properties in MILS Systems

Introduction to Computer Security

High Assurance Systems Development Using the MILS Architecture

Operating System Security

Advanced Systems Security: Multics

Securing your Virtualized Datacenter. Charu Chaubal Senior Architect, Technical Marketing 6 November, 2008

Merging Enterprise Applications with Docker* Container Technology

Operating Systems Overview. Chapter 2

Web Services. Lecture I. Valdas Rapševičius Vilnius University Faculty of Mathematics and Informatics

WIND RIVER TITANIUM CLOUD FOR TELECOMMUNICATIONS

A Synchronous IPC Protocol for Predictable Access to Shared Resources in Mixed-Criticality Systems

Using a Separation Kernel to Protect against the Remote Exploitation of Unaltered Passenger Vehicles

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

Building High-Assurance Systems out of Software Components of Lesser Assurance Using Middleware Security Gateways

Security Philosophy. Humans have difficulty understanding risk

SECURING DEVICES IN THE INTERNET OF THINGS

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

SECURING DEVICES IN THE INTERNET OF THINGS

Importance of Interoperability in High Speed Seamless Redundancy (HSR) Communication Networks

a A secure, field upgradeable operating system architecture for Blackfin Microprocessors

Operating Systems Overview. Chapter 2

CSP 2017 Network Virtualisation and Security Scott McKinnon

Web Services. Lecture I. Valdas Rapševičius. Vilnius University Faculty of Mathematics and Informatics

AVOIDING THE 2020 WINDOWS 10 ATM HARDWARE UPGRADE CYCLE A PROOF OF CONCEPT

Securing Devices in the Internet of Things

ARM Security Solutions and Numonyx Authenticated Flash

Simple and secure PCI DSS compliance

The Smart Grid Security Innovation Alliance. John Reynolds October 26, 2011 Cambridge, Massachusetts

Embedded Systems Dr. Santanu Chaudhury Department of Electrical Engineering Indian Institute of Technology, Delhi

F6 Model-driven Development Kit (F6MDK)

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Data Model Considerations for Radar Systems

2. REAL-TIME CONTROL SYSTEM AND REAL-TIME NETWORKS

TEITP User and Evaluator Expectations for Trusted Extensions. David Hardin Rockwell Collins Advanced Technology Center Cedar Rapids, Iowa USA

The Next Steps in the Evolution of Embedded Processors

Introduction to Operating Systems. Chapter Chapter

Trusted Platform for Mobile Devices: Challenges and Solutions

Reliable UDP (RDP) Transport for CORBA

Architectural Support for A More Secure Operating System

Security Architecture

TDDD07 Real-time Systems Lecture 10: Wrapping up & Real-time operating systems

Network Implications of Cloud Computing Presentation to Internet2 Meeting November 4, 2010

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

Evaluating Multicore Architectures for Application in High Assurance Systems

Mixed Critical Architecture Requirements (MCAR)

Live Demo: A New Hardware- Based Approach to Secure the Internet of Things

LESSONS LEARNED IN SMART GRID CYBER SECURITY

Who s Protecting Your Keys? August 2018

New Approaches to Connected Device Security

Control-M and Payment Card Industry Data Security Standard (PCI DSS)

Virtual Machine Security

Department of Computer Science, Institute for System Architecture, Operating Systems Group. Real-Time Systems '08 / '09. Hardware.

Primary Multicore Software Configurations Mark Hermeling, Senior Product Manager Wind River

BRDS ( , WS 2017) Ulrich Schmid

Middleware for Embedded Adaptive Dependability (MEAD)

Introduction to Operating. Chapter Chapter

LINUX CONTAINERS. Where Enterprise Meets Embedded Operating Environments WHEN IT MATTERS, IT RUNS ON WIND RIVER

Transcription:

2001 Objective Interface Systems, Inc. MILS Middleware: High Assurance Security for Real-time, Distributed Systems Bill Beckwith bill.beckwith@ois.com Objective Interface Systems, Inc. 13873 Park Center Road, Suite 360 Herndon, VA 20171-3247 703/295-6500 (voice) 703/295-6501 (fax) http://www.ois.com/ info@ois.com

2003 Objective Interface Systems, Inc. 2 Agenda Introduction Sponsors Objective Real-time Security Challenge Distributed Security Requirements Partitioned Communications System Real-time MILS CORBA MILS Middleware Realization

2001 Objective Interface Systems, Inc. Introduction

2003 Objective Interface Systems, Inc. 4 Sponsors Sponsors for PKPP and RT CORBA PP effort Wright-Patterson AFB (WSSTS Project) Air Force F22 and JSF (via LM Ft. Worth) Objective Interface

2003 Objective Interface Systems, Inc. 5 Objective An applications and communications infrastructure that provides: Safety high correctness Security High performance Fault resilience Real-time Standards-based (does what it is supposed to do) high integrity ( and nothing else!) low latency/high bandwidth high reliability high predictability high independence

2003 Objective Interface Systems, Inc. 6 Real-time Security Challenge Requires New Thinking Old approaches to security don t work for real-time Monolithic security kernels Too large Too slow Unpredictable Don t support inherent distribution of embedded systems Can t get above EAL 4 (medium assurance) CORBA Security Weak trust model Too large Too slow Unpredictable Can t get above EAL 4 (medium assurance) New thinking required MILS: Multiple Independent Levels of Security

2003 Objective Interface Systems, Inc. 7 Distributed Security Requirements Rely upon partitioning kernel to enforce middleware security policies on a given node Information Flow Data Isolation Periods Processing Damage Limitation Application specific security requirements must not creep down into the middleware (or kernel) ensure the system remains supportable and evaluatable Optimal inter-partition communication Minimizing added latency (first byte) Minimizing bandwidth reduction (per byte) Fault resilience No single point of failure

2003 Objective Interface Systems, Inc. 8 Distributed System Distributed object communication Partition Local same address space, same machine Machine Local different address space, same machine Remote different address space, on a different machine Shared Memory Multicast Rapid IO TCP/IP 1394 ATM RACEway VME

2003 Objective Interface Systems, Inc. 9 Inter-object Communication Unrestricted information flow between objects creates a significant security concern Three types of inter-object communication Intra-partition: between objects in same partition left to application Inter-partition: between objects in partitions on the same node Node = one CPU or tightly coupled group of CPUs Unencrypted communication Middleware controls Inter-partition: between objects in partitions on different nodes Encrypted communication Middleware controls

2003 Objective Interface Systems, Inc. 10 Secure Communications Framework Security concerns include: The correct processes occur within an application e.g., the correct waveform and applications are instantiated Inter-object messages flow between the correct objects Information flow security policy Trusted objects are capable of instantiating and tearing down applications Permissions enforced on read, write, & execution of files Boots correctly with integrity Implementation dependent Are all of the puzzle pieces present and correct? Is my piece of the puzzle correct? Audit records are understandable Implementation dependent Audit record protected from unauthorized changes or reading

2003 Objective Interface Systems, Inc. 11 Why CORBA Security Is Not Used Can t accommodate MLS Provides a overly wide trust model Commercially available CORBA security implementations place CORBASEC within the ORB and application ORBs reside within the application components process spaces Security mechanisms can be modified by other software objects within process space (e.g. application) Security mechanisms can be bypassed Security becomes an application option CORBA Security services More of a collection of security APIs than a security architecture CORBASEC implementations too large to evaluate Non-security issues related to message latency Not appropriate for medium or high assurance systems

2003 Objective Interface Systems, Inc. 12 Layer Responsibilities MILS Partitioning Kernel Functionality Time and Space Partitioning Data Isolation Inter-partition Communication Periods Processing Minimum Interrupt Servicing Semaphores Timers Instrumentation MILS Middleware Functionality RTOS Services Device Drivers CORBA File System Partitioned Communication System Inter-processor Communication

2001 Objective Interface Systems, Inc. Partitioned Communication System

2003 Objective Interface Systems, Inc. 14 PCS: Partitioned Communication System Partitioned Communication System A portion of MILS Middleware Responsible for all communication between MILS nodes Purpose Extend the protected environment of MILS kernel to multiple nodes Similar philosophy to MILS Partitioning Kernel Minimalist: Only that functionality needed to enforce end-to-end versions of policies End-to-end Information Flow End-to-end Data Isolation End-to-end Periods Processing End-to-end Damage Limitation Designed for EAL level 7 evaluation

2003 Objective Interface Systems, Inc. 15 PCS Objective What? Just like MILS: Enable the Application Layer Entities to Enforce, Manage, and Control their own Application Level Security Policies in such a manner that the Application Level Security Policies are Non-Bypassable, Evaluatable, Always-Invoked, and Tamper-proof. Desire is an architecture that allows the Security Kernel and PCS to share the RESPONSIBILITY of Security with the Application. Extended: To all inter-partition communication within a group of MILS nodes (enclave)

2003 Objective Interface Systems, Inc. 16 PCS Requirements PCS must provide Strong identity of nodes within enclave Separation of Levels Need cryptographic separation Separation of Communities of Interest Need cryptographic separation Bandwidth Provisioning & Partitioning Secure Configuration of all Nodes in Enclave Federated information Distributed (compared) vs. Centralized (signed) Secure Clock Synchronization Secure Loading Signed partition images PCS must eliminate Covert channels Network resources (bandwidth, hardware resources, buffers, )

2003 Objective Interface Systems, Inc. 17 MILS PCS Security Policy Application Example PCS Provides: End-to-end Information Flow End-to-end Data Isolation End-to-end Periods Processing End-to-end Damage Limitation Policy Enforcement Independent of Node Boundaries E1 RS E2 BV Red Data E3 Black Data RPM BPM D1 RV D2 BS D3

2003 Objective Interface Systems, Inc. 18 High Assurance MILS Architecture Application Partitions MILS - Multiple Independent Levels of Security MSL - Multi Single Level MLS - Multi Level Secure Supervisor Mode MMU, Inter-Partition Communications Interrupts S TS (MSL) (MSL) Processor... S,TS (MLS) RTCORBA RTCORBA RTCORBA PCS PCS PCS RTOS Micro Kernel (MILS) User Mode

2003 Objective Interface Systems, Inc. 19 Confines Malicious Code With MILS Partitioning Kernel Architecture we know Where inputs came from for each object Where outputs are going for each object Data for each object remains private Impossible to TEST security system for all possible user applications In addition to testing, high-assurance communication system requires Rigorous design methods Proven software engineering process methods Rigorous use of mathematics

2001 Objective Interface Systems, Inc. Real-time MILS CORBA

2003 Objective Interface Systems, Inc. 21 Real-Time MILS CORBA Real-time CORBA can take advantage of PCS capabilities Real-time CORBA + PCS = Real-time MILS CORBA Additional application-level security policies are enforceable because of MILS PK and PCS foundation Real-time MILS CORBA represents a single enabling application infrastructure Can address the following key cross-cutting system requirements: High-assurance, MILS-based distributed security (with high-integrity support required for safety critical systems) Real-time (fixed priority as well as dynamically scheduled) High performance distributed object communications (low latency, high bandwidth)

2003 Objective Interface Systems, Inc. 22 Security Policies for RT CORBA Unauthorized Discloser of Data - > Information Flow Critical tasks not bypassed Compromise/Corruption of Sensitive Data->Data Isolation Data segments not read or corrupted by unauthorized entities Covert Storage Channels - > Periods Processing ORB is not a covert storage channel on separate messages Presence of Unevaluated Code - > Damage Limitation Unevaluated code will not compromise processing or data

2003 Objective Interface Systems, Inc. 23 Threat Examples T.CONFIG_CORRUPT A malicious or faulty subject may attempt to modify or corrupt configuration data used by the ORB to enforce information flow policy by accessing the contents of an ORB. A malicious or faulty subject may attempt to bypass the information flow policy enforced by an ORB by using configuration data that, while valid, differs from that being used by another ORB. T.DOS A malicious or faulty subject may attempt to block other subjects from sending or receiving communications by exhausting or monopolizing shared resources or the resources of another ORB.

2001 Objective Interface Systems, Inc. MILS Middleware Realization

2003 Objective Interface Systems, Inc. 25 MILS Partnering Objective Interface is partnered with Boeing Lockheed-Martin MITRE National Security Agency Rockwell Collins U. S. Air Force University of Idaho To integrate Several MILS security partitioning kernels with A Real-time CORBA middleware implementation, ORBexpress RT

2003 Objective Interface Systems, Inc. 26 Business Dependencies Success depends on Strong business and technical commitment by RTOS vendors So far so great Customer need There s a difference between wanting security and buying security Performance, size, and predictability are key Ease of use is essential Logistics of standards groups Reconciliation of business and technical perspectives Secure Applications Secure Communications Infrastructure (PCS & RTCORBA) Secure RTOS (PK)

2003 Objective Interface Systems, Inc. 27 MILS Implementors Hardware Based Kernel AAMP7 Software Based Kernel Integrity-178 LynuxOS VxWorks AE Middleware ORBexpress Rockwell-Collins Green Hills Software LynuxWorks Wind River Systems Objective Interface

2003 Objective Interface Systems, Inc. 28 Summary MILS = High-assurance Multi-level Evaluatable Distributed PCS provides distribution for MILS RTOSes DoD needs multi-level systems for the war-fighter Partitioning kernel provides the lowest risk, quickest development time to provide high-assurance MILS systems MILS + PCS + Real-time CORBA = A secure deployment platform for distributed, real-time applications

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback