Multilevel Secure Systems and Cross Domain Solutions: Challenges
Transcription
Multilevel Secure Systems and Cross Domain Solutions: Challenges
Multilevel Secure Systems and Cross Domain Solutions: Challenges and Solutions Systems and Software Technology Conference Salt Lake City City, April 27 27, 2010 Paul Chen Director Product Management Director, Presentation Goal To understand a new way to increase defense system capability while reducing cost (development, acquisition, and operation) by creating Multilevel Secure (MLS) systems running multiple applications on a single processor based on 1. An emerging system and security architecture implemented in software: Multiple Independent Levels of Security (MILS) 2 Common 2. C C Criteria it i security it evaluation l ti of that RTOS 2 | © 2010 Wind River. All Rights Reserved. Defense Challenge – More for Less 1 3 Defense Requirements • Higher lethality • • • • • g survivability y • Higher + 2 Functionality Mobility y Connectivity Proven security Proven safety Lower Cost • Purchase cost • Operational cost • Tech refresh cost 3 More Capability | © 2010 Wind River. All Rights Reserved. ≠ 4 • Higher costs Challenge and Today’s Solution: Lockheed Martin F F-35 35 Lightning II > 100 microprocessors per plane ! http://en.wikipedia.org/wiki/F-35_Lightning_II > 100 microprocessors per plane ! 4 | © 2010 Wind River. All Rights Reserved. Challenge and Today’s Solution: DDG 1000 D DDG-1000 Destroyer t Dual Band Radar, Adv. Gun System, Integrated Undersea U de sea Warfare, a a e, Peripheral Vertical Launch System, … ! 1,000 blade servers 200 HAIPE boxes 6 data centers ! http://en.wikipedia.org/wiki/Zumwalt_class_destroyer and other public sources. 5 | © 2010 Wind River. All Rights Reserved. Challenge and Today’s Solutions: General’s General s Field HQ http://www.af.mil/shared/media/photodb/photos/100223-F-0938O-154.jpg Army officer: “We need three C-130s to move a general’s field headquarters because of the large amount of computer equipment. equipment ” 6 | © 2010 Wind River. All Rights Reserved. C Courtesy t D Dr. B Ben C Calloni ll i 7 | © 2010 Wind River. All Rights Reserved. The Solution: Divide and Conquer 8 | © 2010 Wind River. All Rights Reserved. To Build The Devices We Need Exploit increasing microprocessor power (faster processors, multicore processors) to run multiple software components on a single processor or smaller set of processors But then new challenge: g the multiple p software components p ensuring cannot interfere with each other in any undesired or covert way while interacting exactly as required 9 | © 2010 Wind River. All Rights Reserved. Security Critical Code Not Well Isolated, Security Policies Centralized in Kernel Evaluation: 10+ Years, $50-$100M for system Orange Book Approach MIL-STD Large applications in user mode Monolithic Applications User Mode Large middleware Dangerous “privilege” privilege (supervisor) mode code is large due to kernel with MAC, DAC, multiple drivers etc drivers, etc. 10 | © 2010 Wind River. All Rights Reserved. MLS Requires Evaluatable Applications! Fault Isolation Network I/O Periods Processing Monolithic pp cat o Application Extensions Monolithic Kernel Information Flow File systems y Data isolation Privilege Mode Auditing Kernel 29 Nov 2004 MILS/MLS Architecture for Deeply Embedded Systems 23 Divide and Conquer: Decompose and Partition a System into Multiple Software Components Large App B Run multiple applications on top of a secure operating system – multiple, lti l separate t components – 10-30 components practical b based d on performance f requirements – with strict control of interactions 11 | © 2010 Wind River. All Rights Reserved. App A UnUn trusted Stack (U) (U) Mostly unclassified but includes TSÆ S S Downgrader, so all TS NO Secure Operating System Trusted Stack (TS) Divide and Conquer: Decompose and Partition a Large Component S Split lit llarge application li ti B iinto t small security-critical components and larger lower or non-secure non secure elements – Very small security-critical TS Æ S Downgrader – Mid Mid-size size Secret part App A UnUn trusted Stack (U) (U) App B Part 1 (U) App B P Part 2 (S) App B P t3 Part Downgrader (TS/S) Trusted Stack (TS) – Larger Unclassified part Downgrade o g ade secu security ty po policy cy now o isolated to the Downgrader Still strict control of componentto-component interaction i i 12 | © 2010 Wind River. All Rights Reserved. NO Secure Operating System Therefore, security evaluation cost for Therefore downgrader and whole system greatly reduced MILS Architecture Split app reduces cost of development, cert, operation Architecture with three layers – Trusted hardware – Separation kernel (SK) in supervisor mode – User components (applications (applications, middleware, drivers) in user mode – Reduce security-critical code – Therefore increase scrutiny of security-critical code – Separation – Composition – Layered assurance 13 | © 2010 Wind River. All Rights Reserved. Trusted Network Driver TS U App 2a S Guest OS HA Runtime Supervis sor Mode e through “Divide and Conquer” User Mo ode Partitions Enable independent development and evaluation/certification App or MW Guest OS App 2b TS/S Downgrader HA Runtime Separation Kernel (SK) Trusted Hardware HA Runtime: High Assurance EAL6+ SK interface Guest OS: Traditional RTOS, Linux, Windows Evaluatable at Acceptable Cost Evaluation: 3+ Years and $3-$5M for RTOS, and great reuse; components evaluation also lower cost MILS Architecture COTS Baseline CSCI Applications in partitions SL (S) Application SL (TS) Application ed vic ers I/O riv or k tw DAC MLS Downgrader De Ne Auditing AC Evaluatable Applications On an E l t bl Evaluatable Infrastructure SL (U) Application M Middleware p components and drivers in partitions (Main Program) Fi le s Separation Kernel Small kernel 29 Nov 2004 14 | © 2010 Wind River. All Rights Reserved. Information Flow Data isolation Fault Isolation Periods Processing MILS/MLS Architecture for Deeply Embedded Systems t ys em s User Mode Rushby’s Middleware Appropriate Mathematical Verification Privilege Mode 25 App1 (SK Reqt.) Attestatio A on Notional MILS-Based Gateway Guard1 App2 Guard2 Network Stack HAE1 GOS2 User Config Network Stack HAE HAE GOS Windows Separation Kernel Trusted Hardware Config High Note: inter-partition communications require a g the SK;; secure communication mechanism through for clarity these actual paths are not shown 15 | © 2010 Wind River. All Rights Reserved. Low 1 2 HAE: High Assurance Environment Guest OS: e.g., g , traditional real-time operating p g system, Linux, Windows, other Evaluation ((C&A)) for MILS Components: Common Criteria 16 | © 2010 Wind River. All Rights Reserved. System Certification (Notional Example) Customer (US): ATO, based on DIACAP or DCID 6/3 Customer: DO-178B DO 178B Customer: one or more of DIACAP, DIACAP DITSCAP DITSCAP, DO-178B, DO-254 Customer: Common Criteria EAL6+ SABI, EAL6+, SABI TSABI FCS Driver Common Core System Customer + OS Vendor: Common Criteria EAL6+ and DO-254 ATO (US): DIACAP (US): DCID 6/3: DO-178B: DO-254: SABI: TSABI: 17 TS U App S Downgrader TS/S Separation Kernel (SK) Trusted Hardware OS Vendor: Common Criteria EAL6+ Authorization to Operate Operate, or IATO: Interim ATO US DoD Information Assurance Certification and Accreditation Process (replaced DITSCAP on 2006) Director of Central Intelligence Directive 6/3: Protecting Sensitive Compartmented Information Within Information Systems Software Considerations in Airborne Systems and Equipment Certification (RTCA; EUROCAE ED-12B in Europe) Design Assurance Guidance for Airborne Electronic Hardware (RTCA) Secret and Below (US DoD) Top Secret and Below (US Intelligence Community) | © 2010 Wind River. All Rights Reserved. MILS Evaluation Using Common Criteria What? An internationally defined way to y of anyy IT evaluate the security product Accepted By? • EAL1 – EAL4 accepted internationally Evaluation Assurance Level – EAL1 (lowest) to EAL7 (highest) May include formal methods Operated By? • In US: National Information Assurance Partnership (NIAP): NSA + NIST 18 | © 2010 Wind River. All Rights Reserved. • Higher EAL certified by security agencies in each country Common Criteria: Initially From Canada, France Germany France, Germany, Netherlands Netherlands, UK, UK US 1980s 1990s US “Orange Book” TCSEC1 US Federal Criteria Draft7 (1985) (1992) French “BlueBlue White-Red Book”2 German ITSecurity Criteria3 Netherlands Criteria UK Sys. Security C fid Confidence Levels4 UK “Green Books”5 (All 1989) 19 | © 2010 Wind River. All Rights Reserved. Canadian Criteria CTCPEC8 (1993) European ITSEC6 (1991) 2000s Common Criteria, ISO 15408 v1.0 1996 v2.0 1998 v2.1 1999 v2.2 2004 v2 3 2005* v2.3 2005 v3.0 2005 v3.1 2006 * Base for Separation Kernel Protection Profile for High Robustness, 29 June 2007 1-8: See end slide “References For Security Documents” U.S. Government Protection Profile for Separation Kernels i E in Environments i t R Requiring i i Hi High hR Robustness, b t V i 1 Version 1.03 03 Suitable for “mission-critical mission critical systems systems” … and “management of classified and other high-valued information” http://www.niap-ccevs.org/cc-scheme/pp/pp_skpp_hr_v1.03/ 20 | © 2010 Wind River. All Rights Reserved. With MLS systems y using g MILS,, we can … 21 | © 2010 Wind River. All Rights Reserved. … Reduce Many Radios to One Top Secret Secret Confidential Unclassified Today: • Multiple radios at different security levels • Multiple waveforms 22 | © 2010 Wind River. All Rights Reserved. Top Secret Secret Confidential Unclassified Goal: Single, multilevel secure, multi-waveform radio … Increase Field Agility Reduce the number of C-130s to move a general’s field headquarters from three to one htt // http://www.af.mil/shared/media/photodb/photos/100223-F-0938O-154.jpg f il/ h d/ di / h t db/ h t /100223 F 0938O 154 j 23 | © 2010 Wind River. All Rights Reserved. http://www.af.mil/shared/media/photodb/photos/100114-F-2435S-110.jpg … Eliminate many workstations S U C TS Ground Theater Air Control System (GTACS) From Federation of American Scientists http://www.fas.org/man/dod-101/sys/ac/equip/gtacs.htm Today: • Multiple workstations at different security levels, applications, networks 24 | © 2010 Wind River. All Rights Reserved. Goal: Single, multilevel secure, multiapplication workstation … Consolidate Networks: From This … TS/SCI Top Secret Secret C fid ti l Confidential Unclassified Today: Multiple networks at different security levels or for different coalition partners or domains 25 | © 2010 Wind River. All Rights Reserved. Separate servers, networks, and workstations for different domains … Consolidate Networks: To This … U U U U UU U U U U U U Secure Net Interface Secure Net Interface SCI Encrypted black network link carrying messages at multiple levels Goal: G l Multilevel secure networks Combined with a multilevel secure devices 26 | © 2010 Wind River. All Rights Reserved. S C TS Save Money ! $6.6M total the new way $50M the old way! Courtesy Dr. Ben Calloni 27 | © 2010 Wind River. All Rights Reserved. Summary: y MILS Is Challenging, But Worth It ! 28 | © 2010 Wind River. All Rights Reserved. Comparing Separation Technologies Orange Book Approach MIL-STD GIG Monolithic Applications Physical Separation User Mode Traditional MLS Monolithic Application Extensions MLS Requires Evaluatable Applications! Fault Isolation Network I/O Periods Processing Monolithic Kernel Information Flow Data isolation Privilege Mode Auditing Secure Good Bad 29 | © 2010 Wind River. All Rights Reserved. Data Sharing NATO S (SLS) S (SLS) TS, S (MLS) Guard (MLS) Crypto (MSLS) File systems Kernel 29 Nov 2004 MILS U (SLS) NIC Driver (MSLS) Print Spooler Driver (MSLS) MILS/MLS Architecture for Deeply Embedded Systems 23 Easy to Use MILS Separation Kernel, Kernel Security Policy Data Trusted Processor Affordable Technology Evolution MILS S enables bl multilevel ltil l secure (MLS) systems that meet today’s today s and tomorrow’s tomorrow s threats at reasonable cost and acceptable risk 30 | © 2010 Wind River. All Rights Reserved. References Referred to in Speaker Notes 1. ARINC 653, Avionics Application Software Standard Interface, is in three parts at: https://www.arinc.com/cf/store/catalog.cfm?prod_group_id=1&category_group_id=3 (scan for “653”, then Parts 1, 2, and 3) 2 2. Common Criteria Evaluation and Validation Scheme (CCEVS): http://www.niap-ccevs.org/cc-scheme/ http://www niap ccevs org/cc scheme/ 3. Computer Security Planning Study, J. P. Anderson, October 1972, ESD-TR-73-51, Vol. II: paper is listed at http://seclab.cs.ucdavis.edu/projects/history/CD/index.html. “E”, “A”, and “T” of “NEAT” come from this report. 4. Design and Verification of Secure Systems, Dr. John Rushby, December 1981: http://www.csl.sri.com/papers/sosp81/ 5. Enabling the GIG, PowerPoint presentation, Dr. Jim Alves-Foss, University of Idaho, Dr. Ben Calloni, Lockheed Martin, Michael Dransfield, NSA/IAD, Jahn Luke, AFRL, Dr. Lee MacLaren, Boeing, Uchenick, G., Objective Interface Systems, Mark Vanfleet, NSA/IAD, November 2004. A copy suitable for printing the extensive slide notes is available from Wind River; contact [email protected], +1.510.749.4486. References in this presentation of the form [EtG #slide-number] refer to this version. 6 6. Intel Trusted Execution Technology: http://www.intel.com/technology/security/downloads/TrustedExec_Overview.pdf http://www intel com/technology/security/downloads/TrustedExec Overview pdf 7. National Security Telecommunications and Information Systems Security Policy (NSTISSP No. 11), CNSS (Committee on National Security Systems) Secretariat (I42), National Security Agency, July 2003: http://www.cnss.gov/Assets/pdf/nstissp_11_fs.pdf. 8. RTCA DO-178B, Software Considerations in Airborne Systems and Equipment Certification: http://www rtca org/onlinecart/product cfm?id=341 http://www.rtca.org/onlinecart/product.cfm?id 341. 9. RTCA DO-297, Integrated Modular Avionics (IMA) Development Guidance and Certification Considerations: http://www.rtca.org/onlinecart/product.cfm?id=382. 10. Trusted Computer Security Evaluation Criteria (TCSEC), the “Orange Book”, US DOD, 1985: http://csrc.nist.gov/publications/history/dod85.pdf. p g p y p Good introduction: http://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria. 11. U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, v1.03: http://www.niap-ccevs.org/cc-scheme/pp/pp.cfm/id/pp_skpp_hr_v1.03 12. Zumwalt-class destroyer y showing g an example p of increased demand for functionality: y http://en.wikipedia.org/wiki/Zumwalt_class_destroyer 31 | © 2010 Wind River. All Rights Reserved. References For Securityy Documents 32 Most from http://www.ssi.gouv.fr/site_documents/ITSEC/ITSEC-uk.pdf US TCSEC “Orange g Book”: Trusted Computer p Systems y Evaluation Criteria,, 5200.28-STD,, DoD,, USA, December 1985; (superceded original “Orange Book”, Department of Defense Trusted Computer System Evaluation Criteria, CSC-STD-001-83, 15 August 1983) French SCSSI “Blue-White-Red Book”: Catalogue de Critères Destinés à évaluer le Degré de Confiance des Systèmes d'Information d Information, 692/SGDN/DISSI/SCSSI, 692/SGDN/DISSI/SCSSI July 1989 German ZSISC: Criteria for the Evaluation of Trustworthiness of Information Technology (IT) Systems, ISBN 3-88784-200-6, Zentralstelle fűr Sicherheit in der Informationstechnik (ZSI) (German Information Security Agency, now of (Bundesamt für Sicherheit in der Informationstechnik) Federal Republic of Germany Informationstechnik), Germany, January 1989 UK: UK Systems Security Confidence Levels, CESG Memorandum No. 3, CommunicationsElectronics Security Group, United Kingdom, January 1989 “UK Green Books”: DTI Commercial Computer Security Centre Evaluation Levels Manual, V22, Department of Trade and Industry, United Kingdom, February 1989 ITSEC: Information Technology Security Evaluation Criteria, Commission of the European Communities, Document CMO(90) 314, 1991 US: Federal Criteria for Information Technology Security Security, NIST and NSA NSA, US Government Government, December 1992 Canadian CTCPEC: Canadian Trusted Computer Product Evaluation Criteria, Canadian System Security Centre, Communications Security Establishment, Government of Canada, Version 3.0e, January 1993 | © 2010 Wind River. All Rights Reserved. Acknowledgements g 33 This presentation includes contributions from several organizations, including especially: – Lockheed Martin Aeronautics Company – United States Air Force Research Laboratory (AFRL) – United States National Security Agency (NSA) Contributions from the following individuals are very gratefully acknowledged: – M tt Benke, Matt B k NSA (concepts, ( t detailed d t il d review) i ) – Dr. Ben Calloni, Lockheed Martin Aeronautics Company (concepts, slides, and review) – Michael McEvilley, The MITRE Corporation (concepts, detailed review) – Tomoaki Nakamura, HCX Corporation (slide “Not Just for Defense”) – Dr. John Rushby, SRI (basic separation concepts, quote “MILS is intended … and assurance case”) – Gordon Uchenick, Objective Interface Systems (before and after “Hardware Reduction” slide concepts) – Mark Vanfleet, NSA (concepts, slides, detailed review) This presentation also borrows substantially from the presentation Enabling the GIG GIG. See availability of this presentation on prior slide “References Referred to in Speaker Notes”. In making these acknowledgements, no formal endorsement of any part of this presentation by any of the above is implied; all errors and omissions are the responsibility of Wind River This presentation is intended for general education and to actively promotes MILS and related concepts in a vendor-neutral manner. It is a work in progress and corrections and suggestions for improvement are encouraged and will be gratefully accepted and acknowledged in future editions; please send all comments to [email protected], +1-510-749-2242 | © 2010 Wind River. All Rights Reserved. For a detailed version of this presentation, contact: Americas, APAC, C Japan Europe, Middle East, Africa f Chip Downing, Director, A&D Industry Marketing [email protected] +1-650-520-8775 Alex Wilson, Sr Program Manager, Sr. Manager A&D [email protected] +44 12 83 79 20 01 Paul Chen, Director, Product Management [email protected] l h @ i di +1-510-749-4486 34 | © 2010 Wind River. All Rights Reserved.