Multilevel Secure Systems and Cross Domain Solutions: Challenges and Solutions

Systems and Software Technology Conference, Salt Lake City, April 27, 2010
Paul Chen, Director, Product Management

Presentation Goal
• To understand a new way to increase defense system capability while reducing cost (development, acquisition, and operation) by creating Multilevel Secure (MLS) systems running multiple applications on a single processor, based on
  1. An emerging system and security architecture implemented in software: Multiple Independent Levels of Security (MILS)
  2. Common Criteria security evaluation of that RTOS
| © 2010 Wind River. All Rights Reserved.

Defense Challenge – More for Less
Defense Requirements:
1. More Capability
   • Higher lethality
   • Higher survivability
   • Functionality
   • Mobility
   • Connectivity
   • Proven security
   • Proven safety
2. Lower Cost
   • Purchase cost
   • Operational cost
   • Tech refresh cost
3. More Capability ≠ Higher costs

Challenge and Today’s Solution: Lockheed Martin F-35 Lightning II
• > 100 microprocessors per plane!
Source: http://en.wikipedia.org/wiki/F-35_Lightning_II

Challenge and Today’s Solution: DDG-1000 Destroyer
• Dual Band Radar, Adv. Gun System, Integrated Undersea Warfare, Peripheral Vertical Launch System, … !
• 1,000 blade servers, 200 HAIPE boxes, 6 data centers!
Source: http://en.wikipedia.org/wiki/Zumwalt_class_destroyer and other public sources.

Challenge and Today’s Solutions: General’s Field HQ
Photo: http://www.af.mil/shared/media/photodb/photos/100223-F-0938O-154.jpg
Army officer: “We need three C-130s to move a general’s field headquarters because of the large amount of computer equipment.”

(Image slide) Courtesy Dr. Ben Calloni

The Solution: Divide and Conquer

To Build The Devices We Need
• Exploit increasing microprocessor power (faster processors, multicore processors) to run multiple software components on a single processor or smaller set of processors
• But then a new challenge: ensuring the multiple software components cannot interfere with each other in any undesired or covert way while interacting exactly as required

Security Critical Code Not Well Isolated, Security Policies Centralized in Kernel
Evaluation: 10+ Years, $50-$100M for system
Diagram (Orange Book Approach, MIL-STD): large applications in user mode (monolithic applications, monolithic application extensions, large middleware); dangerous “privilege” (supervisor) mode code is large due to a kernel with MAC, DAC, multiple drivers, etc. Kernel-resident functions shown: information flow, data isolation, fault isolation, periods processing, network I/O, file systems, auditing. Caption: MLS Requires Evaluatable Applications!
Source: MILS/MLS Architecture for Deeply Embedded Systems, 29 Nov 2004, slide 23

Divide and Conquer: Decompose and Partition a System into Multiple Software Components
• Run multiple applications on top of a secure operating system
  – multiple, separate components
  – 10-30 components practical based on performance requirements
  – with strict control of interactions
Diagram: App A, Untrusted Stack (U), Large App B (mostly unclassified but includes a TS→S Downgrader, so all TS) and Trusted Stack (TS), all running on the Secure Operating System; a path not allowed by policy is marked NO.

Divide and Conquer: Decompose and Partition a Large Component
• Split large application B into small security-critical components and larger lower or non-secure elements
  – Very small security-critical TS→S Downgrader
  – Mid-size Secret part
  – Larger Unclassified part
• Downgrade security policy now isolated to the Downgrader
• Still strict control of component-to-component interaction
• Therefore, security evaluation cost for downgrader and whole system greatly reduced
Diagram: App A, Untrusted Stack (U), App B Part 1 (U), App B Part 2 (S), App B Part 3 Downgrader (TS/S) and Trusted Stack (TS), all running on the Secure Operating System; a path not allowed by policy is marked NO.
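The two Divide and Conquer slides above describe the decomposition that a separation kernel makes evaluatable: partitions at different classification levels, a very small trusted downgrader, and strict, policy-controlled component-to-component interaction (the later gateway slide adds that every such interaction goes through a secure mechanism in the SK). The following Python model is an added illustration of that idea; it is not Wind River’s code nor that of any real separation kernel. The partition names, labels and channels are constructed to follow the App A / App B Part 1-3 / Downgrader picture, and the policy data is a plain table of allowed (source, destination) channels that the kernel checks once at configuration time (rejecting any write-down whose source is not a trusted component) and again at run time (every message is mediated, and denials are audited rather than reported to the sender).

```python
"""Toy model of a MILS separation kernel's static inter-partition flow policy.

Added illustration only; not Wind River's code nor a real separation kernel.
Partition names, labels and channels are constructed to mirror the
"App A / App B Part 1-3 / Downgrader" decomposition on the slides.
"""
from dataclasses import dataclass, field

# Classification levels as a simple total order (no compartments in this toy).
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class Partition:
    name: str
    level: str              # highest level of data the partition may hold
    trusted: bool = False   # True only for evaluated components such as a downgrader


@dataclass
class SeparationKernel:
    """Holds the kernel security policy data and mediates every inter-partition message."""
    partitions: dict = field(default_factory=dict)
    channels: set = field(default_factory=set)     # allowed (src, dst) pairs
    mailboxes: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add_partition(self, p: Partition) -> None:
        self.partitions[p.name] = p
        self.mailboxes[p.name] = []

    def add_channel(self, src: str, dst: str) -> None:
        """Configuration-time check: a channel that would carry data from a higher
        level to a lower one (a write-down) is accepted only if the source is a
        trusted component; everything else is rejected before the system runs."""
        s, d = self.partitions[src], self.partitions[dst]
        if LEVELS[s.level] > LEVELS[d.level] and not s.trusted:
            raise ValueError(f"policy rejects write-down {src}({s.level}) -> {dst}({d.level})")
        self.channels.add((src, dst))

    def send(self, src: str, dst: str, msg: str) -> bool:
        """Run-time mediation: deliver only over a configured channel; drop and
        audit anything else, so the sender learns nothing about the destination."""
        if (src, dst) in self.channels:
            self.mailboxes[dst].append((src, msg))
            self.audit_log.append(("deliver", src, dst))
            return True
        self.audit_log.append(("deny", src, dst))
        return False


def build_example_system() -> SeparationKernel:
    """Constructed configuration following the slide's decomposition of App B."""
    sk = SeparationKernel()
    for p in (Partition("AppA", "U"),
              Partition("AppB.Part1", "U"),
              Partition("AppB.Part2", "S"),
              Partition("AppB.Downgrader", "TS", trusted=True),
              Partition("TrustedStack", "TS")):
        sk.add_partition(p)
    # Upward flows and flows at the same level need no special trust.
    sk.add_channel("AppA", "AppB.Part1")
    sk.add_channel("AppB.Part1", "AppB.Part2")
    sk.add_channel("AppB.Part2", "AppB.Downgrader")
    sk.add_channel("TrustedStack", "AppB.Downgrader")
    # The one sanctioned write-down: TS -> S, only through the evaluated downgrader.
    sk.add_channel("AppB.Downgrader", "AppB.Part2")
    return sk


def demo() -> dict:
    """Exercise the policy; returns the outcomes so they can be checked."""
    sk = build_example_system()
    results = {
        "up_ok": sk.send("AppB.Part1", "AppB.Part2", "unclassified report"),
        "downgrade_ok": sk.send("AppB.Downgrader", "AppB.Part2", "sanitised summary"),
        "s_to_u_denied": not sk.send("AppB.Part2", "AppB.Part1", "secret data"),
        "no_channel_denied": not sk.send("TrustedStack", "AppA", "ts data"),
    }
    try:
        # An untrusted S -> U channel is caught when the policy is built, not at run time.
        sk.add_channel("AppB.Part2", "AppB.Part1")
        results["config_rejected"] = False
    except ValueError:
        results["config_rejected"] = True
    results["denials_audited"] = sum(1 for e in sk.audit_log if e[0] == "deny")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of keeping the policy as a small static table is the same one the slides make about evaluation cost: the only write-down in the system is attributable to one small, trusted partition, the kernel's own check is a few lines that can be scrutinised exhaustively, and nothing in the larger unclassified or Secret parts of App B needs to be trusted for the downgrade decision.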

MILS Architecture
Split app reduces cost of development, cert, operation
• Architecture with three layers
  – Trusted hardware
  – Separation kernel (SK) in supervisor mode
  – User components (applications, middleware, drivers) in user mode
• Reduce security-critical code through “Divide and Conquer”
  – Therefore increase scrutiny of security-critical code
• Separation
• Composition
• Layered assurance
• User mode partitions enable independent development and evaluation/certification
Diagram: user-mode partitions (Trusted Network Driver, TS; App 2a, U; Guest OS with App or MW, S; App 2b TS/S Downgrader), each on an HA Runtime, above the Separation Kernel (SK) in supervisor mode and Trusted Hardware.
HA Runtime: High Assurance EAL6+ SK interface
Guest OS: Traditional RTOS, Linux, Windows

Evaluatable at Acceptable Cost
Evaluation: 3+ Years and $3-$5M for RTOS, and great reuse; components evaluation also lower cost
Diagram (MILS Architecture, COTS Baseline): evaluatable applications on an evaluatable infrastructure. CSCI applications in partitions: SL (U) Application, SL (S) Application, SL (TS) Application (Main Program), MLS Downgrader. Middleware components and drivers in partitions (Rushby’s middleware): network I/O device drivers, file systems, DAC, auditing, attestation. Separation Kernel: small kernel in privilege mode providing information flow, data isolation, fault isolation and periods processing (SK requirements), with appropriate mathematical verification.
Source: MILS/MLS Architecture for Deeply Embedded Systems, 29 Nov 2004, slide 25

Notional MILS-Based Gateway
Diagram: a High side (1) and a Low side (2) of partitions above the Separation Kernel and Trusted Hardware; labels shown: Guard1, Guard2, App2, Network Stack (on HAE1), Network Stack (on HAE), HAE, GOS2, GOS (Windows), User Config, Config.
Note: inter-partition communications require a secure communication mechanism through the SK; for clarity these actual paths are not shown.
HAE: High Assurance Environment
Guest OS: e.g., traditional real-time operating system, Linux, Windows, other

Evaluation (C&A) for MILS Components: Common Criteria

System Certification (Notional Example)
Diagram: partitions (TS, U App, S, Downgrader TS/S) above the Separation Kernel (SK) and Trusted Hardware, each annotated with who certifies it:
• Customer (US): ATO, based on DIACAP or DCID 6/3
• Customer: DO-178B
• Customer: one or more of DIACAP, DITSCAP, DO-178B, DO-254
• Customer: Common Criteria EAL6+, SABI, TSABI
• FCS Driver, Common Core System – Customer + OS Vendor: Common Criteria EAL6+ and DO-254
• OS Vendor: Common Criteria EAL6+
Glossary:
ATO (US): Authorization to Operate, or IATO: Interim ATO
DIACAP (US): US DoD Information Assurance Certification and Accreditation Process (replaced DITSCAP in 2006)
DCID 6/3: Director of Central Intelligence Directive 6/3: Protecting Sensitive Compartmented Information Within Information Systems
DO-178B: Software Considerations in Airborne Systems and Equipment Certification (RTCA; EUROCAE ED-12B in Europe)
DO-254: Design Assurance Guidance for Airborne Electronic Hardware (RTCA)
SABI: Secret and Below (US DoD)
TSABI: Top Secret and Below (US Intelligence Community)

MILS Evaluation Using Common Criteria
What?
• An internationally defined way to evaluate the security of any IT product
• Evaluation Assurance Level
  – EAL1 (lowest) to EAL7 (highest)
• May include formal methods
Accepted By?
• EAL1 – EAL4 accepted internationally
• Higher EAL certified by security agencies in each country
Operated By?
• In US: National Information Assurance Partnership (NIAP): NSA + NIST

Common Criteria: Initially From Canada, France, Germany, Netherlands, UK, US
Timeline:
1980s: US “Orange Book” TCSEC [1] (1985); French “Blue-White-Red Book” [2], German IT Security Criteria [3], Netherlands Criteria, UK Sys. Security Confidence Levels [4], UK “Green Books” [5] (all 1989)
1990s: European ITSEC [6] (1991); US Federal Criteria Draft [7] (1992); Canadian Criteria CTCPEC [8] (1993)
2000s: Common Criteria, ISO 15408: v1.0 1996, v2.0 1998, v2.1 1999, v2.2 2004, v2.3 2005*, v3.0 2005, v3.1 2006
* Base for Separation Kernel Protection Profile for High Robustness, 29 June 2007
[1]-[8]: See end slide “References For Security Documents”

U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, Version 1.03
• Suitable for “mission-critical systems” … and “management of classified and other high-valued information”
http://www.niap-ccevs.org/cc-scheme/pp/pp_skpp_hr_v1.03/

With MLS systems using MILS, we can …

… Reduce Many Radios to One
Today:
• Multiple radios at different security levels (Top Secret, Secret, Confidential, Unclassified)
• Multiple waveforms
Goal:
• Single, multilevel secure, multi-waveform radio

… Increase Field Agility
• Reduce the number of C-130s to move a general’s field headquarters from three to one
Photo: http://www.af.mil/shared/media/photodb/photos/100223-F-0938O-154.jpg

… Eliminate Many Workstations
Photo: http://www.af.mil/shared/media/photodb/photos/100114-F-2435S-110.jpg
Ground Theater Air Control System (GTACS), from Federation of American Scientists: http://www.fas.org/man/dod-101/sys/ac/equip/gtacs.htm
Today:
• Multiple workstations at different security levels (S, U, C, TS), applications, networks
Goal:
• Single, multilevel secure, multi-application workstation

… Consolidate Networks: From This …
Today:
• Multiple networks at different security levels (TS/SCI, Top Secret, Secret, Confidential, Unclassified) or for different coalition partners or domains
• Separate servers, networks, and workstations for different domains

… Consolidate Networks: To This …
Diagram: devices at U, C, S, TS and SCI attached through a Secure Net Interface on each side to an encrypted black network link carrying messages at multiple levels.
Goal:
• Multilevel secure networks combined with multilevel secure devices

Save Money!
$6.6M total the new way vs. $50M the old way!
Courtesy Dr. Ben Calloni

Summary: MILS Is Challenging, But Worth It!

Comparing Separation Technologies
Diagram comparing three approaches, rated Good/Bad on Secure, Data Sharing, Easy to Use, and Affordable Technology Evolution:
• Traditional MLS (Orange Book Approach, MIL-STD): monolithic applications and monolithic application extensions in user mode over a monolithic kernel in privilege mode holding information flow, data isolation, fault isolation, periods processing, network I/O, file systems, auditing. Caption: MLS Requires Evaluatable Applications! Source: MILS/MLS Architecture for Deeply Embedded Systems, 29 Nov 2004, slide 23.
• Physical Separation (GIG): separate systems labelled NATO S (SLS), S (SLS), U (SLS), TS, S (MLS), Guard (MLS), Crypto (MSLS).
• MILS: partitions such as NIC Driver (MSLS) and Print Spooler Driver (MSLS) on the MILS Separation Kernel with its Kernel Security Policy Data, on a Trusted Processor.

MILS enables multilevel secure (MLS) systems that meet today’s and tomorrow’s threats at reasonable cost and acceptable risk

References Referred to in Speaker Notes
1. ARINC 653, Avionics Application Software Standard Interface, is in three parts at: https://www.arinc.com/cf/store/catalog.cfm?prod_group_id=1&category_group_id=3 (scan for “653”, then Parts 1, 2, and 3)
2. Common Criteria Evaluation and Validation Scheme (CCEVS): http://www.niap-ccevs.org/cc-scheme/
3. Computer Security Planning Study, J. P. Anderson, October 1972, ESD-TR-73-51, Vol. II: paper is listed at http://seclab.cs.ucdavis.edu/projects/history/CD/index.html. “E”, “A”, and “T” of “NEAT” come from this report.
4. Design and Verification of Secure Systems, Dr. John Rushby, December 1981: http://www.csl.sri.com/papers/sosp81/
5. Enabling the GIG, PowerPoint presentation, Dr. Jim Alves-Foss, University of Idaho, Dr. Ben Calloni, Lockheed Martin, Michael Dransfield, NSA/IAD, Jahn Luke, AFRL, Dr. Lee MacLaren, Boeing, Uchenick, G., Objective Interface Systems, Mark Vanfleet, NSA/IAD, November 2004. A copy suitable for printing the extensive slide notes is available from Wind River; contact [email protected], +1.510.749.4486. References in this presentation of the form [EtG #slide-number] refer to this version.
6. Intel Trusted Execution Technology: http://www.intel.com/technology/security/downloads/TrustedExec_Overview.pdf
7. National Security Telecommunications and Information Systems Security Policy (NSTISSP No. 11), CNSS (Committee on National Security Systems) Secretariat (I42), National Security Agency, July 2003: http://www.cnss.gov/Assets/pdf/nstissp_11_fs.pdf.
8. RTCA DO-178B, Software Considerations in Airborne Systems and Equipment Certification: http://www.rtca.org/onlinecart/product.cfm?id=341.
9. RTCA DO-297, Integrated Modular Avionics (IMA) Development Guidance and Certification Considerations: http://www.rtca.org/onlinecart/product.cfm?id=382.
10. Trusted Computer Security Evaluation Criteria (TCSEC), the “Orange Book”, US DOD, 1985: http://csrc.nist.gov/publications/history/dod85.pdf. Good introduction: http://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria.
11. U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, v1.03: http://www.niap-ccevs.org/cc-scheme/pp/pp.cfm/id/pp_skpp_hr_v1.03
12. Zumwalt-class destroyer showing an example of increased demand for functionality: http://en.wikipedia.org/wiki/Zumwalt_class_destroyer

References For Security Documents
• Most from http://www.ssi.gouv.fr/site_documents/ITSEC/ITSEC-uk.pdf
• US TCSEC “Orange Book”: Trusted Computer Systems Evaluation Criteria, 5200.28-STD, DoD, USA, December 1985 (superseded original “Orange Book”, Department of Defense Trusted Computer System Evaluation Criteria, CSC-STD-001-83, 15 August 1983)
• French SCSSI “Blue-White-Red Book”: Catalogue de Critères Destinés à évaluer le Degré de Confiance des Systèmes d'Information, 692/SGDN/DISSI/SCSSI, July 1989
• German ZSISC: Criteria for the Evaluation of Trustworthiness of Information Technology (IT) Systems, ISBN 3-88784-200-6, Zentralstelle für Sicherheit in der Informationstechnik (ZSI) (German Information Security Agency, now Bundesamt für Sicherheit in der Informationstechnik), Federal Republic of Germany, January 1989
• UK: UK Systems Security Confidence Levels, CESG Memorandum No. 3, Communications-Electronics Security Group, United Kingdom, January 1989
• “UK Green Books”: DTI Commercial Computer Security Centre Evaluation Levels Manual, V22, Department of Trade and Industry, United Kingdom, February 1989
• ITSEC: Information Technology Security Evaluation Criteria, Commission of the European Communities, Document CMO(90) 314, 1991
• US: Federal Criteria for Information Technology Security, NIST and NSA, US Government, December 1992
• Canadian CTCPEC: Canadian Trusted Computer Product Evaluation Criteria, Canadian System Security Centre, Communications Security Establishment, Government of Canada, Version 3.0e, January 1993

Acknowledgements
• This presentation includes contributions from several organizations, including especially:
  – Lockheed Martin Aeronautics Company
  – United States Air Force Research Laboratory (AFRL)
  – United States National Security Agency (NSA)
• Contributions from the following individuals are very gratefully acknowledged:
  – Matt Benke, NSA (concepts, detailed review)
  – Dr. Ben Calloni, Lockheed Martin Aeronautics Company (concepts, slides, and review)
  – Michael McEvilley, The MITRE Corporation (concepts, detailed review)
  – Tomoaki Nakamura, HCX Corporation (slide “Not Just for Defense”)
  – Dr. John Rushby, SRI (basic separation concepts, quote “MILS is intended … and assurance case”)
  – Gordon Uchenick, Objective Interface Systems (before and after “Hardware Reduction” slide concepts)
  – Mark Vanfleet, NSA (concepts, slides, detailed review)
• This presentation also borrows substantially from the presentation Enabling the GIG. See availability of this presentation on prior slide “References Referred to in Speaker Notes”.
• In making these acknowledgements, no formal endorsement of any part of this presentation by any of the above is implied; all errors and omissions are the responsibility of Wind River.
• This presentation is intended for general education and to actively promote MILS and related concepts in a vendor-neutral manner. It is a work in progress, and corrections and suggestions for improvement are encouraged and will be gratefully accepted and acknowledged in future editions; please send all comments to [email protected], +1-510-749-2242

For a detailed version of this presentation, contact:
Americas, APAC, Japan
• Chip Downing, Director, A&D Industry Marketing, [email protected], +1-650-520-8775
• Paul Chen, Director, Product Management, [email protected], +1-510-749-4486
Europe, Middle East, Africa
• Alex Wilson, Sr. Program Manager, A&D, [email protected], +44 12 83 79 20 01