MILS Multiple Independent Levels of Security. Carol Taylor & Jim Alves-Foss University of Idaho Moscow, Idaho

Similar documents
The MILS Partitioning Communication System + RT CORBA = Secure Communications for SBC Systems

MILS Middleware: High Assurance Security for Real-time, Distributed Systems

Certification Requirements for High Assurance Systems

HAMES Review at SRI, 7 October 2008 partly based on Layered Assurance Workshop 13, 14 August 2008, BWI Hilton and based on Open Group, 23 July 2008,

Implementing Middleware for Content Filtering and Information Flow Control

Multiple Independent Layers of Security (MILS) Network Subsystem Protection Profile (MNSPP) An Approach to High Assurance Networking Rationale

Joint Interpretation Library

Composite Evaluation for Smart Cards and Similar Devices

Challenges and Solutions of Distributed Systems Composition. Tsui, Tsun-Te / Dr. Jeng, Albert B. Telecom Technology Center

Common Criteria (CC) Introduction

FeliCa Approval for Security and Trust (FAST) Overview. Copyright 2018 FeliCa Networks, Inc.

Implementing Middleware for Content Filtering and Information Flow Control

GREEN HILLS SOFTWARE: EAL6+ SECURITY FOR MISSION CRITICAL APPLICATIONS

CC Part 3 and the CEM Security Assurance and Evaluation Methodology. Su-en Yek Australasian CC Scheme

Brocade FastIron SX, ICX, and FCX Series Switch/Router

Use of Formal Methods in Assessment of IA Properties

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report. Tripp Lite Secure KVM Switch Series

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

High-Assurance Security/Safety on HPEC Systems: an Oxymoron?

AnyConnect Secure Mobility Client for Windows 10

Common Criteria Installation Instructions for IBM Logical Partitioning Architecture on System i and System p

Certification Report

Check Point Endpoint Security Media Encryption

UNICOS/mp Common Criteria Evaluation

Samsung Electronics Co., Ltd. Samsung Galaxy Note 5 & Galaxy Tab S2 VPN Client

CCM 4350 Week 22. Security Architecture and Engineering. Dr A. Lasebae School of Science and Technology CCM4350 1

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report

Building High-Assurance Systems out of Software Components of Lesser Assurance Using Middleware Security Gateways

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme

COMMON CRITERIA CERTIFICATION REPORT

Towards Formal Evaluation of a High-Assurance Guard

Common Criteria Developer Training Course Outline

COMMON CRITERIA CERTIFICATION REPORT

National Information Assurance Partnership

Secure Desktop KVM Switch Update. Keep classified information classified.

Certification Report

Applied IT Security. Device Security. Dr. Stephan Spitz 10 Development Security. Applied IT Security, Dr.

Brocade FastIron SX, ICX, and FCX Series Switch/Router

Common Criteria. Xerox Advanced Multifunction Systems

Certification Report

Brocade MLXe and NetIron Family Devices with Multi-Service IronWare R

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme

Certification Report

COMMON CRITERIA CERTIFICATION REPORT

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme

Certification Report

Development of Informal Security Policy Models

Cisco IoT Industrial Ethernet and Connected Grid Switches running IOS

SYSTEM THREAT ANALYSIS FOR HIGH ASSURANCE SOFTWARE DEFINED RADIOS

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme

Car2Car Forum Operational Security

Certification Report

MarkLogic Server. Common Criteria Evaluated Configuration Guide. MarkLogic 9 May, Copyright 2019 MarkLogic Corporation. All rights reserved.

The Common Criteria, Formal Methods and ACL2

Introduce the major evaluation criteria. TCSEC (Orange book) ITSEC Common Criteria

Compositional Security Evaluation: The MILS approach

Brocade MLXe Family Devices with Multi- Service IronWare R

National Information Assurance Partnership

Introduce the major evaluation criteria. TCSEC (Orange book) ITSEC Common Criteria

National Information Assurance Partnership

Certification Report

Certification Report

Certification Report

Certification Report

Certification Report

Assurance Continuity Maintenance Report

A Data-Centric Approach for Modular Assurance Abstract. Keywords: 1 Introduction

Forcepoint NGFW 6.3.1

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

Germany and The Netherlands Certification of cryptographic modules

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

3 August Software Safety and Security Best Practices A Case Study From Aerospace

Certification Report

Juniper Networks J2300, J2350, J4300, M7i and M10i Services Routers running JUNOS 8.5R3

A Cost Effective High Assurance Layered Solution for MLS Test Training and LVC

Juniper Networks EX3200 and EX4200 Switches running JUNOS 9.3R2

Certification Report

General Framework for Secure IoT Systems

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

COMMON CRITERIA CERTIFICATION REPORT

Certification Report

Certification Report

Certification Report

Certification Report

National Information Assurance Partnership

Australasian Information Security Evaluation Program

Procedure for Network and Network-related devices

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT

Guideline for Determining the TOE

Certification Report

Certification Report

D4 Secure VPN Client for the HTC A9 Secured by Cog Systems

CCEVS APPROVED ASSURANCE CONTINUITY MAINTENANCE REPORT

Certification Report

COMMON CRITERIA CERTIFICATION REPORT

Certification Report

COMMON CRITERIA CERTIFICATION REPORT

Operating System Security, Continued CS 136 Computer Security Peter Reiher January 29, 2008

Evaluating Multicore Architectures for Application in High Assurance Systems

Transcription:

MILS Multiple Independent Levels of Security Carol Taylor & Jim Alves-Foss University of Idaho Moscow, Idaho

United states December 8, 2005 Taylor, ACSAC Presentation 2

Outline Introduction and Motivation MILS History MILS Architecture Common Criteria (CC) Certification MILS Certification Progress Conclusion December 8, 2005 Taylor, ACSAC Presentation 3

Introduction MILS is an evolving component based high assurance architecture MILS = Multiple Independent Levels of Security Under development by industry, government and academia Intended for high assurance environments Multi-level data communications Safety critical systems December 8, 2005 Taylor, ACSAC Presentation 4

Introduction Current and past practice in CC Certification No methodology for Common Criteria certification of components or much Reuse of certification efforts Common Criteria focused on certification of single systems or products Not easy to certify composed system December 8, 2005 Taylor, ACSAC Presentation 5

Introduction Also, entire certification process is not open Access to information on CC process not readily available at higher EAL levels Evaluation methodology is proprietary since labs compete with each other for certification business December 8, 2005 Taylor, ACSAC Presentation 6

Motivation Need to do component CC certification for MILS Reuse of certification artifacts Publish findings in order to clarify the process Investigate higher assurance levels for trusted MILS components December 8, 2005 Taylor, ACSAC Presentation 7

Motivation Area in need of further work Composing Protection Profiles of certified products Show composition of components will work Brian Snow, December 5, 2005 - ACSAC December 8, 2005 Taylor, ACSAC Presentation 8

MILS History High assurance systems require proof that system meets critical security requirements Proof = formal methods analysis Past high assurance systems relied on Security Kernel + Trusted Computing Base (TCB) December 8, 2005 Taylor, ACSAC Presentation 9

MILS History As high assurance systems evolved Difficult to separate security functionality from other system functions TCB became very large Impossible to formally verify correctness of system with many 1000 s lines of code Security policy complex High level design also complicated and large December 8, 2005 Taylor, ACSAC Presentation 10

MILS History MILS is an alternative vision for high assurance systems MILS is a layered approach with lower layers providing security services to higher layers Each layer is responsible for security services in its own domain and nothing else Limits the complexity and scope of security mechanisms Makes evaluation possible Fits in with small is beautiful thinking December 8, 2005 Taylor, ACSAC Presentation 11

Conceptual View MILS Layers Applications MLS and Non-MLS Middleware Services (Device drivers, File Systems, Network communications) Separation Kernel Hardware (MMU, Interrupts) December 8, 2005 Taylor, ACSAC Presentation 12

MILS Architecture Separation underlies all of MILS Long used in avionics world for safety critical systems Safety features Space partitioning Well defined, separate address space Damage Limitation Application errors only affect the application partition Time partitioning Only one application runs in mostly static time allowance December 8, 2005 Taylor, ACSAC Presentation 13

MILS Architecture Separation Kernel Simplified to provide partitioning, partition scheduling and secure communication between partitions An EAL 6+ Protection Profile has been written Vendors developing separation kernels Green Hills, LynuxWorks, Wind River Others developing MILS components Lockheed Martin, Objective Interface, University of Idaho, Navel Research Lab December 8, 2005 Taylor, ACSAC Presentation 14

MILS Architecture Separation Kernel Security Policy Data isolation enforces space partitioning Periods Processing enforces time partitioning Sanitization clears shared resources, system buffers and micro processor registers Information flow permits communication between authorized partitions December 8, 2005 Taylor, ACSAC Presentation 15

MILS Architecture Middleware Services Functionality previously in kernel now in OS Middleware layer File systems, network services, device drivers Added new functionality for security Partitioning Communication System Provides trusted, MLS, network communication MILS Message Router Data switch for partitions, handles multiple classification levels December 8, 2005 Taylor, ACSAC Presentation 16

MILS Architecture Applications Traditional middleware such as CORBA Guards MLS or Single level Encryption Downgrader or Regrader December 8, 2005 Taylor, ACSAC Presentation 17

The MILS Architecture U (SL) C (SL) S (SL) TS (SL) TS/S (MLS) Application Application Application Application Application Middleware Middleware Middleware Middleware Middleware MILS SEPARATION KERNEL Processor December 8, 2005 Taylor, ACSAC Presentation 18

Common Criteria Certification CC v. 2.2 Certification of single products Application, OS, processor Target of Evaluation (TOE) Define or find a Protection Profile (PP) Adapt PP to a Security Target (ST) at a given EAL level ST specifies security functionality of TOE Evaluated according to ST NIAP Lab evaluates products up to EAL 4 Beyond EAL 4, NSA evaluates TOE December 8, 2005 Taylor, ACSAC Presentation 19

Common Criteria Certification CC v. 3.0 Allows certification of composed products Involves combination of two or more evaluated products Intent is to evaluate components developed by different organizations Proprietary issues Assumption is not all information is available for evaluation December 8, 2005 Taylor, ACSAC Presentation 20

Common Criteria Certification Composed CC v. 3.0 Certification How to do it? Independent evaluation of each component Composed evaluation base component and dependent component Use new class ACO: Composition - Five families ACO-COR Composition rationale ACO-DEV Development evidence ACO-REL Reliance of dependent component ACO-TBT Base TOE Testing ACO-VUL Composition vulnerability analysis December 8, 2005 Taylor, ACSAC Presentation 21

Common Criteria Certification Composed CC v. 3.0 Certification Five families say Ensure base component provides at least as high an assurance level as the dependent component Security functionality in support of security requirements of dependent component is adequate Description of interfaces used to support security functions of dependent component is provided May not have been considered during component evaluation December 8, 2005 Taylor, ACSAC Presentation 22

Common Criteria Certification Composed CC v. 3.0 Certification Five families say Testing of base component as used in composed TOE is performed Residual vulnerabilities of base component are reported and an analysis of vulnerabilities arising from composition are considered December 8, 2005 Taylor, ACSAC Presentation 23

Common Criteria Certification Composed CC v. 3.0 Certification Composition Assurance Packages (CAPs) Replace EAL levels for composed TOE s Build on results of previously evaluated entities CAP-A Structurally Composed CAP-B Methodically Composed CAP-C Methodically Composed, Tested and Reviewed December 8, 2005 Taylor, ACSAC Presentation 24

Common Criteria Certification Composed CC v. 3.0 Certification CAP-A Structurally Composed Developers or users require low to moderate levels of independently assured security Security functional requirements are analyzed just using the outputs from the evaluations of the component TOE s ST, and guidance documentation No involvement of base TOE developer required December 8, 2005 Taylor, ACSAC Presentation 25

Common Criteria Certification Composed CC v. 3.0 Certification CAP-B Methodically Composed Developers or users require moderate levels of independently assured security Security functional requirements are analyzed using outputs from TOE evaluations, specification of interfaces and high level TOE design of the composed TOE Minimal involvement of base TOE developer required December 8, 2005 Taylor, ACSAC Presentation 26

Common Criteria Certification Composed CC v. 3.0 Certification CAP-C Methodically Composed, Tested and Reviewed Developers or users require moderate to high levels of independently assured security and are prepared to incur additional security-specific engineering costs Security functional requirements are analyzed using outputs from TOE evaluations, specification of interfaces and the TOE design of the composed TOE Involvement of base TOE developer required December 8, 2005 Taylor, ACSAC Presentation 27

Common Criteria Certification MILS Certification MILS is ideally suited to a composed certification effort MILS was designed as a component architecture Components designed by multiple vendors Components certified at multiple EAL levels Components assist with security policy enforcement December 8, 2005 Taylor, ACSAC Presentation 28

Common Criteria Certification Composed MILS CC v. 3.0 Certification Example: Separation Kernel and MMR Base component Separation Kernel Dependent component MILS Message Router (MMR) December 8, 2005 Taylor, ACSAC Presentation 29

Common Criteria Certification Steps for Composing MILS Components Evaluation of Separation Kernel Evaluation of MILS Message Router Evaluation of Composed MILS Components Define an ST for composed system Decide on a Composition Assurance Level (CAP) December 8, 2005 Taylor, ACSAC Presentation 30

MILS Certification Progress Separation Kernel evaluation Protection Profile, Security Target - done Currently being evaluated Formal methods artifacts under construction Target EAL 6+ MILS Message Router No PP, Security Target being created Constructing artifacts No actual NIAP Lab evaluation review of artifacts Target EAL 5 December 8, 2005 Taylor, ACSAC Presentation 31

MILS Certification Progress Composed Certification Next steps Define a composed ST, Evaluation Document all steps and publish results Discuss strategy and methodology Should be repeatable for other MILS components Many certification artifacts should be reusable within MILS systems Standard interfaces, consistent security policies December 8, 2005 Taylor, ACSAC Presentation 32

Conclusion MILS architecture provides layered, component-based approach to high assurance systems Components certified at different assurance levels as needed Saves cost, effort since entire system doesn t need to operate system high December 8, 2005 Taylor, ACSAC Presentation 33

Conclusion Newest CC version allows composed certification MILS can use composition so that components can be developed by multiple venders High assurance components designed to work together Re-use of certification results now possible December 8, 2005 Taylor, ACSAC Presentation 34

The End ctaylor@cs.uidaho.edu December 8, 2005 Taylor, ACSAC Presentation 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback