compositional security evaluation the mils approach
play

Compositional Security Evaluation: The MILS approach John Rushby and - PowerPoint PPT Presentation

Oct 15, 2022 •197 likes •466 views

Compositional Security Evaluation: The MILS approach John Rushby and Rance DeLong Computer Science Laboratory SRI International Menlo Park CA USA Primary affiliation: LynuxWorks John Rushby, Rance DeLong, SR I Compositional Security

  1. Compositional Security Evaluation: The MILS approach John Rushby and Rance DeLong † Computer Science Laboratory SRI International Menlo Park CA USA † Primary affiliation: LynuxWorks John Rushby, Rance DeLong, SR I Compositional Security Evaluation: 1

  2. Systems, Components, and Security • Security is a system property • But there is a compelling case to establish a marketplace for security-relevant components ◦ Secure file systems, communications subsystems, operating system kernels ◦ Filters, downgraders, authentication services • Want the security of these components to be evaluated • In such a way that security evaluation for a system built on these is largely based on prior evaluations of the components • This is an example of compositional assurance John Rushby, Rance DeLong, SR I Compositional Security Evaluation: 2

  3. Component-Based Design and Compositional Assurance • Component-based design ◦ Take some off the shelf components ◦ Build some bespoke components ◦ Connect them all together with glue (components) To achieve the required functionality ◦ We understand the functionality of the system by understanding the functions of its components • Compositional assurance ◦ The idea that we can provide assurance for properties of a component-based system based on preconstructed assurance for properties of its components John Rushby, Rance DeLong, SR I Compositional Security Evaluation: 3

  4. Why Is Compositional Assurance Hard? • Assurance must consider properties, not just function ◦ Properties depend on component interactions as much as on individual component behavior ◦ And must consider what must not happen • Assurance must consider faults and malice ◦ Including those that subvert the design ◦ In particular, those that vitiate the separation into components and bypass the interfaces between them ◦ i.e., those that create unintended interactions • So assurance for components must anticipate this and provide very strong guarantees, and must consider interactions as well as local behavior John Rushby, Rance DeLong, SR I Compositional Security Evaluation: 4

  5. State of Practice in Compositional Assurance • Not endorsed by any stringent certification regime we are familiar with ◦ Because of the interaction issue: the current way to deal with this is to look at the whole system and inside every component • E.g., the FAA certifies only airplanes, engines, propellers ◦ Some weak mechanisms for components ⋆ Reusable Software Components (AC 20-148) ◦ And for incremental construction of certification ⋆ Integrated Modular Avionics (DO-297/ED-124) ◦ But the initial certification is always whole system, not compositional, and they reserve the right to look inside components • Doing security evaluations compositionally would be a first! John Rushby, Rance DeLong, SR I Compositional Security Evaluation: 5

  6. Compositional Security Evaluation Two topics: Procedural: how to do this within the CC framework? Technical: the approach we’re developing for MILS John Rushby, Rance DeLong, SR I Compositional Security Evaluation: 6

  7. Compositional Evaluation Within The CC Framework • A community effort is needed to explore this ◦ Our goal here is to stimulate debate • For MILS, we are using an ad-hoc approach ◦ Developing a MILS Integration Protection Profile (MIPP) • Use a PP because that is an established mechanism • But it’s really a meta-PP ◦ Constraints on component PPs so that they compose to yield system-level assurance John Rushby, Rance DeLong, SR I Compositional Security Evaluation: 7

  8. The MILS Approach • Historically, MILS stood for Multiple Independent Levels of Security • Now, its best thought of as a name for . . . • . . . a class of security architectures based on two levels Subject Interaction Level: the security attributes of encapsulated subjects, and their interactions Resource Sharing Level: the security attributes that arise from subjects sharing resources • Each level has its own kind of component Subject Interaction Level: operational components Resource Sharing Level: foundational components And these each have their own kind of PP John Rushby, Rance DeLong, SR I Compositional Security Evaluation: 8

  9. Intuitive Security Architecture • Almost all system designs are portrayed in diagrams using circles and arrows • But in security, these have a particular (often unconscious) force and interpretation • Circles indicate subjects, ◦ Encapsulated data, information, control, • Arrows indicate interactions (and interfaces) ◦ Absence of an arrow means absence of interaction • The only things that happen inside a circle are consequences of things in that circle and the incoming arrows, and the only things that change are the internal state of the circle and its outgoing arrows (i.e., interacting state machines) John Rushby, Rance DeLong, SR I Compositional Security Evaluation: 9

  10. Good Intuitive Security Architecture • Try to arrange the circles and arrows so that security depends on only a few trusted circles • And those are trusted to do only relatively simple things • Split big circles up if necessary to achieve these John Rushby, Rance DeLong, SR I Compositional Security Evaluation: 10

  11. The MILS Architecture, Upper Level • The system structure should directly reflect the circles and arrows picture ◦ i.e., the implementation directly follows the logical design ◦ Circles are subjects, arrows are interactions • We can afford to have lots of circles and arrows, and should use this to reduce and simplify the trusted circles/subjects ◦ Trusted subjects implement policy John Rushby, Rance DeLong, SR I Compositional Security Evaluation: 11

  12. The MILS Architecture, Lower Level • We can afford to have lots of circles and arrows because we can efficiently and securely share physical resources among separate logical circles and arrows Separation Kernel Secure sharing is ensured by foundational components, which enforce partitioning/separation Partitioning TSE File System • Allocation of logical components to shared resources has impacts beyond security (faults, performance)—care needed John Rushby, Rance DeLong, SR I Compositional Security Evaluation: 12

  13. Two Kinds of Components, Two Kinds of PPs The lower and upper levels of the MILS architecture have different concerns and are realized by different kinds of components having different kinds of PPs Upper level: components that provide or enforce specific security policy functionality • Examples: downgrading, authentication, MLS flow • Their PPs are operational: concerned with the specific security policy that they provide Lower level: components that partition/separate/securely share physical resources among logical entities • Examples: separation kernel, partitioning communication system, console, file system, network stack • Their PPs are foundational: concerned with partitioning/separation/secure sharing John Rushby, Rance DeLong, SR I Compositional Security Evaluation: 13

  14. The Essence of MILS • The operational and foundational security concerns are kept separate ◦ Separate kinds of components ◦ Separate kinds of PPs • Cf. traditional security kernels ◦ One component partitioned many kinds of resources ⋆ complex implementation ◦ And either enforced a single operational security policy ⋆ too rigid to be useful Or several ⋆ too complicated to be credible • MILS is feasible today because we know how to do fine grain partitioning (e.g., paravirtualization), have better hardware support, and can afford the overhead John Rushby, Rance DeLong, SR I Compositional Security Evaluation: 14

  15. Two Kinds of Components, Three Kinds of Composition We need to consider three kinds of component compositions operational/operational: need compositionality foundational/operational: need composability foundational/foundational: need additivity Consider these in turn John Rushby, Rance DeLong, SR I Compositional Security Evaluation: 15

  16. Compositionality Operational components combine in a way that ensures compositionality • There’s some way to calculate the properties of interacting operational components from the properties of the components (with no need to look inside), e.g.: ◦ Component A guarantees P if environment ensures Q ◦ Component B guarantees Q if environment ensures P ◦ Conclude that A || B guarantees P and Q This is called assume-guarantee reasoning • Requires components interact only through explicit computational mechanisms (e.g., shared variables) And that is what the foundational components guarantee John Rushby, Rance DeLong, SR I Compositional Security Evaluation: 16

  17. Composability Foundational components ensure composability of operational components • Properties of a collection of interacting operational components are preserved when they are placed (suitably) in the environment provided by a collection of foundational components ◦ Circles behave the same when put in a box • Hence foundational components do not get in the way • And the combination is itself composable ◦ A box containing circles still behaves as a box • Hence operational components cannot interfere with each other nor with the foundational ones Partitioning/separation are ways to provide composability John Rushby, Rance DeLong, SR I Compositional Security Evaluation: 17

Recommend

Compositional Certification for MILS John Rushby Computer Science Laboratory SRI International

Compositional Certification for MILS John Rushby Computer Science Laboratory SRI International

Compositional Certification for MILS John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Compositional Cert for MILS: 1 Intuitive Security Architecture Almost all system designs are portrayed in

548 views • 28 slides
An approach to Separation of Duties validation for MILS security configurations Semen Kort,

An approach to Separation of Duties validation for MILS security configurations Semen Kort,

An approach to Separation of Duties validation for MILS security configurations Semen Kort, Dmitry Kulagin, Ekaterina Rudina Future Technologies Kaspersky Lab The objectives Discover the Describe how the Describe the

445 views • 28 slides
SECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM Liu Yang, Associate

SECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM Liu Yang, Associate

1 SECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM Liu Yang, Associate Professor, NTU SG-CRC 2018 28 March 2018 2 Securify Approach Compositional Security Securify Architecture Reasoning with Untrusted Components

418 views • 13 slides
MILS C Compl plete S ete Separa rati tion P n Platf tform orm P Protec ecti tion n

MILS C Compl plete S ete Separa rati tion P n Platf tform orm P Protec ecti tion n

MILS C Compl plete S ete Separa rati tion P n Platf tform orm P Protec ecti tion n Profi file le MILS CSP PP Viola Saftig, Dr. Igor Furgel Telekom Security - T-SYSTEMS INTERNATIONAL GmbH Content/Agenda 01 Motivation 02 MILS CSP

751 views • 23 slides
An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS

An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS

An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS Rance DeLong* Rance DeLong* The Open Group The Open Group Layered Assurance Workshop Layered Assurance Workshop December 2010 December 2010 1

355 views • 11 slides
The MILS Component Integration Approach To Secure Information Sharing Carolyn Boettcher,

The MILS Component Integration Approach To Secure Information Sharing Carolyn Boettcher,

The MILS Component Integration Approach To Secure Information Sharing Carolyn Boettcher, Raytheon, El Segundo CA Rance DeLong, LynuxWorks, San Jose CA John Rushby, SRI International, Menlo Park CA Wilmar Sifre, AFRL/RITB, Rome NY Boettcher,

414 views • 27 slides
Evaluation ` a la Carte Non-Strict Evaluation via Compositional Data Types Patrick Bahr

Evaluation ` a la Carte Non-Strict Evaluation via Compositional Data Types Patrick Bahr

Evaluation ` a la Carte Non-Strict Evaluation via Compositional Data Types Patrick Bahr University of Copenhagen, Department of Computer Science paba@diku.dk 23rd Nordic Workshop on Programming Theory, M alardalen University, V aster

703 views • 68 slides
Evaluation ` a la Carte Non-Strict Evaluation via Compositional Data Types Patrick Bahr

Evaluation ` a la Carte Non-Strict Evaluation via Compositional Data Types Patrick Bahr

Evaluation ` a la Carte Non-Strict Evaluation via Compositional Data Types Patrick Bahr University of Copenhagen, Department of Computer Science paba@diku.dk 23rd Nordic Workshop on Programming Theory, M alardalen University, V aster

546 views • 19 slides
BRUNSWICK MILS Urban Design Presentation Introduction Structure of this presentation:

BRUNSWICK MILS Urban Design Presentation Introduction Structure of this presentation:

BRUNSWICK MILS Urban Design Presentation Introduction Structure of this presentation: Section 1: The overarching approach/methodology for the urban design analysis Section 2: The specific urban design rationales for the MILS precincts

481 views • 24 slides
Synonymy in an approach to combined distributional and compositional semantics Ann Copestake and

Synonymy in an approach to combined distributional and compositional semantics Ann Copestake and

Synonymy in an approach to combined distributional and compositional semantics Synonymy in an approach to combined distributional and compositional semantics Ann Copestake and Aurlie Herbelot Computer Laboratory University of Cambridge

736 views • 21 slides
IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying security expectations To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

535 views • 19 slides
Compositional Approach to Suspension and Other Improvements to LTL Translation s Babiak 1 Thomas

Compositional Approach to Suspension and Other Improvements to LTL Translation s Babiak 1 Thomas

Compositional Approach to Suspension and Other Improvements to LTL Translation s Babiak 1 Thomas Badie 2 Alexandre Duret-Lutz 2 Tom a y 1 cek 1 Mojm r K ret nsk Jan Strej 1 Faculty of Informatics, Masaryk University, Brno,

657 views • 51 slides
A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston College g , g Andrew W. Appel, Princeton University Jan 8 2006 Jan 8, 2006 1 Mobile Code Security Protect trusted system against

561 views • 26 slides
COMPOSITIONAL APPROACH TO PROGRAM FORMALIZATION AND VERIFICATION (methodological introduction)

COMPOSITIONAL APPROACH TO PROGRAM FORMALIZATION AND VERIFICATION (methodological introduction)

COMPOSITIONAL APPROACH TO PROGRAM FORMALIZATION AND VERIFICATION (methodological introduction) Mykola (Nikolaj) S. Nikitchenko Taras Shevchenko National University of Kyiv Linz, JKU, November 08-19, 2012 1 Contents Introduction

783 views • 40 slides
Compositional Security Modelling: Structure, Economics, and Behaviour Tristan Caulfield 1 David

Compositional Security Modelling: Structure, Economics, and Behaviour Tristan Caulfield 1 David

Compositional Security Modelling: Structure, Economics, and Behaviour Tristan Caulfield 1 David Pym 1 Julian Williams 2 1 Department of Computer Science, University College London 2 Business School, University of Durham 26th June 2014 Security

439 views • 10 slides
Building Structured Web Community Portals: A Top-Down, Compositional, and Incremental Approach

Building Structured Web Community Portals: A Top-Down, Compositional, and Incremental Approach

Building Structured Web Community Portals: A Top-Down, Compositional, and Incremental Approach Pedro DeRose University of Wisconsin-Madison Joint work with Warren Shen, Fei Chen, AnHai Doan, and Raghu Ramakrishnan 1 Structured Web Community

528 views • 26 slides
Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations IT Security Evaluation To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

70 views • 4 slides
park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security

park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security

park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security Analysis of a Hypervisor Amit Vasudevan (CyLab-CMU), Sagar Chaki (SEI-CMU), Petros Maniatis (Google Inc.), Limin Jia, Anupam Datta (ECE/CSD-CMU)

517 views • 24 slides
A compositional approach to statistical computing, machine learning, and probabilistic

A compositional approach to statistical computing, machine learning, and probabilistic

A compositional approach to statistical computing, machine learning, and probabilistic programming Darren Wilkinson @darrenjw darrenjw.github.io Newcastle University, UK / The Alan Turing Institute Bristol Data Science Seminar Bristol

687 views • 45 slides
A compositional approach to networks Brendan Fong, University of Oxford Southampton ECS Seminar

A compositional approach to networks Brendan Fong, University of Oxford Southampton ECS Seminar

A compositional approach to networks Brendan Fong, University of Oxford Southampton ECS Seminar 4 February 2015 The big picture Network-style diagrammatic languages have developed to represent and reason about many different sciences: Why?

874 views • 62 slides
MILS Research Montage MILS Research Montage LAW LAW Work-In-Progress Session Work-In-Progress

MILS Research Montage MILS Research Montage LAW LAW Work-In-Progress Session Work-In-Progress

MILS Research Montage MILS Research Montage LAW LAW Work-In-Progress Session Work-In-Progress Session December 6, 2011 December 6, 2011 Rance DeLong Rance DeLong Consulting Researcher Consulting Researcher 1 MILS Efforts Overview

772 views • 26 slides
Compositional Verification of Security Properties for Embedded Execution Platforms Christoph

Compositional Verification of Security Properties for Embedded Execution Platforms Christoph

Compositional Verification of Security Properties for Embedded Execution Platforms Christoph Baumann , Oliver Schwarz , Mads Dam KTH Royal Institute of Technology, Stockholm, Sweden RISE.SICS, Kista, Sweden cbaumann@kth.se

903 views • 65 slides
Participatory Approach to Evaluation: Democratizing Evaluation and Embodying Social Inclusion

Participatory Approach to Evaluation: Democratizing Evaluation and Embodying Social Inclusion

Participatory Approach to Evaluation: Democratizing Evaluation and Embodying Social Inclusion CESBC Webinar October 10, 2019 MONA LEE, JANICE DUDDY, PAUL KERBER Poll: Have you ever used a participatory evaluation approach? No

573 views • 30 slides
Safety control with performance guarantees of cooperative systems using compositional abstractions

Safety control with performance guarantees of cooperative systems using compositional abstractions

Cooperative systems Centralized symbolic control Compositional approach Safety control with performance guarantees of cooperative systems using compositional abstractions Pierre-Jean Meyer Antoine Girard Emmanuel Witrant Universit e

849 views • 45 slides

More recommend