MILS Research Montage, LAW - PowerPoint PPT Presentation



  1. MILS Research Montage
     LAW Work-In-Progress Session
     December 6, 2011
     Rance DeLong, Consulting Researcher

  2. MILS Efforts Overview
     [Slide table: effort categories against "Efforts/Results to date", "NSA", "TOG" and "Future"; entries marked * are sponsored by AFRL / CMPO. Items shown include MILS Vision, Constitution, Patterns, Assemblies, Lecture, AADL, Math Concepts, Tools, Ref Impls, Manifesto, Example Comps, Dissemination (LAW, DASC, TOG, ICCC), MIPP, Guard, CCAE, SKPP, API Standards, Eval & Cert Scheme, MNSPP, DCI, Evidence, Assur. Case, Inter-op, MCSPP, OIS, Galois, RTI, RCI, SIs / Programs, and Products (Sysgo, GHS, WRS, LW).]

  3. Research Enabling MILS Development and Deployment (REMDaD)*
     - Objective: Move to next stage of MILS deployment and development
     - 4 Themes
       - Components - development and assurance of individual components
       - Integration - integration of MILS components and systems
       - Deployment - facilitate MILS deployment
       - Certification - enable MILS evaluation and certification
     - Initial tasks (2010)
       - Evidence and toolchains for MILS certification study
       - MILS Cross Domain Solution (CDS) operational component study
       - MILS Delivery, Configuration, and Initialization (DCI) study
     * Performed at SRI, sponsored by AF Research Laboratory and AF Cryptographic Modernization Program Office.

  4. Research Enabling MILS Development and Deployment (REMDaD)*
     - Current tasks (2011-2012) - (John Rushby, Dave Hanz, Rance DeLong)
       - AADL and MILS
       - MIPP completion (MIPP as a document)
       - "Programming the MIPP" (MIPP encoded in the CCAE)
       - MILS Delivery, Configuration, Initialization model
       - MILS Cross Domain Solution investigation
       - MILS Network Subsystem Protection Profile
     * Performed at SRI, sponsored by AF Research Laboratory and AF Cryptographic Modernization Program Office.

  5. MILS is based on composition of cooperating components defined by related Protection Profiles*
     - Separation Kernel (SKPP)
     - MILS Network System (MNSPP)
     - MILS Console System (MCSPP)
     - MILS Extended Attributes PP (MEAPP)
     - MILS File System (MFSPP)
     - . . .
     - MILS Integration Protection Profile (MIPP)
     [Diagram relating the PPs, with the edge labels "Conforms to", "Patterned after" and "Extended by" among MIPP, SKPP, MNSPP, MCSPP, MEAPP and MFSPP.]

  6. MILS PPs are expected to achieve this:
     [Diagram: Security Targets (STs) for SK 1-4, MEA 1-4, Console 1-4, File System 1-4 and Network 1-4, each conforming to its PP (SKPP, MEAPP, MCSPP, MFSPP, MNSPP) under the CC, assembled into System A and System B; "!" = It works!]

  7. Illustrative Architecture of a MILS-based MLS workstation - a collection of connected "things"
     [Diagram of connected components: MILS File Subsystem, MLS Directory, Client Partitions / Subjects, RVM Client, Application Instantiator, MILS Session Manager, App CORBA Mgmt, MILS Human I'face, MLS PCS, Auth, Console System, RVM Data, Devs Management Subsystem Mgmt, MILS I&A, Network Subsystem, Audit Mgmt.]

  8. Architecture of a MILS-based workstation - itself is Something
     So Architecture as an Integration Framework is:
     - Something that must be designed.
     - Something that has properties.

  9. So this Something is what the MIPP describes
     - The system level security problem (T/P/A)
     - The system level security objectives
     - The system level SFRs and SARs
     - A system concept and reference architecture
     - Identification of, and connections among, the components
     - A basis for formal composition of component properties
     - Constraints on the MILS components that fit in the "holes"
       - Security objectives, or modified ones, that pass to the component
       - Relationships and obligations (rely-guarantee) among the components
       - Interaction schemas for interacting components

  10. Some architecture alternatives for MILS network system
      [Diagram: three variants of the network stack (Apps, Socket Layer, Transport Layer, Network Layer, Interface Layer, Driver, Dev, Mbuf Mgmt, linked by calls, queues, sw intr and hw intr): "Nothing Trusted"; "Everything Trusted", where code manipulates data in multiple security domains; and a "Combination of Trusted and Untrusted" with a labeled crypto device and separation, where individual data items are associated with a single security domain.]

  11. System Inputs, Outputs, Relies and Guarantees
      [Diagram: system S (marked NI) with HIGH inputs and HIGH outputs, LOW inputs and LOW outputs, annotated with Relies and Guarantees.]

  12. MILS System from Components/Subsystems
      [Diagram: system S with HIGH Inputs/Outputs and LOW Inputs/Outputs, annotated with Relies and Guarantees.]
      Constraints: H(HI,HO), L(LI,LO), S(HI,HO,LI,LO)
      Properties: P(HI,HO,LI,LO) st S ≤ P

  13. Compositional Relies / Guarantees
      [Diagram of Relies and Guarantees: a) component A, c) component C, b) system S composed of A and C.]

  14. MILS Composite Assurance Case
      Compose assurance cases using Assume-Guarantee Reasoning
      - Assumptions from MI assurance case become requirements on the components
      - Assured Claims from component assurance cases become evidence for MI
      [Diagram: SK, MNS and MCS Assurance Arguments (Claims, Evidence, Inference rules) linked to the MI Assurance Argument by Rely / Guarantee.]

  15. Common Criteria Authoring Environment as a distributed collaboration environment
      [Diagram: PP Authors, ST Authors, Evaluators, Reviewers and Certifiers, each working in a CCAE instance connected through a Collaboration Environment.]
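The composition rule of slide 14 (MI assumptions become requirements on the components; assured component claims become MI evidence) as a small checker. This is an added example, not from the slides or from SRI; the component names SK, MNS, MCS and MI are the slide's, while the claim strings and the `AssuranceCase` model are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class AssuranceCase:
    """One assurance argument: the claims it assures and the relies it makes."""
    name: str
    guarantees: set = field(default_factory=set)  # assured top-level claims
    relies: set = field(default_factory=set)      # assumptions on its environment

def evidence_for_mi(mi, components):
    """Map each MI assumption to the component whose assured claim discharges it.
    Assumptions no component claims are mapped to None (an open obligation)."""
    providers = {}
    for comp in components:
        for claim in comp.guarantees:
            providers.setdefault(claim, comp.name)
    return {a: providers.get(a) for a in sorted(mi.relies)}

def unmet_obligations(mi, components):
    """Return {party: set of undischarged relies} after composition.
    MI relies must be met by component claims; a component's relies must be
    met by another component's guarantees (rely-guarantee among components)."""
    unmet = {mi.name: {a for a, p in evidence_for_mi(mi, components).items()
                       if p is None}}
    for comp in components:
        others = set().union(*(c.guarantees for c in components if c is not comp))
        unmet[comp.name] = comp.relies - others
    return unmet

def composition_closes(mi, components):
    """True when every rely of MI and of each component is discharged."""
    return not any(unmet_obligations(mi, components).values())

# Constructed sample: claim strings are illustrative; component names are from
# slide 14. MCS relies on "audit storage", which no component here guarantees.
SK = AssuranceCase("SK", {"partition isolation", "inter-partition flow control"})
MNS = AssuranceCase("MNS", {"labeled network flows"}, {"partition isolation"})
MCS = AssuranceCase("MCS", {"trusted path to user"},
                    {"inter-partition flow control", "audit storage"})
MI = AssuranceCase("MI", {"system enforces MLS policy"},
                   {"partition isolation", "labeled network flows",
                    "trusted path to user"})
COMPONENTS = [SK, MNS, MCS]

if __name__ == "__main__":
    for party, missing in unmet_obligations(MI, COMPONENTS).items():
        state = "closed" if not missing else "open: " + ", ".join(sorted(missing))
        print(f"{party}: {state}")
```

Running it reports MI, SK and MNS as closed and MCS as open on "audit storage", i.e. the composite case does not close until some component (or an added one) assures that claim.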
