The Challenge of Multilevel Security - PowerPoint PPT Presentation


1. The Challenge of Multilevel Security
   Rick Smith, Ph.D., CISSP
   Rick@cryptosmith.com
   http://www.cryptosmith.com/
   October 2003
   October 2003 Cryptosmith LLC

2. Text-Only Outline
   Outline presented here
   • What is MLS?
   • Why is MLS Hard?
     – Accreditation
   • Building MLS Systems
   • Selecting a Trusted OS
   Please see the BlackHat CDROM for the complete copy of this presentation, or visit this web site: http://www.cryptosmith.com

3. Multilevel Security
   • An overloaded term
   • Some vendors build “MLS Products”
     – Implement the “Bell-LaPadula” security mechanism
     – Allows higher-classified processes to read data created by lower-classified processes
     – Example: a Top Secret user’s process can read Secret data
     – Vice versa (downgrading) not directly permitted
   • Most requirements are for “MLS Operating Mode”
     – Devices handle classified information with different classification markings
     – Must never release wrong level to wrong recipient
     – Much more general than “MLS Products”

4. An Example MLS Problem
   Sensor to Shooter: Data travels from satellites to planners at different levels, and finally to the warrior who pulls the trigger. Data is sanitized at each level and passed to a lower classification.
   (Diagram levels, top to bottom: SCI, Top Secret, Secret, Unclassified)

5. MILS versus MLS
   Achieves “MLS Operating Mode” without “MLS Products”
   • MILS = Multiple Independent Levels of Security
     – Deals with multiple levels via separate, “System High” elements
     – Data sharing, if any, is via guards or one-way data transfers
   • Does not necessarily require “MLS Products”
     – Most or all elements may be standard COTS products
     – Guard may use an MLS Product, but not necessarily
   • Site networks usually operate in “MILS” mode
     – Individual networks consist of COTS products
     – Networks run at System High
     – Interconnections, if any, require a special-purpose Guard
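The following Python is an added example, not code from the slides or from Cryptosmith. It models both mechanisms the deck contrasts: the Bell-LaPadula rule an “MLS Product” enforces (slide 3: a Top Secret process may read Secret data, but downgrading is not a direct operation) and a MILS site (slide 5: System High networks whose only interconnection is a guard that passes data one way, low to high, and releases data downward only after an explicit sanitization step). The level names, the SCI compartment (which goes beyond the slide’s plain hierarchy to the usual level-plus-compartment lattice), and the message ids are constructed for the example.

```python
"""Reference-monitor model of Bell-LaPadula inside an MLS product and of a
guard joining System High networks in a MILS site (added example).

Label ordering, compartments and message ids below are constructed for
illustration, not taken from the presentation.
"""
from dataclasses import dataclass, field

# Ordinal for each hierarchical classification, lowest first (constructed).
ORDER = {"Unclassified": 0, "Secret": 1, "Top Secret": 2}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level is higher-or-equal AND compartments are a superset."""
        return (ORDER[self.level] >= ORDER[other.level]
                and self.compartments >= other.compartments)


# Convenience labels used by the demo and the assertions.
UNCLASSIFIED = Label("Unclassified")
SECRET = Label("Secret")
TOP_SECRET = Label("Top Secret")
TS_SCI = Label("Top Secret", frozenset({"SCI"}))   # compartment is an assumption


# --- Slide 3: Bell-LaPadula as enforced by an "MLS Product" ----------------

def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object must dominate the subject, so a
    higher-classified process can never push data to a lower label directly."""
    return obj.dominates(subject)


# --- Slide 5: System High networks whose only link is a guard -------------

@dataclass
class Guard:
    """Sole interconnection between two System High networks."""
    low: Label
    high: Label
    released: set = field(default_factory=set)   # message ids sanitized for release

    def transfer(self, msg_id: str, src: Label, dst: Label) -> bool:
        # The guard only joins the two networks it was built for.
        if {src, dst} != {self.low, self.high}:
            return False
        # Low-to-high is the one-way data transfer: always permitted.
        if dst.dominates(src):
            return True
        # High-to-low is a downgrade: permitted only after explicit sanitization.
        return msg_id in self.released

    def release(self, msg_id: str) -> None:
        """Record that a reviewer sanitized msg_id for the lower network."""
        self.released.add(msg_id)


def demo() -> dict:
    """Exercise both monitors on constructed requests; returns the decisions."""
    guard = Guard(SECRET, TOP_SECRET)
    before = guard.transfer("report-7", TOP_SECRET, SECRET)   # downgrade, unsanitized
    guard.release("report-7")                                  # sanitization step
    after = guard.transfer("report-7", TOP_SECRET, SECRET)     # downgrade, sanitized
    return {
        "ts_reads_secret": can_read(TOP_SECRET, SECRET),       # True
        "secret_reads_ts": can_read(SECRET, TOP_SECRET),       # False
        "ts_writes_secret": can_write(TOP_SECRET, SECRET),     # False: no write down
        "ts_reads_sci": can_read(TOP_SECRET, TS_SCI),          # False: compartment not held
        "low_to_high": guard.transfer("msg-1", SECRET, TOP_SECRET),  # True: one-way path
        "downgrade_before_release": before,                    # False
        "downgrade_after_release": after,                      # True
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:26s} {'ALLOW' if decision else 'DENY'}")
```

The guard is deliberately not an MLS product itself: the two networks run System High and share no access-control state, and every downgrade is tied to a recorded release decision rather than to a label comparison, which is the distinction the slide draws between MILS and Bell-LaPadula enforcement.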

6. Why is MLS Hard?
   • Short answer: Software is unreliable
     – Nobody wants to trust the protection of their own, valuable classified information to a buggy OS or application
     – Felony Boxes – nobody wants to be personally liable for leaking classified information
   • MLS accreditation tries to reduce/eliminate risk
     – Accreditation – approval to operate by major command user
     – MLS accreditation seeks to eliminate risk of data leaks
     – Confidence in software = confidence in safety of data
   • Modern software is too complex for confidence
     – 16 million lines of code in modern Windows OS

7. System Accreditation
   • Required of all systems handling classified data
   • Regulations: DOD 5200.1, now DOD 8500
     – Regulations establishing policies for DOD info systems
   • DITSCAP: Defense Information Technology Security Certification and Accreditation Process
     – Process to verify a system’s security features – “certification”
     – Process to authorize its operation – “accreditation”
   • SSAA – System Security Authorization Agreement
     – Documents security requirements, features, and steps taken to assure its correct and secure operation
   • DAA – Designated Approval Authority
     – General/Flag officer at major command
     – Signs off on need and risk for using the accredited system

8. Getting Into Operation
   • “Full” Accreditation
     – System goes through certification process
       • May be based on evaluations of products being used
       • May be based on template of another successful site – this is how the SABI/TSABI processes work
       • May involve a combination
     – DAA approves system for operation
   • IATO – Interim Approval to Operate
     – Certification is incomplete; DAA lacks basis to fully accredit
     – May occur in “emergency” situations where system is needed regardless of the certification status and risks
     – At the discretion of the major command’s DAA
     – DAA may even make an IATO permanent (“back door” approval)

9. Evaluation: a product-oriented process
   • Process established by data owner(s)
     – Pioneered by NSA: Owner/producer of classified information
     – Evaluated systems to serve as surrogates to enforce NSA policy
   • Expects vendors to seek product evaluation
     – Historically, this is the exception, not the rule
   • Evaluation is supposed to “authorize” use
     – Traditionally, MLS systems had to achieve a certain level of evaluation and incorporate certain features: “B1” or “EAL4”
     – In practice, the DAA is the final authority
   • In practice, evaluation becomes one more factor
     – Some MLS systems use evaluated products
     – Some MLS systems rely on other assurances
