2007 Issue 2 - Raytheon

More documents

Recommendations

Info

Feature Col. Roger Shell was the deputy director of the National Security Agency’s (NSA) National Computer Security Center (NCSC) as it was formed in the early 1980s. Dr. Kenneth Kung joined NCSC in 1984 as one of the system evaluators using the famous Orange Book. He learned his information assurance techniques from Dr. Shell and other early pioneers in this field (e.g., Steve Walker, David Bell, Marv Schaefer, Earl Boebert, etc.). Dr. Kung is the co-author and contributor to several other Rainbow Series of guidelines, while NSA remains the premier organization to learn the latest information system and weapon system protection techniques. 8 2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY The Benefits of Multi-Level Security Multi-level security (MLS) has been a holy grail ever since the early days of applying computer systems to meet the automation needs of military and intelligence systems. In the 1970s, MITRE published a series of papers (by Bell and LaPadua) that describe the issues and rules of determining access rights of individual users to information, based on their credentials. In fact, in 1971, Dr. Roger Schell (then a U.S. Air Force major) conducted his Ph.D. research at MIT on the Multics OS protection rings. Although multiple initiatives in the 1980s and ‘90s were launched to tackle the MLS “problem,” the issue is still with us today. This article addresses the background of the issues involved in solving the general MLS problem. It also describes both the security functionality and the assurance needs of the Department of Defense (DoD) community of users and possible solutions to address those needs. The DoD has a goal of fielding systems that provide the right information at the right time to the right person. In many cases, this goal is difficult to achieve due to the security classification of the data. To properly safeguard information today, many DoD information systems are separated in domains at the highest classification level of any data in the domain. They are commonly referred to as “system high” domains. If an individual does not possess a security clearance to access a domain, they are denied access to all information within the domain, even though some of the information may have originated at a lower classification and thus should be accessible to the individual. To ameliorate this problem, high-speed guards requiring additional hardware and processing overhead, or labor intensive procedures such as manually reviewing data, are commonly used when moving data between domains. The single-level security domain paradigm is not compatible with this time-sensitive collaborative processing environment needed to support net-centric operations and the systems of element approach where information is first published, then later subscribed. The concept of using single-level security domains results in over-clearing personnel, over-classifying data and creating system inefficiencies and redundancies. To minimize or eliminate these problems, the concept of MLS systems was developed. MLS eliminates the need for these separate domains. MLS systems reduce the total cost of ownership by eliminating hardware and software redundancies. Top secret, Unclassified Domain secret, confidential and unclassified data all can reside in a single MLS domain. MLS provides the ability to simultaneously receive, process, store and disseminate data of multiple classifications within a domain where not all users have the security clearance to access all the data within the domain. MLS needs to permeate into the computing environment (workstations, servers and operating systems), the network, the database and the mission applications — all must work together to maintain trust. MLS systems must assure that users are granted access to all the data, systems and services for which they are authorized, while denying them access if they are not authorized. Figure 1 illustrates a traditional configuration using guards between security domains on the left and an MLS enclave on the right. Multinational Information Systems The next major research milestone is to tackle the issue of multination- Traditional: one domain per security classification Multi-level security (MLS) Secret Domain Data Store High Speed Guard Data Store High Speed Guard Computing Environment Switch/Router Computing Environment Switch/Router Data Store Top Secret Domain Computing Environment Switch/Router Figure 1. Traditional vs. MLS Enclaves Top Secret Data Store MLS Domain with Unclassified through Top Secret Secret Data Store Switch/Router Unclassified Data Store Computing Environment
al information systems (MNIS). MNIS are inherent in battle command to ensure the timely exchange of information across all coalition member domains and government agencies. Raytheon is doing research with the DoD to identify the issues and potential solutions under a study contract. With the proliferation of coalition operations and joint operations, the issue of information separation becomes even more challenging. Not only must the information be separated by clearance levels with each country’s security policy, but well-defined information must be shared across multiple countries, where agreements to share are on a bilateral basis. Information releasable to certain countries is not releasable to other coalition partners. This complicated set of access control rules makes the Bell- LaPadula hierarchical security model of “write up, read down” traditionally used in MLS systems look simple. Raytheon is currently working to solve this demanding challenge of sharing information in the presence of multiple compartments within single security levels. Trusted Operating Systems There are several common approaches when attempting to provide MLS capability. One is to use a trusted operating system that attaches sensitivity labels to all objects within the domain. (Sun’s Trusted SolarisTM is an example of a trusted operating system.) Sensitivity labels identify security classification and handling restrictions of the object. The sensitivity labels are compared to the user’s security clearance and privileges to determine if access to the object is allowed. These operating systems are proprietary, tend to be very difficult to administer, and are at times extremely cumbersome to use. Because of their size and complexity, they have typically been evaluated only to a medium level of robustness. Due to administrative difficulties, customers often prefer less trustworthy operating systems such as Windows. Multiple Independent Levels of Security Another approach being developed to provide MLS capability is called Multiple Independent Levels of Security (MILS). Raytheon has been working with the Air Force Research Laboratory Information Directorate, the Cryptographic Modernization Program and the National Security Agency for several years on the foundational components for this high assurance architecture to support systems with MLS requirements and/or Multiple Single Levels of Security (MSLS). The goal of the MILS program is to establish a viable commercial market for high assurance, standardsbased commercial off-the-shelf (COTS) products that can be used to produce NSA-accredited systems. By leveraging COTS products that conform to the DO-178B safety standard, it is anticipated that the wider customer base for these products will result in a lower cost to DoD security customers. MILS have a layered architecture that enforces an information flow and data isolation security policy. At the bottom layer of the architecture is a small but highly trusted separation kernel. A separation kernel executes on processors such as Pentiums and PowerPCs to provide a virtual machine upon which a variety of COTS operating systems (e.g., Windows, Lynux, Solaris, etc.) can be hosted. The separation kernel provides a high robustness reference monitor 1 to enable this separation and to control communication between untrusted applications and data objects at various levels of classification/caveats on a single processor. It also enables trusted applications to execute on the same processor as untrusted applications, while ensuring that the trusted applications will not be compromised or interfered with in any way by the untrusted applications, (see Figure 2). Security policy enforcement mediated by the separation kernel is non-bypassable, always invoked and tamper-proof, because it is the only software that runs in privileged mode on the processor. Thus, systems with applications at different security levels/caveats require fewer processing resources. The separation kernel’s security requirements are specified in the NSA’s U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, now in its final draft. A separation kernel can be evaluated to a high level of assurance (Evaluation Assurance Level (EAL 6+), because it is very small — on the order of 4,000 lines of C-Language code. Although originally targeted to real-time, embedded systems, the Separation Kernel Protection Profile (SKPP) has been generalized to provide the security requirements for a high assurance virtual machine on which operating systems with medium or no assurance, such as Windows, can execute in separate partitions without degrading the assurance of the overall system. The Green Hills Software (GHS) Integrity Separation Kernel is available commercially and is currently undergoing evaluation at a high robustness level by a National Information Assurance Partnership (NIAP) accredited Common Criteria Testing Laboratory. It is targeted for embedded and server applications running on PowerPC and Intel ® processors. The Integrity Separation Kernel is being used in the Raytheon’s Space and Airborne Systems NETSecure internal research Continued on page 10 1 IAEC 3285, NSA Infosec Design Course, High Robustness Reference Monitors version 3, Michael Dransfield, W. Mark Vanfleet. Raytheon is fielding a product called CHAIN (Compartmented High Assurance Information Network). CHAIN permits the separation of the information by compartments (as the name implies). Until the true MLS system is available, Raytheon is fielding CHAIN in multiple systems to separate information from different domains using the compartments enforcement mechanism. There are multiple commercial operating systems that allow this enforcement. To upgrade from compartments to multi-level security, the underlying operating system must meet the functionality and trust discussed in this article. RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2 9
Page 1 and 2: Technology Today HIGHLIGHTING RAYTH
Page 3 and 4: Technology Today is published quart
Page 5 and 6: Ensuring That Our Systems Can Be Tr
Page 7: ISSE Process DIACAP DoDIIS NIST Dis
Page 11 and 12: Data Validation Data Feed 1 Large F
Page 13 and 14: diagnose attacks/bugs/errors; gener
Page 15 and 16: ated a functional prototype wireles
Page 17 and 18: Feature Information Assurance and S
Page 19 and 20: Figure 1. User CONOPS/E-mail Figure
Page 21 and 22: L E A D E R S C O R N E R Heidi Shy
Page 23 and 24: onTechnology Warfighter Challenges
Page 25 and 26: Short-term Benefits Faster Code Dev
Page 27 and 28: onTechnology The Benefits of Galliu
Page 29 and 30: µ, ε Space k = ω εµ M A T E R
Page 31 and 32: 2007 SEPG Conference Continuing its
Page 33 and 34: Getting to Know Your Raytheon Certi
Page 35 and 36: Vision/Direction Architecture/Style
Page 37 and 38: When you help a student master the
Page 39 and 40: International Patents Issued to Ray

2007 Issue 2 - Raytheon

Create successful ePaper yourself

Delete template?

Save as template?